IP Blocker - process = avastsvc.exe

[sys-eng]

I have noticed several times that Malwarebytes IP blocker stopping attempts to access websites that I am not trying to go to. The latest one is in the log as:

IP-BLOCK 212.117.183.163 (Type: outgoing, Port: 60501, Process: avastsvc.exe)

Any idea why avastsvc.exe would be blamed for this? I am guessing that a link to this IP was in an e-mail message that came into Outlook and was scanned before I could open or delete it but I would not think that Avast was actually trying to go to the site.

Any ideas?

[AdvancedSetup]

Well certainly appears to be a bad site. 743 hits for that IP in Stop Forum Spam's database alone.

Might want to follow one of the directions below and have one of the Experts assist you in verifying nothing is on the system that doesn't belong there.

If you think you are infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

You have 3 Options that you can choose from as listed below:

• Option 1

[sys-eng]

advancedsetup:

I believe you misunderstood my question.

Do you have any ideas why Avast would be listed as the process for this block?

[AdvancedSetup]

Difficult to say really without using some type of monitoring software. Just guessing I would think that it is checking on it and thus being flagged. Don't forget that that we're simply pulling back the latest application observed in the process when it may have come along after the fact. One would need a much lower level monitoring agent to determine what is really going on.

Unlikely but it's been seen before that an infection has overwritten the actual Anti-Virus with it's own executable.

If you are interested in trying to dig in deeper what might be causing this on your own then I'd suggest obtaining the following tools which can provide greater insight as to what's going on.

Process Monitor

Process Explorer

You could also use a program like WireShark

I wish I could give you a specific reason but as said it is difficult to tell for sure without analysis.

If you want you can still have someone assist you in reviewing what's going on but those tools are pretty good at helping to track it down as well.

[sys-eng]

Thanks, I have Process Monitor so I will try that.

I believe it is as I first suspected - Avast scanning something and Malwarebytes picked up on it.

[AdvancedSetup]

According to our QC Team the following should be true.

Avast! filters all web traffic, including browser traffic, so whenever a connection is made or attempted, Avast!'s process will show up as the process making the connection (because this is how Windows sees it), therefore all IP blocks will show Avast!'s process as the process being blocked.

The same is true of Kaspersky.

[Merit_support]

According to our QC Team the following should be true.

Avast! filters all web traffic, including browser traffic, so whenever a connection is made or attempted, Avast!'s process will show up as the process making the connection (because this is how Windows sees it), therefore all IP blocks will show Avast!'s process as the process being blocked.

The same is true of Kaspersky.

That is good to know. I have seen that behavior before and wondered about it.

I highly recommend including your explanation in the program documention.