Avast domains that shouldn't be blocked #4805

Closed
2 of 3 tasks
RejZoRSheep opened this issue Jan 7, 2025 · 9 comments
@RejZoRSheep

Which AdBlocker/DNS cloud service do you use?

NextDNS

Other

No response

ControlD users

  • IMPORTANT - I assure that I have not set the Block Response in ControlD to Custom or Branded and can confirm that the problem still occurs.

NextDNS users

  • IMPORTANT - I can assure that I disabled the block page in NextDNS and can confirm that the problem still occurs.

With which block list(s) does the problem occur?

Multi ULTIMATE

Which domain(s) should be unblocked?

v7event.stats.avast.com
v7.stats.avast.com

Why should the domain(s) be unblocked?

The given domains are dedicated to Avast's cloud system and VPS updating (micro updates) and shouldn't be blocked because it will affect the updating mechanism. Further explanation is in the link below, where Avast team member lukor explains the use of these addresses.

https://community.avast.com/t/analytics-disabled-avast-still-connecting/754118

Privacy

  • I confirm that the report does not contain any private information.
@RejZoRSheep RejZoRSheep added the allow Allow domain(s) label Jan 7, 2025
@hagezi
Owner

hagezi commented Jan 7, 2025

@hagezi hagezi added the further analysis Further analysis necessary label Jan 7, 2025
@hagezi
Owner

hagezi commented Jan 7, 2025

*.stats.avast.com have been blocked in all known lists for ages and so far there have been no reports of anything not working as a result. The post you linked to is 6 years old.

Especially if something like the automatic download of the virus database would not work, there would have been reports about it.

I could download the product and test it myself, but such products are not allowed on my devices.

@celenityy @bongochong what is your opinion on this?

@RejZoRSheep
Author

That post was 6 years old and I was heavily involved in Avast and even I only noticed it when I started using a DNS blocking service with 3rd party lists. And even I didn't know that these weren't supposed to be blocked, the list I was using just had them included (it was the Energized list back then, it appears). So, that's not really an indication of anything, as most lists just include everything that contains stats/events/analytics in the name even if they aren't actually that. It might be correct in most cases, but not in this one.

Also, the VPS system is unique and not really used by any other antivirus. The way Avast works is they have a regular signature update that happens only once every few hours and the streaming VPS updates are released every few minutes, downloaded by the client and added to the cumulative signatures database. They picked this method as opposed to being permanently connected to the cloud like basically all other antiviruses are doing. This means you're always as up to date as possible even if you disconnect this moment, whereas all other antiviruses use base signatures and a permanent cloud connection for queries. If that connection is severed, you fall back to the hours-old main signatures database. 25 years ago that wouldn't be that big of a deal, but today, in the current climate of how quickly things get released, it is important. With Avast, you only fall back for a couple of minutes.

Thing is, if streaming VPS updates are failing, Avast is not notifying the user about it in any way, so it's not possible for people to just know it's not actually working. For example, my client received the last main VPS update at 17:00 today, but there is no indication of when I last received the streaming VPS update, if at all.

@hagezi
Owner

hagezi commented Jan 7, 2025

Thanks for the details @RejZoRSheep.

Subdomains on stats.avast.com:

hist.stats.avast.com
lc.stats.avast.com
v7event.stats.avast.com
v7.stats.avast.com
v9.stats.avast.com

@celenityy
Contributor

I don't think we should unblock these, and I'll explain why.

1: Based on my research, these are definitely used for telemetry.

Ex:

POST /cgi-bin/iavs4stats.cgi HTTP/1.1
Host: v7.stats.avast.com
User-Agent: avast! Antivirus (instup)
Accept: */*
Content-MD5:
Content-Type: iavs4/stats
Content-Length:

GCHBitmap=0
GChBrand=AVFC
GTBBitmap=0
GTBBrand=
InstupVersion=19.5.4444.0
IsVirtual=1
NoRegistration=0
OfferEvent=0
OfferResult=2
SZB=0
ScAsAvastReg=1
ScAsAvastStatus=off
ScAsOtherList=Windows Defender Antivirus,Avast Antivirus,
ScAsOtherReg=2
ScAsOtherStatus=on,off,
ScAvAvastReg=1
ScAvAvastStatus=off
ScAvOtherList=Windows Defender Antivirus,Avast Antivirus,
ScAvOtherReg=2
ScAvOtherStatus=on,off,
ScFwAvastReg=0
ScFwAvastStatus=
ScFwOtherList=Windows Firewall,
ScFwOtherReg=1
ScFwOtherStatus=on,
ShepherdConfigName=Avast-Windows-AV-Consumer_email-signatures_antitrack-production_production-new-installs_version-18.6-and-higher_driver-updater-production_v19.3-and-higher_v18.7-and-higher_v2017_test-datasharing-consent_test-antitrack-text-b_free_test-upsell-screens_smartscan-last-screen_new-recomendo_production_version-17.9-and-higher_avast-19-r5_smartscan-free---antivirus_v18.3-and-higher_alpha-new-installs_mybackend-on_test-pam-no-master-password_v18.5-and-higher_chrome-installed-by-avast_cleanup-premium-installation
UpdatingTime=0
WEI_Cpu=8.4
WEI_D3D=9.9
WEI_Disk=7.3
WEI_Graphics=2.4
WEI_Memory=5.5
WEI_SystemRating=2.4
boot_time_scan_accepted=0
boot_time_scan_offered=0
brandCode=AVFC
bytes=199216597
bytesOK=199216597
community=1
cookie=mmm_ava_tst_004_762_b
cpu_name=Intel(R) Core(TM) i7-7700 CPU @ 2.80GHz,4
custom_scan_created=0
edition=1
gsMainStatus=0
gsNoticeNotifs=0
gsUrgentNotifs=0
gsWarningNotifs=0
gui_opened=4
gui_settings_altered=0
gui_settings_opened=0
guid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
help_opened=0
idate_w=1508774395
lan_addr=tokyoneon-PC
lan_ip=192.168.1.152
lang=0409
licAlpha=1
licExpDays=30
licExpirationDate=1562974590
licFeature=5f0231d7-4c46-4855-8199-5d0cb185d427
licIssuedDate=1560382590
licSchemaId=avast-free-1s1m_1s1m
licType=Trial
licType2=4
offerInstReturn=0
offerReasons=0
offerType=1
on_demand_scan_invoked=0
operation=3
os=win,10,0,2,16299,0,AMD64
part.program=2378,2378,0,0
part.setup=2378,2378,0,0
part.vps=419828228,419828228,0,0
passive_mode=0
product=ais
ram_mb=4990
repo_id=iavs9x
serial=0
silent=0
status=00000000
statver=2.20
tspan=454
tspanOK=454
version=19.5.2378
statsSendTime=1260399041

2: Looking at Avast's own server definitions, it looks like the stats URLs are defined separately from the URLs required for VPS:

Ex:

[server0]
name=Download j4885442 AVAST5 Server
url=http://d1869353.test5beta.u.avast.com/test5beta
urlpgm=http://d1869353.beta9x.u.avast.com/beta9x
urlvps=http://d1869353.ivps9x.u.avast.com/ivps9x
stats=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgi
stats2=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgi
submit=http://sm00.avast.com/cgi-bin/iavsup2.cgi
submit5=http://submit5.avast.com/cgi-bin/submit50.cgi
geoIP=http://geoip.avast.com/geoip/geoip.php
weight=20

3: It looks like (at least as of September 2023) Avast actually does notify users when virus definitions are outdated - and shows the version of them you have installed. Ref. So this goes back to @hagezi's point:

Especially if something like the automatic download of the virus database would not work, there would have been reports about it.

Due to these factors, I don't see any reason to believe these domains are actually required for VPS updates. The only place I can see this requirement mentioned is from lukor on the forum post linked above; I can't find any prior issues/reports of breakage/etc...

So, unless we can test & definitively prove that blocking these domains breaks VPS updates (Which shouldn't be difficult to do based on the info I provided in 3 & the info @RejZoRSheep provided that the database updates every few minutes - though like @hagezi, I don't use any Avast products/services, and explicitly block them on my network...), I don't see a reason to unblock them.

PS: Stumbled across this article while researching - so here's your obligatory: Do not use Avast products...
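
Added example (not part of the thread, and not Avast's or the blocklist project's code): the check behind point 2 of the comment above, run over the server definition exactly as posted, mapping each URL-valued key to its hostname and testing it against the `*.stats.avast.com` rule. The grouping of keys into update roles and the suffix-matching semantics of the rule are assumptions, and the result covers only what the definition declares, not which hosts streaming updates contact at run time.

```python
import configparser
from urllib.parse import urlsplit

# Server definition copied from the comment above (values as posted).
SERVER_DEF = """
[server0]
name=Download j4885442 AVAST5 Server
url=http://d1869353.test5beta.u.avast.com/test5beta
urlpgm=http://d1869353.beta9x.u.avast.com/beta9x
urlvps=http://d1869353.ivps9x.u.avast.com/ivps9x
stats=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgi
stats2=http://v7.stats.avast.com/cgi-bin/iavs4stats.cgi
submit=http://sm00.avast.com/cgi-bin/iavsup2.cgi
submit5=http://submit5.avast.com/cgi-bin/submit50.cgi
geoIP=http://geoip.avast.com/geoip/geoip.php
weight=20
"""

# Assumption: which keys carry update traffic is inferred from key names only.
UPDATE_KEYS = {"url", "urlpgm", "urlvps"}
BLOCK_RULES = ["*.stats.avast.com"]  # wildcard quoted in the thread

def hosts_by_key(text):
    """Return {key: hostname} for every URL-valued key in the definition."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = {}
    for section in cp.sections():
        for key, value in cp[section].items():  # configparser lowercases keys
            host = urlsplit(value).hostname      # None for name= and weight=
            if host:
                out[key] = host.lower()
    return out

def is_blocked(host, rules=BLOCK_RULES):
    """Assumed semantics: a rule covers its base domain and all subdomains."""
    for rule in rules:
        base = rule[2:] if rule.startswith("*.") else rule
        if host == base or host.endswith("." + base):
            return True
    return False

def blocked_keys(text):
    """Return (blocked update keys, other blocked keys) for the definition."""
    hosts = hosts_by_key(text)
    hit = {k for k, h in hosts.items() if is_blocked(h)}
    return sorted(hit & UPDATE_KEYS), sorted(hit - UPDATE_KEYS)
```

For the posted definition, `blocked_keys(SERVER_DEF)` returns no update keys and only `stats` and `stats2` as blocked.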

@hagezi
Owner

hagezi commented Jan 8, 2025

Many thanks for the great work and assistance @celenityy

@bongochong

Very useful information and research in here. Thank you for pinging me @hagezi. I've been far busier than usual this week. Echoing the thanks to @celenityy as well. Much appreciated.

@RejZoRSheep
Author

@celenityy
Avast does NOT notify users about non-functioning or outdated streaming updates. It only warns if your primary VPS definitions are out of date.

@hagezi
Owner

hagezi commented Jan 9, 2025

Remains blocked in Pro, Pro++, Ultimate.

@hagezi hagezi closed this as completed Jan 9, 2025