Home Support

AVG Support Community

Share tips and solutions on AVG Products

Have a question?

Community topics

AVG Gurus

These community experts are here to help

  • (AB) Alan Binch
  • (BA) Borislav Angelov
  • (VB) Vladimir Bartl
  • (SK) Subhadeep Kanungo
  • (MS) Miloslav Serba
Danilo MassaDanilo Massa 

Network ssh scan

Hello, two days ago my wife has updated her installation of AVG Internet Security product (subscribed one, not freeware or trial) and just few seconds after I have noticed a distributed brute force attack on all my devices with ssh enables (like Linux PC ones, commercial NAS, home automation devices, and so on) coming from her PC. 
The bruteforce has used some account names like:
- root
- admin
- admin1
- 666666
- 888888
- supervisor
- guest
- Dinion

I have take an investigation on her PC but I have not find anythingc and before go deep I would like to know if this scanning is a feature of AVG... someone can let me know?

Thanks in advance
Sreenu YadavalliSreenu Yadavalli (Avast)
Hello Danilo,

We are glad to look into this and help you.
AVG Internet Security has a remote desktop shield which will block the Brute force attack.
Remote Access shield prevents your computer from brute force attack. For more info, you can check this article (https://bit.ly/3hvEvWo).
Thank you.
Danilo MassaDanilo Massa
Hello Sreenu,
I'm sorry but this is not the answer to my question...
I'am asking if AVG software can be the originator of this kind of scanning. After a first and quick analisys the only software that was doing some kind of unusual activity was the update of AVG internet security (licensed).
Before to go ahead with a (time consuming) full forensic analysis I would like to be sure that the "attack" was not binded to the product. 

Veeramani SivakumarVeeramani Sivakumar (Sitel)
Hello Danilo, 

We are sorry for the confusion. We are here to clarify you. 

AVG Internet Security  is protection program and it will not cause these kind of attacks. If user installed AVG Internet security and remote shield component it ON, allows you to control which IP addresses can remotely access your PC, and blocks all other connection attempts. 

Could you please share the screenshot (https://support.avg.com/SupportArticleView?urlname=AVG-Create-screenshot)of the message which you received about Brute Force attack? So, we will check and help you with it.

You can post the screenshot here in your topic. Click on Answer & then click on the Image [mountain symbol] & follow the instructions. Thanks in advance.
Danilo MassaDanilo Massa
Hello Veeramani,
Thank for your answer, I do not have any screenshot to publish, at least not from AVG product. I have got the alert from my NIDS product installed on my home network, and I have seen the bruteforce events on my SIEM (obviously I have also analyzed all the original logs file from the impacted Linux machines and from the NAS). The source IP address was the one assigned to my wife's laptop and the scan started after 2 seconds the AVG engine update completition.
I have made a quick live analisys of my wife PC but I do not find anything. 
If this kind of scan is not a feature of AVG I must proceed with a full forensic analisys (sigh).
If I find a new malware sample I will provide it to you.

Thank again for your time and effort. 
Dinesh KrishnanDinesh Krishnan (Foundever)
Thank you for clarifying, Danilo.
From your message, we see that you're receiving the notification regarding brute force attack from your NIDS product. 
You can be rest assured that AVG Remote access shield will scan & notify if there are any brute force attacks. It will not create an attempt on other devices. It seems that the same feature might be available on your NIDS & the filter/sensitivity would be set to high, which may result in false detection. 
However, you can proceed to further investigate & share us the screenshot of the message, if you receive it again.
If you still suspect that AVG might cause the issue, you can uninstall AVG from your wife's laptop & check. 
Danilo MassaDanilo Massa
Hello Dinesh,
Just for your information, I have discovered that is AVG to execute this kind of bruteforce when you do a network scanning using the "Network Inspector" feature. At present time I am very busy but in the past I have raised a legal issue to the producer of another security software that have integrated in his product a similar feature. Here in Italy (and may be in other countries) is illegal to execute a network scan and after that execute a brute force of the discovered services without to ask a written permission before to the owner, in Italy this is a criminal offence and if the activity create damages there is a increase of punishement.
I will suggest to AVG at least to warn the user before the network scanning and providing a report with all the "border line" actions at the end of the scan.

Veeramani SivakumarVeeramani Sivakumar (Sitel)
Hello Dinilo, 

Thank you for the suggestion. We will forward your feedback to concerned team to improve the our product features. 

If you need any help with AVG, feel free to contact us at anytime. 
She LobShe Lob
Danilo is absolutely right and I have just experienced the exact same behavior on my son's laptop. The same list of user accounts and brute-force hack attempts. Took me 2 hours to troubleshoot and try various virus and malware scanners.
It is clearly AVG that is triggering this network scan and brute-force attack. This is entirely unacceptable and in many countries ILLEGAL !!!! As a result a NAS server that is part of my home network blacklisted the related IP. So because of this unacceptable scan any shares on that NAS can no longer be accessed from that laptop. Ridiculous.
What is the purpose of this? Well, given the user names that are tried here AVG is scanning the network to find any attached IP cameras which have their default logins enabled. Probably to then try and upsell a full license to address that. Sorry guys, that is not acceptable.
The fact that the initial responses dodged the very clear question but also tried to upsell does not make that better.
I STRONGLY advise your strategic and legal team to look at this and remove this practice immediately. For me, I will remove all your products immediately and will never install nay of them ever again.
Hari ShankarHari Shankar (Avast)
Hello She,
We're sorry to know that you feel this way.
Please be informed that AVG is designed to protect your computer against harmful viruses, threats and hackers. It will block the unknown connections and malicious activities on your PC, it will protect your pc in real-time.
For better clarification, we request you to create a separate AVG community post by clicking the link below and post your questions in your own post.
Thank you for your understanding.
Danilo MassaDanilo Massa
Hello Hari,
from your answer "AVG is designed to protect your computer" but in my humble opinion it do not must try to damage the other computers/devices connected to my network without at least provide a clear information BEFORE to execute this kind of activity.

Sreenu YadavalliSreenu Yadavalli (Avast)
Hello Danilo,

We apologize for the inconvenience caused to you.
We have escalated this case to our senior level team and they will help you with the update via. email.
Request your patience and understanding!
Thank you.
Jovana LeticaJovana Letica (Avast)

Hello Danilo. I'm Jovana from senior support and I'll gladly help.

I understand how these "attacks" may seem, and I'm sorry for the worry caused by it, but they are a genuine performance of the Network Inspector feature.

In simple words, AVG Internet Security's feature, Network Inspector, is occasionally running a background scan of network devices, to check for any "weak" or "default" passwords. This is what you're seeing in the mentioned reports.
You can turn this scan off in AVG Internet Security's app:
Menu > Settings > Basic Protection > Network Inspector > uncheck the box next to "Rescan home networks automatically"

If you find any intrusions after you've turned the scan off, please let me know so we can further investigate.

I hope this clarifies. Feel free to write back if you need any other help.

Pal DosanjPal Dosanj
        thanks for posting this here!

Around the same time I have also been bruteforce "attacks" trying to access some of my home network devices.  Firstly, my wifes notebook and then my son's & I was also able to trace it back to when AVG was running scans on their notebooks.

This is definately a feature was only just recently enabled by AVG.  Plus, I see no need for this type of activity.  We do not even know what AVG are doing with the data even if you were successful in gaining access to other devices.

So, on public networks it may seem that my notebook is trying to potentially brute "attack" other devices.  

This is totally unacceptable. 



Veeramani SivakumarVeeramani Sivakumar (Sitel)
Hello Pal,

We are sorry if you feel like that. We will surely check and help you to clarify it.
Could you please share the screenshot (https://support.avg.com/SupportArticleView?urlname=AVG-Create-screenshot) of the "attack message" which you received from other connected devices? 
Also, please confirm the version of AVG Internet Security program and operating system installed in your devices. 
You can post the screenshot here in your topic. Click on Answer & then click on the Image [mountain symbol] & follow the instructions. Thanks in advance.
Ask a question
Struggling with non-AVG technology? We can fix that, too!