1. Introduction
avast! Management Server Detection indicates a network management service is listening on your system. This service is used by avast! for remote deployment and management of antivirus software within an enterprise environment. It could allow unauthorized access to the management server, potentially impacting confidentiality, integrity, and availability if compromised. Affected systems are typically those running avast! Distributed Network Manager (ADNM) or avast! Managed Clients.
2. Technical Explanation
The remote service is a broadcast listener for avast! Management Server (AMS). Attackers could exploit this by gaining access to the management server and potentially deploying malicious software or altering configurations. The vulnerability occurs because the AMS service listens on a network port, making it accessible from the network.
- Root cause: The AMS service is listening for broadcast messages on a network port.
- Exploit mechanism: An attacker could connect to the exposed port and attempt to interact with the AMS service without proper authentication or authorization.
- Scope: Systems running avast! Distributed Network Manager (ADNM) and avast! Managed Clients are affected.
3. Detection and Assessment
To confirm vulnerability, check if the AMS service is listening on a network port. A thorough method involves examining network traffic for AMS-related broadcasts.
- Quick checks: Use `netstat -an | grep <port>` to see if the AMS service is listening on any ports. Replace `<port>` with the expected port used by avast! Management Server (default is often 139).
- Scanning: Nessus plugin ID 128765 can detect this issue, but results should be verified manually.
- Logs and evidence: Check system logs for events related to AMS service startup or network activity on the relevant port.
```
netstat -an | grep 139
```
4. Solution / Remediation Steps
Limit incoming traffic to the AMS port if desired. This reduces the attack surface without disrupting legitimate management functions.
4.1 Preparation
- Dependencies: Ensure you understand the impact of limiting access to the AMS port on your avast! management functions. A roll back plan is to restore the original firewall rules or service settings.
- Change window needs: Coordinate changes during a maintenance window to minimize disruption. Approval from the security team may be required.
4.2 Implementation
- Step 1: Configure your firewall to allow only authorized IP addresses to connect to the AMS port (typically TCP port 139).
- Step 2: Block all other incoming traffic on the AMS port.
4.3 Config or Code Example
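Before
```
# Allow all connections to port 139 (example using iptables)
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
```
After
```
# Allow only specific IP address(es) to connect to port 139 (example using iptables)
# <authorized_ip> is a placeholder: substitute the address of each authorized management host
# -A appends to the chain, so remove any earlier broad ACCEPT for this port or these rules never match
iptables -A INPUT -s <authorized_ip> -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j DROP
```
4.4 Security Practices Relevant to This Vulnerability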
- Practice 1: Least privilege. Limiting network access to the AMS port to authorized systems only reduces the impact if the service is exploited.
4.5 Automation (Optional)
```
# Example PowerShell script to restrict port 139 to specific IPs (use with caution)
# Windows Firewall block rules take precedence over allow rules, so a blanket
# "Block AMS" rule on this port would also cut off the allowed IPs. Create only
# the scoped Allow rules and rely on the default inbound action (Block) for
# everything else; disable any broader existing Allow rule for TCP 139.
$allowedIPs = @("192.168.1.10", "10.0.0.5")
foreach ($ip in $allowedIPs) {
    New-NetFirewallRule -DisplayName "Allow AMS from $($ip)" -Direction Inbound -Protocol TCP -LocalPort 139 -RemoteAddress $ip -Action Allow
}
```
5. Verification / Validation
Confirm the fix by checking firewall rules and verifying that only authorized IPs can connect to the AMS port. Perform a service smoke test to ensure avast! management functions are still working correctly.
- Post-fix check: Use `netstat -an | grep <port>` again, and verify it is listening on the expected interface only.
- Re-test: Attempt to connect to the AMS port from an unauthorized IP address; the connection should be blocked.
- Smoke test: Verify that avast! antivirus definitions are still updating and scans are running as expected.
- Monitoring: Monitor firewall logs for any blocked connections to the AMS port, which could indicate attempted unauthorized access.
```
netstat -an | grep 139
```
6. Preventive Measures and Monitoring
- Baselines: Update your security baseline or policy to include a rule requiring restricted access to network management ports like 139.
- Pipelines: Add checks in your CI/CD pipeline to ensure that firewall rules are correctly configured during deployment.
- Asset and patch process: Implement a regular review cycle for firewall rules and security configurations.
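A pipeline check of the kind the Pipelines item describes, as an added example (not part of the original page or any avast! tooling): it audits `iptables -S INPUT` output for the AMS port and flags unauthorized ACCEPT sources, a missing deny, and allow rules that sit unreachable behind a DROP. The function names, the sample rule sets and the IPv4-only allowlist are assumptions; rules that do not name `--dport` for the port are not evaluated.

```python
import ipaddress
import shlex

# Constructed samples in `iptables -S INPUT` format (not captured from a real host).
WEAK = """-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT"""
HARDENED = """-P INPUT ACCEPT
-A INPUT -s 192.168.1.10/32 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j DROP"""
MISORDERED = """-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -s 192.168.1.10/32 -p tcp -m tcp --dport 139 -j ACCEPT"""

def _opt(tokens, flag):
    """Return the value following `flag`, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit_port_rules(rules_text, port, allowed_sources):
    """Audit `iptables -S INPUT` output for one TCP port; return a list of findings."""
    allowed = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
    findings, denied, policy = [], False, "ACCEPT"
    for line in rules_text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens[:2] == ["-P", "INPUT"]:
            policy = tokens[2]
            continue
        # Only rules that name this destination port are audited (assumption).
        if tokens[:2] != ["-A", "INPUT"] or _opt(tokens, "--dport") != str(port):
            continue
        target = _opt(tokens, "-j")
        if "!" in tokens:
            findings.append(f"manual review (negated match): {line}")
        elif denied:
            # First match wins, so a rule after the catch-all deny never fires.
            findings.append(f"unreachable after deny: {line}")
        elif target in ("DROP", "REJECT"):
            denied = _opt(tokens, "-s") is None  # only a source-less deny is a catch-all
        elif target == "ACCEPT":
            src = ipaddress.ip_network(_opt(tokens, "-s") or "0.0.0.0/0")
            if not any(src.subnet_of(net) for net in allowed):
                findings.append(f"source {src} not authorized: {line}")
    if not denied and policy != "DROP":
        findings.append(f"no deny rule or DROP policy for tcp/{port}")
    return findings

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED), ("misordered", MISORDERED)):
        print(name, audit_port_rules(rules, 139, ["192.168.1.10"]))
```

In a pipeline, feed the function the live output of `iptables -S INPUT` from the target host and fail the job when the returned list is non-empty.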
7. Risks, Side Effects, and Roll Back
- Roll back: Remove the firewall rules created in Step 2, restoring the original configuration.
8. References and Resources
- Vendor advisory or bulletin: https://www.avast.com/index
- NVD or CVE entry: Not applicable (Info severity vulnerability).
- Product or platform documentation relevant to the fix: http://files.avast.com/files/eng/adnmag.pdf