Client behaviour - Application usage details explanation
Hello everyone,
I have a client inside a network that seems to have something related to Avast:
In reality it is a domain client, without the possibility to install anything.
So I remotely connected to it looking for Avast traces but I did not see something reasonable considering the quick analysis.
Which sort of way of classification does Nebula use to identify "Application usage"?
How can I see if those 337MB are related to web traffic or server traffic? Like where is the origin of this traffic?
All Replies
Hi @GiuseppeR,
Regarding your question, taking Facebook as an example, users do not necessarily need to have the Facebook app installed, but can still browse Facebook via a web browser. In the same way, even if Avast is not installed on the PC, traffic can still be classified as Avast if the client accesses Avast-related domains (website).
To confirm where the traffic is originating from, please follow these steps:
- Create an application profile for Avast.
- Add a security policy that allows/references this application profile.
- Then check the event log — if this rule is hit, you will see the destination IP and port information. This will help verify whether the traffic is indeed originating from Avast servers.
If you still have concerns about the Application Usage results after this check, we would kindly ask you to enable the Zyxel Support Access and provide the Org & site name via private message so that we can further observe and analyze the behavior.
Zyxel Tina
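The last step of the reply above (reading destination IP and port from event-log hits on the new rule) can be summarised per client with a short script. This is an added example, not part of the original thread or Zyxel's tooling: the CSV column names and all log rows are constructed for illustration and are not the Nebula log format; only the rule name "Avast_check" comes from the thread.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of event-log entries (assumed columns, documentation IPs).
SAMPLE_LOG = """\
time,rule,src_ip,dst_ip,dst_port
2025-01-10T09:00:01,Avast_check,192.168.1.50,203.0.113.10,443
2025-01-10T09:00:07,Avast_check,192.168.1.50,203.0.113.10,443
2025-01-10T09:01:12,Avast_check,192.168.1.50,198.51.100.7,80
2025-01-10T09:02:30,Default_allow,192.168.1.23,192.0.2.44,53
2025-01-10T09:05:02,Avast_check,192.168.1.60,203.0.113.10,443
"""


def summarize_rule_hits(log_text, rule_name="Avast_check"):
    """Aggregate hits on one rule per (client, destination IP, destination port)."""
    flows = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["rule"] != rule_name:
            continue  # ignore entries that matched other policies
        key = (row["src_ip"], row["dst_ip"], int(row["dst_port"]))
        flow = flows.setdefault(
            key, {"hits": 0, "first": row["time"], "last": row["time"]}
        )
        flow["hits"] += 1
        # ISO 8601 timestamps sort correctly as plain strings
        flow["first"] = min(flow["first"], row["time"])
        flow["last"] = max(flow["last"], row["time"])
    return flows


def clients_for_rule(flows):
    """List each client that hit the rule with its distinct destinations."""
    per_client = defaultdict(set)
    for src, dst, port in flows:
        per_client[src].add(f"{dst}:{port}")
    return {src: sorted(dsts) for src, dsts in per_client.items()}


if __name__ == "__main__":
    flows = summarize_rule_hits(SAMPLE_LOG)
    for (src, dst, port), f in sorted(flows.items()):
        print(f"{src} -> {dst}:{port} hits={f['hits']} {f['first']}..{f['last']}")
    print(clients_for_rule(flows))
```

The destination IPs in the summary are what to look up (reverse DNS or WHOIS) to confirm they belong to the vendor, and the client list shows which devices to inspect.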
Hi @GiuseppeR,
Sorry for the late reply!
Regarding your question, the settings look correct. Please note that after applying them, you may need to observe for a while until the policy is hit again. If you encounter any further issues, please feel free to provide us with more information so we can assist you better.
Zyxel Tina
Hi @Zyxel_Tina
sent you some examples of those logs, to share details.
Hi @GiuseppeR,
According to the log you provided, we now know the specific clients and timestamps that have Avast-related traffic. We suggest checking with the NAS manufacturer whether their devices have any Avast-related applications or settings that might trigger traffic classified under the "Avast_check" rule.
Please consult your NAS vendor to verify this possibility. If you have any further questions, feel free to share :)
Zyxel Tina
Hi @Zyxel_Tina
sent you IP infos via PM, to avoid publishing them online for privacy.