Get this font in here!
This Article Applies to:
- Avast Small Business Solutions
- Avast Small Office Protection
Remote Desktop Protocol (RDP) is considered the most dominant cybersecurity attack vector. Besides spreading malware, RDP attacks are used by skilled hackers to infiltrate corporate environments. RDP evades security layers in most antivirus software and compromises the system directly.
The two most common ways of using RDP to gain access to a computer are:
- Brute-force attack: The attackers attempt to sign in to an account by using trial-and-error methods. These can include repeatedly trying to log in with commonly used or stolen credentials, leading to many failed sign-ins occurring over very short time frequencies, typically minutes or even seconds.
- Unpatched OS: The operating system is vulnerable to known Remote Desktop exploits. An example is BlueKeep, which allows the attacker to run malicious code in the kernel memory of the server, taking control of the entire system.
Avast's Remote Access Shield protects your devices from Remote Desktop vulnerabilities by:
- Letting you choose who can remotely access the protected computer using Remote Desktop, blocking all other connection attempts
- Automatically blocking any brute-force attacks trying to crack the protected computer's credentials
- Automatically blocking connections attempting to use Remote Desktop exploits like BlueKeep to take control of the protected computer
- Automatically blocking Remote Desktop connections from high-risk IP addresses
- Notifying you about Remote Desktop connection attempts blocked by Avast
This component can be accessed from the
On the Remote Access Shield screen, you can enable/disable the component and view the connection attempts on the system.
If no connections have been attempted, there will be an empty landing screen.
If a connection is attempted, it will be listed here with its result (allowed or blocked), including the exact date and time and the IP address from where the connection was made.
Hovering over the information icon (next to each entry) will provide some detail about the connection type.
Configuring Remote Access Shield Settings
Advanced Remote Access Shield settings can be accessed by either clicking the gear icon on the Remote Access Shield screen or navigating to Menu > Settings > Protection > Remote Access Shield.
The following options are available here:
- Enable RDP protection: Monitors RDP connections and blocks any threats
- Enable Samba protection: Samba (SMB) is used for remote connection to file shares in a network, enabling this feature will block any threats using this protocol
- Notify me about blocked
connection attempts: Displays dialog to the local user about blocked connections (see Receiving Blocked Connection Notifications)
- Block brute-force attacks: Prevents multiple attempts to crack RDP, SMB
- Block malicious IP addresses: Blocks connections from known malicious IP addresses
- Block Remote Desktop exploits: Protects the device against known RDP exploits
- Block all connections except the following: Allows adding IP addresses to allow those connections (see Allowing Specified Connections Only)
When the Notify me about blocked connection attempts setting is enabled, the Incoming connection blocked notification will pop up each time a remote connection is prevented. To see information such as the detection type and the IP address from which the connection was attempted, expand the detail section.
Remote Access Shield will display several types of detections:
- High-risk IP addresses: Malicious IP addresses that are dangerous to RDP connections
- Brute-force attacks: Multiple unsuccessful log in attempts trying to access your PC
- Remote Desktop exploits: RDP vulnerabilities used by hackers to take control of your PC and spread malware
There is no action needed from the user, as the connection is simply blocked. The following settings will automatically apply to protect against malicious connection attempts:
- 6 unsuccessful RDP connection attempts in 10 seconds
- 12 unsuccessful SMB connection attempts in 10 seconds
A brute-force attack detection will block the detected IP address for 24 hours.
To allow only certain Remote Desktop connections:
- Tick the checkbox next to the Block all connections except the following setting
- In the dialog that opens, enter the IP address or range from which you want to allow connections
- Click Allow
The added IP address/range will be visible at the bottom of the settings screen. Hovering over the entry will display the options to edit or remove it. Clicking the Add button will let you to add more addresses to the list.
Note that this list will not override brute-force attack blocks.
The option is not a true "exception" list, brute-force detections will not be overridden by the list. In most cases, there is a misconfigured device in the network causing false alerts.
If there is an incorrect block, contact Avast Business Support.
RDP and Samba (SMB). More may be added in the future.
Windows desktop and Windows server.
Use strong passwords, and only allow trusted IP addresses to connect to the devices.
Other Articles In This Section: