Get this font in here!
This Article Applies to:
- Avast Business Hub
Remote Desktop Protocol (RDP) is considered the most dominant cybersecurity attack vector. Besides spreading malware, RDP attacks are used by skilled hackers to infiltrate corporate environments. RDP evades security layers in most antivirus software and compromises the system directly.
The two most common ways of using RDP to gain access to a computer are:
- Brute-force attack: The attackers attempt to sign in to an account by using trial-and-error methods. These can include repeatedly trying to log in with commonly used or stolen credentials, leading to many failed sign-ins occurring over very short time frequencies, typically minutes or even seconds.
- Unpatched OS: The operating system is vulnerable to known Remote Desktop exploits. An example is BlueKeep, which allows the attacker to run malicious code in the kernel memory of the server, taking control of the entire system.
Avast's Remote Access Shield protects your devices from Remote Desktop vulnerabilities by:
- Letting you choose who can remotely access the protected computer using Remote Desktop, blocking all other connection attempts
- Automatically blocking any brute-force attacks trying to crack the protected computer's credentials
- Automatically blocking connections attempting to use Remote Desktop exploits like BlueKeep to take control of the protected computer
- Automatically blocking Remote Desktop connections from high-risk IP addresses
- Notifying you about Remote Desktop connection attempts blocked by Avast
To access Remote Access Shield settings:
- Open the Policies page
- Click the desired policy to open its Detail drawer
- Click the Settings tab, then Antivirus
- Expand the Remote Access Shield section
Here, you can enable/disable the following options:
- Protect me when using Remote Desktop connections: Monitors RDP connections and blocks any threats
- Protect me when using Samba connections: Samba (SMB) is used for remote connection to file shares in a network, enabling this feature will block any threats using this protocol
- Notify me about blocked
connections: Displays dialog to the local user about blocked connections (see Receiving Blocked Connection Notifications)
- Block brute-force attacks: Prevents multiple attempts to crack RDP, SMB
- Block malicious IP addresses: Blocks connections from known malicious IP addresses
- Block Remote Desktop exploits: Protects the device against known RDP exploits
- Block all connections except the following: Allows adding IP addresses to allow those connections (see Allowing Specified Connections Only)
When the Notify me about blocked connections setting is enabled, the Incoming connection blocked notification will pop up on the end device each time a remote connection is prevented.
Remote Access Shield will display several types of detections:
- High-risk IP addresses: Malicious IP addresses that are dangerous to RDP connections
- Brute-force attacks: Multiple unsuccessful log in attempts trying to access your PC
- Remote Desktop exploits: RDP vulnerabilities used by hackers to take control of your PC and spread malware
There is no action needed from the user, as the connection is simply blocked. The following settings will automatically apply to protect against malicious connection attempts:
- 6 unsuccessful RDP connection attempts in 10 seconds
- 12 unsuccessful SMB connection attempts in 10 seconds
A brute-force attack detection will block the detected IP address for 24 hours.
To allow only certain Remote Desktop connections:
- Tick the checkbox next to the Block all connections except the following
- Click + IP addresses for exclusions
- In the dialog that opens, enter the IP address(es) or range(s) from which you want to allow connections
- Click IP addresses for exclusions
The specified IP address(es)/range(s) will then be added to the list. You can edit/remove any entry using the pencil/trash bin icon in the Actions column.
Note that this list will not override brute-force attack blocks.
The option is not a true "exception" list, brute-force detections will not be overridden by the list. In most cases, there is a misconfigured device in the network causing false alerts.
If there is an incorrect block, contact Avast Business Support.
RDP and Samba (SMB). More may be added in the future.
Windows desktop and Windows server.
Use strong passwords, and only allow trusted IP addresses to connect to the devices.
Other Articles In This Section: