
Remote Access Shield

This Article Applies to:

  • Avast Business Hub

 

Remote Desktop Protocol (RDP) is considered the most dominant cybersecurity attack vector. Besides spreading malware, RDP attacks are used by skilled hackers to infiltrate corporate environments. RDP-based attacks evade the security layers in most antivirus software and compromise the system directly.

The two most common ways of using RDP to gain access to a computer are:

  • Brute-force attack: The attackers attempt to sign in to an account by trial and error. This can include repeatedly trying to log in with commonly used or stolen credentials, which produces many failed sign-ins within a very short time frame, typically minutes or even seconds.
  • Unpatched OS: The operating system is vulnerable to known Remote Desktop exploits. An example is BlueKeep, which allows the attacker to run malicious code in the kernel memory of the server, taking control of the entire system.

 

Avast's Remote Access Shield is designed to protect your devices from Remote Desktop vulnerabilities by:

  • Letting you choose who can remotely access the protected computer using Remote Desktop, blocking all other connection attempts
  • Automatically blocking any detected brute-force attacks trying to crack the protected computer's credentials
  • Automatically blocking detected connections attempting to use Remote Desktop exploits like BlueKeep to take control of the protected computer
  • Automatically blocking detected Remote Desktop connections from high-risk IP addresses
  • Notifying you about Remote Desktop connection attempts blocked by Avast

Configuring Remote Access Shield Settings

To access Remote Access Shield settings:

  1. Open the Policies page
  2. Click the desired policy to open its Detail drawer
  3. Click the Settings tab, then Antivirus
  4. Expand the Remote Access Shield section

Here, you can enable/disable the following options:

  • Protect me when using Remote Desktop connections: Monitors RDP connections and blocks any threats
  • Protect me when using Samba connections: Samba (SMB) is used for remote connections to file shares in a network. Enabling this feature will block any threats using this protocol
  • Notify me about blocked connections: Displays a dialog to the local user about blocked connections (see Receiving Blocked Connection Notifications)
  • Block brute-force attacks: Prevents repeated attempts to crack RDP and SMB credentials
  • Block malicious IP addresses: Blocks connections from known malicious IP addresses
  • Block Remote Desktop exploits: Protects the device against known RDP exploits
  • Block all connections except the following: Allows adding IP addresses to allow those connections (see Allowing Specified Connections Only)

Receiving Blocked Connection Notifications

When the Notify me about blocked connections setting is enabled, the Incoming connection blocked notification will pop up on the end device each time a remote connection is prevented.

Remote Access Shield will display several types of detections:

  • High-risk IP addresses: Malicious IP addresses that are dangerous to RDP connections
  • Brute-force attacks: Multiple unsuccessful login attempts trying to access your PC
  • Remote Desktop exploits: RDP vulnerabilities used by hackers to take control of your PC and spread malware

No action is needed from the user, as the connection is simply blocked. The following thresholds are applied automatically to protect against malicious connection attempts:

  • 6 unsuccessful RDP connection attempts in 10 seconds
  • 12 unsuccessful SMB connection attempts in 10 seconds

A brute-force attack detection will block the detected IP address for 24 hours.

Allowing Specified Connections Only

To allow only certain Remote Desktop connections:

  1. Tick the checkbox next to the Block all connections except the following option
  2. Click + IP addresses for exclusions
  3. In the dialog that opens, enter the IP address(es) or range(s) from which you want to allow connections
  4. Click IP addresses for exclusions

The specified IP address(es)/range(s) will then be added to the list. You can edit/remove any entry using the pencil/trash bin icon in the Actions column.

Note that this list will not override brute-force attack blocks.
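
The thresholds, the 24-hour block and the rule that the allowlist does not override brute-force blocks can be modelled as follows. This is an added example, not Avast's code: counting per source IP and protocol, the sliding-window boundary handling and all names are assumptions, and the addresses are constructed from documentation ranges.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WINDOW_S = 10                       # detection window stated in the article
THRESHOLD = {"RDP": 6, "SMB": 12}   # failed attempts per window, from the article
BLOCK_S = 24 * 3600                 # block duration stated in the article


class RemoteAccessModel:
    """Hypothetical model of the documented behaviour (names are assumptions)."""

    def __init__(self, allowed=(), allow_only=False):
        self.allowed = [ip_network(n, strict=False) for n in allowed]
        self.allow_only = allow_only          # "Block all connections except the following"
        self.failures = defaultdict(deque)    # (ip, proto) -> failure timestamps
        self.blocked_until = {}               # ip -> time at which the block expires

    def connection_permitted(self, ip, now):
        # Brute-force blocks are checked first: the allowlist does not override them.
        if self.blocked_until.get(ip, 0) > now:
            return False
        if not self.allow_only:
            return True
        return any(ip_address(ip) in net for net in self.allowed)

    def record_failure(self, ip, proto, now):
        """Record one failed sign-in; return True if it triggers a block."""
        q = self.failures[(ip, proto)]
        q.append(now)
        while q and now - q[0] >= WINDOW_S:   # drop attempts outside the window
            q.popleft()
        if len(q) >= THRESHOLD[proto]:
            self.blocked_until[ip] = now + BLOCK_S
            q.clear()
            return True
        return False


def replay(model, events):
    """events: (timestamp_s, ip, proto) failed sign-ins; returns the IPs blocked."""
    return [ip for ts, ip, proto in events if model.record_failure(ip, proto, ts)]


# Constructed sample events, not real indicators.
EVENTS = (
    [(t, "203.0.113.7", "RDP") for t in range(6)]               # 6 failures in 6 s
    + [(t * 5, "198.51.100.9", "RDP") for t in range(6)]        # 6 failures over 25 s
    + [(100 + t * 0.5, "192.0.2.10", "SMB") for t in range(12)] # 12 failures in 5.5 s
)
```

In this model the slow source at one attempt every five seconds never reaches the RDP threshold, which is why rate-based blocking is combined with the allowlist and the high-risk IP check.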

FAQ