"504 Gateway Time-out" after removing BGPKiller (Avira anti-nag screen)

Just discovered a computer on our network with Avira and a program called "BGPKiller", which seems to kill the nag popups of Avira.

I've uninstalled this BGPKiller, removed Avira, and want to test a legit Avira Endpoint installation, but we can't access Avira anymore from this computer.

Anyone got an idea how to solve this?

  • The computer seems to ping the right IP address when we ping avira.com, and it replies.
  • The computer doesn't seem to have weird entries in its HOSTS file.

When we try to access avira.com from any browser installed on this specific computer, we get "504 Gateway Time-out" error.

Thanks
Christian de Bellefeuille (Programmer) asked:
Dr. Klahn (Principal Software Engineer) commented:
Anyone got an idea how to solve this?

Once a system has been infected, it is no longer trustworthy even if the infection was supposedly removed.  And the best reason for that is:  If anything remains and the system later reinfects itself, the blame will land squarely on your shoulders for saying "It's OK now."

Erase the system drive and restore from the most recent full system backup.
Christian de Bellefeuille (Programmer, Author) commented:
I wouldn't be so sure it's "infected", and this PC is not critical.  Besides this, any idea that would help?

Years ago, there was an era where some toolbars and other stuff installed themselves within the LSP.   We were not saying "Your computer is screwed, reinstall everything".  There were some easy fixes out there.
noci (Software Engineer) commented:
What you can do...
Boot the system from read-only media (DVD, CD-ROM, USB stick only if it can be made physically read-only) with a toolkit you trust (other virus scanners, multiple of them...) and check the drive from there. A LiveDVD should also be able to verify (not using the installed OS) whether there are problems with reaching Avira in a regular way.
If there are still problems ==> there is something between this system & Avira that prevents updates.
If access works, then there is something ON the installed system that blocks access.
Christian de Bellefeuille (Programmer, Author) commented:
I was wrong about the cause of this problem.  I've investigated a little more.  It has nothing to do with this BGPKiller.

All my devices (even those that never had an antivirus on them, like my cell phone) were not able to access the Avira web site at all.

I've tested with my LTE cell phone connection, and it worked perfectly.  I've also bypassed my router to connect directly into my modem to see if it's a web site blocked by my ISP, and it was also working.

So the problem comes from the router itself.
Christian de Bellefeuille (Programmer, Author) commented:
It's a Nighthawk X6 R8000 model.   I've installed the latest firmware a few minutes ago (v1.0.4.12_10.1_46).

The problem is still present.

I checked the router logs; I see that all web sites I'm trying to reach appear there as "site allowed: c.speedtest.net", for example.  But nothing for Avira... not blocked or allowed.

My router doesn't block outgoing connections.   No rules have been set for outgoing.  My UPnP is on to allow incoming to my WDCloud, and I've set some port forwards manually for http/https/ftp to reach my website at home for tests, but it shouldn't be the cause of this problem.
noci (Software Engineer) commented:
On a Linux system use dig (on Windows you probably still need nslookup) to check if the DNS does resolve.
On your phone, try to find out what the IP address of the site is, and check if you can ping it (then whether you can get access by IP).

If needed you could (for testing ONLY) add the Avira site to the hosts file; don't forget to remove it again.

This way you can validate whether the problem is with name resolving or network access.
nslookup may give false positives, due to not only using DNS for resolving names.
Christian de Bellefeuille (Programmer, Author) commented:
@noci:

nslookup www.avira.com gives me some IPv6 addresses:
  • 2a01:138:a001:101:1::1
  • 2a01:138:a001:101:1::2

ping www.avira.com gives me 62.146.210.33 and it replies.

Adding www.avira.com (to 62.146.210.33) doesn't change anything.  Just tested it.  Still have gateway time-out.

The name seems to resolve properly.  It can reach it through http, then the web site pushes us to https, where it screws up.
noci (Software Engineer) commented:
Hm. Are you using a proxy that doesn't recognize the https part, or a firewall that blocks port 443 instead of passing that on?
Are you familiar with curl? It can handle http (and other protocols) from a command line...   (available from: https://curl.haxx.se/ )

curl -v -L http://www.avira.com/  should show what happens behind the scenes.... like below:

$ curl -v -L http://62.146.210.33
* Rebuilt URL to: http://62.146.210.33/
*   Trying 62.146.210.33...
* TCP_NODELAY set
* Connected to 62.146.210.33 (62.146.210.33) port 80 (#0)
> GET / HTTP/1.1
> Host: 62.146.210.33
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Mon, 05 Feb 2018 14:16:23 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://www.avira.com/
<
* Ignoring the response-body
* Connection #0 to host 62.146.210.33 left intact
* Issue another request to this URL: 'https://www.avira.com/'
*   Trying 2a01:138:a001:101:1::2...
* TCP_NODELAY set
*   Trying 62.146.210.33...
* TCP_NODELAY set
* Connected to www.avira.com (62.146.210.33) port 443 (#1)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: serialNumber=HRA 722586; jurisdictionC=DE; businessCategory=Private Organization; C=DE; postalCode=88069; ST=Baden-Wuerttemberg; L=Tettnang; street=Kaplaneiweg 1; O=Avira Operations GmbH & Co. KG; OU=Cloud, Services & Infrastructure; CN=www.avira.com
*  start date: Nov 14 00:00:00 2016 GMT
*  expire date: Feb 12 23:59:59 2019 GMT
*  subjectAltName: host "www.avira.com" matched cert's "www.avira.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Extended Validation Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.avira.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Mon, 05 Feb 2018 14:16:23 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/5.5.9-1ubuntu4.21
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Set-Cookie: language=en; expires=Wed, 07-Mar-2018 14:16:23 GMT; Max-Age=2592000; path=/; domain=.avira.com
< x-frame-options: sameorigin
< Vary: User-Agent, Accept
< Set-Cookie: av_cid=q1ZKzkxRslJKjzdNNLcwMzc2tzAwM0tT0lEqXDBL5JXm5NQCXDA%3D; expires=Tue, 05-Feb-2019 14:16:23 GMT; Max-Age=31536000; path=/; domain=.avira.com
<

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>



(I threw away some cookies... ) This may show what is effectively going wrong from your side.
If a proxy is needed, add --proxy {proxyip} to the list.
Christian de Bellefeuille (Programmer, Author) commented:
As far as I know, there's no proxy on my network.   Maybe one within the router that I'm not aware of?

I've run the command and redirected the output to "avira.html", and I confirm it can reach the web site through http as I've specified.   Of course all the links are dead, but I can load the core of the html file.

Here's what i've got at the beginning:

* Rebuilt URL to: http://www.avira.com/
*   Trying 62.146.210.31...
* TCP_NODELAY set
* Connected to www.avira.com (62.146.210.31) port 80 (#0)
> GET / HTTP/1.1
> Host: www.avira.com
> User-Agent: curl/7.53.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Mon, 05 Feb 2018 21:15:00 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://www.avira.com/
<
* Ignoring the response-body
* Connection #0 to host www.avira.com left intact
* Issue another request to this URL: 'https://www.avira.com/'
*   Trying 62.146.210.31...
* TCP_NODELAY set
* Connected to www.avira.com (62.146.210.31) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:\Program Files\cURL\bin\curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: serialNumber=HRA 722586; jurisdictionC=DE; businessCategory=Private Organization; C=DE; postalCode=88069; ST=Baden-Wuerttemberg; L=Tettnang; street=Kaplaneiweg 1; O=Avira Operations GmbH & Co. KG; OU=Cloud, Services & Infrastructure; CN=www.avira.com
*  start date: Nov 14 00:00:00 2016 GMT
*  expire date: Feb 12 23:59:59 2019 GMT
*  subjectAltName: host "www.avira.com" matched cert's "www.avira.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Extended Validation Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.avira.com
> User-Agent: curl/7.53.1
> Accept: */*

Christian de Bellefeuille (Programmer, Author) commented:
Note: if I run it this way, I'm getting a valid .html file too:

curl -v --tlsv1.0 https://www.avira.com

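The layered check noci describes above (resolve the name, reach the IP, follow the http-to-https redirect with curl -v -L) and the author's later observation that curl --tlsv1.0 succeeds where the default handshake does not, as an added shell example that is not part of the original thread. It assumes a POSIX shell with curl and awk. The two sample traces are hand-written abbreviations of the shape of the traces posted above, not captured output, and 192.0.2.10 / www.example.test are placeholder values; the real host is only given on the command line.

```shell
#!/bin/sh
# Layered reachability triage with curl (added example; assumes curl and awk).
# Usage: sh triage.sh [host]   (with no host it only classifies the samples)

# classify_trace: read `curl -v` output on stdin and print the furthest stage
# reached. With `-L` the http leg (301) comes first, so the final stage
# reported belongs to the https leg, which is the one that matters here.
classify_trace() {
    awk '
    /^\*[ ]+Trying /                            { stage = "resolved" }
    /^\* Connected to /                         { stage = "tcp-connected" }
    /^\* SSL connection using/                  { stage = "tls-handshake-done" }
    /SSL certificate verify ok/                 { stage = "cert-verified" }
    /^> (GET|HEAD|POST) /                       { stage = "request-sent" }
    /^< HTTP\/[0-9.]+ 3[0-9][0-9]/              { stage = "http-redirect" }
    /^< HTTP\/[0-9.]+ 2[0-9][0-9]/              { stage = "http-ok" }
    /^< HTTP\/[0-9.]+ 504/                      { stage = "http-504" }
    /Could not resolve host/                    { stage = "dns-failed" }
    /Failed to connect|Connection refused/      { stage = "tcp-failed" }
    /TLS alert|SSL_ERROR|handshake failure/     { stage = "tls-failed" }
    /Operation timed out|Connection timed out/  { stage = "timed-out" }
    END { print (stage == "" ? "no-trace" : stage) }
    '
}

# run_variant LABEL CURL-ARGS...: one live probe, body discarded, trace
# classified. --max-time turns a GET that never gets an answer into "timed-out".
run_variant() {
    label="$1"; shift
    printf '%-26s ' "$label"
    curl -sS -v -o /dev/null --max-time 15 "$@" 2>&1 | classify_trace
}

# probe_live HOST: walk the layers. The first rows separate DNS, TCP and the
# http->https redirect; the last rows vary only the TLS/ALPN parameters, the
# kind of change (--tlsv1.0 in the thread) that a misbehaving middlebox reacts to.
probe_live() {
    host="$1"
    run_variant "http only"             "http://$host/"
    run_variant "http, follow redirect" -L "http://$host/"
    run_variant "https default"         "https://$host/"
    run_variant "https ipv4 only"       -4 "https://$host/"
    run_variant "https no ALPN"         --no-alpn "https://$host/"
    run_variant "https HTTP/1.1 only"   --http1.1 "https://$host/"
    run_variant "https tls1.0 floor"    --tlsv1.0 "https://$host/"
}

# Constructed sample traces (abbreviated by hand, not captured): the first has
# the shape of the Windows trace in the thread, where the https GET goes out
# and nothing comes back; the second is the same trace completed by a 200.
SAMPLE_HANG=$(cat <<'EOF'
* Rebuilt URL to: http://www.example.test/
*   Trying 192.0.2.10...
* Connected to www.example.test (192.0.2.10) port 80 (#0)
> GET / HTTP/1.1
< HTTP/1.1 301 Moved Permanently
< Location: https://www.example.test/
*   Trying 192.0.2.10...
* Connected to www.example.test (192.0.2.10) port 443 (#1)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
*  SSL certificate verify ok.
> GET / HTTP/1.1
EOF
)
SAMPLE_OK="$SAMPLE_HANG
< HTTP/1.1 200 OK"

if [ $# -gt 0 ]; then
    probe_live "$1"
else
    printf 'sample (hang): %s\n' "$(printf '%s\n' "$SAMPLE_HANG" | classify_trace)"
    printf 'sample (ok):   %s\n' "$(printf '%s\n' "$SAMPLE_OK" | classify_trace)"
fi
```

Run it once from the LAN behind the router and once on the LTE or modem-direct path and compare the rows: a variant that reads timed-out on one path and http-ok on the other, or that flips from timed-out to http-ok when only ALPN or the TLS floor changes, names the layer at which the two paths differ, which is more useful to a vendor than "504 Gateway Time-out".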
Christian de Bellefeuille (Programmer, Author) commented:
My browser doesn't have any proxy setting, no .PAC file anywhere, no WPAD, etc... and it wouldn't be the only web page having this problem.

Seriously, I'm getting to the point that this is a vendetta between Netgear and Avira, because a while ago Avira reported one of the Netgear tools as being a virus.

Another strange point: answers.avira.com is not blocked.  I can see this web page, which shows what I'm talking about regarding the vendetta.
noci (Software Engineer) commented:
In that case this is a clear error in Avira. (Or a whole bunch of official websites have virii...)  I tend to believe Avira is the problem.
I wouldn't claim there is a vendetta..., just some JavaScript on various sites triggers Avira to break up the connection.
(Or a difference in versions.)  The hard part in writing anti-virus software is how to avoid false positives.... and Avira probably still has to learn a few tricks.

Personally I have no anti-virus for browsing; I use uMatrix and only allow active content from sites I trust (I have to do this manually).
uMatrix exists for Chromium & Firefox. (I use the open-source Chromium, not Chrome with Google stuff.)
uMatrix can also filter cookies, images and frames as separate classes.
Christian de Bellefeuille (Programmer, Author) commented:
I personally don't use an antivirus either.  But I have to evaluate what is the best Endpoint solution for a corp.

But I'm afraid it's not a false positive, since I've removed them all.   And the cell phone I've used for the test never had any antivirus installed.

It has to be some bug in the router firmware.   As I've said, bypassing the router (connecting my PC into the modem) solves the problem.

We will never know for sure, because I've not subscribed to their support contract and my router is more than 3 months old.  I've already contacted them, and what they told me can't be told here.
noci (Software Engineer) commented:
There are other providers of routers etc.
Turris Omnia, Zywall, MikroTik (no personal experience)... they all provide routers at reasonable prices.

I used a Netgear switch in the past; I replaced it because of the lack of some functionality that one would still expect to be done by a switch.
Christian de Bellefeuille (Programmer, Author) commented:
If it were not for the lack of support, I would give Netgear a thumbs up.  But on 2 occasions I had to deal with them:
  • I asked them if they could provide release notes explaining what each firmware update fixes.  They asked me how long I had had this router and if I'd paid for a support contract with Netgear.  My $300 router was bought 6 months ago, so... their tech was not very open to giving any information.
  • This problem.

They don't seem to care about solving problems in their firmware.  So I guess that nobody will report this problem to them, and a fix will never be done on that matter.