Posts posted by RobbK
-
I'm using Outpost Firewall to monitor network activity and access to DNS API.
How are you determining this is occurring? You using Wireshark or the like?
The point is, ekrn.exe queries DNS server every 5 minutes
-
With ALL modules and scheduled tasks disabled the result is the same - a DNS query every 5 minutes.
I'd suggest checking it with LiveGrid disabled. The protection status turns red if LiveGrid is disabled, is that the case?
Of course, disabling LiveGrid is not recommended as it substantially deteriorates protection and cleaning capabilities of the product.
Yes, of course. I should have communicated better.
I assume you are referring to outbound port 53 connections?
While idling I'm seeing unusual DNS requests without subsequent connection originating from ekrn.exe every 5 minutes.
The only outbound connections on port 53 should be to your ISP or third party DNS, if so configured, servers.
The point is, ekrn.exe queries DNS server every 5 minutes, but doesn't establish connection to any address, which seems a lot like a bug.
This behavior is more apparent in my case, as I have DNS caching service disabled on my machine (caching done by server). I believe on most PCs with caching enabled these queries are obscured by more frequent, but less evident calls to DNS cache.
-
While idling I'm seeing unusual DNS requests without subsequent connection originating from ekrn.exe every 5 minutes. I activated the program and updates are coming through just fine, so there is no problem with connection to ESET servers as far as I can tell.
It did start happening after the activation process, which would make sense if there was a subsequent connection (validation checks etc), but I'm seeing no such thing in my firewall logs.
I usually disable LiveGrid and automatic update checks, but I also tested with every module in GUI disabled.
Is this intended behavior? (Win7 64bit, v. 9.0.381.1)
ESET 9 DNS Queries
in ESET NOD32 Antivirus
Posted · Edited by RobbK
Interestingly enough, enabling DNS cache service produces the same behavior and there are no entries added to the cache, so no address is resolved. It seems ekrn.exe is simply probing DNS server every 5 minutes with a packet of the same size.
Could it be some crude way to determine connectivity of the machine? If so, I'm not particularly fond of it.
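
Added example, not part of the original posts and not ESET or Outpost tooling: one way to confirm the pattern described in this thread from a firewall log, by finding processes whose DNS queries recur at a fixed interval and are never followed by a connection from the same process. The log format, the sample lines, the addresses and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in a hypothetical "date time process event destination" format.
SAMPLE_LOG = """\
2016-01-10 12:00:02 ekrn.exe DNS_QUERY 192.168.1.1:53
2016-01-10 12:01:10 firefox.exe DNS_QUERY 192.168.1.1:53
2016-01-10 12:01:11 firefox.exe TCP_CONNECT 203.0.113.20:443
2016-01-10 12:02:00 svchost.exe DNS_QUERY 192.168.1.1:53
2016-01-10 12:03:30 svchost.exe DNS_QUERY 192.168.1.1:53
2016-01-10 12:05:02 ekrn.exe DNS_QUERY 192.168.1.1:53
2016-01-10 12:10:03 ekrn.exe DNS_QUERY 192.168.1.1:53
2016-01-10 12:11:00 svchost.exe DNS_QUERY 192.168.1.1:53
2016-01-10 12:15:02 ekrn.exe DNS_QUERY 192.168.1.1:53
2016-01-10 12:19:40 svchost.exe DNS_QUERY 192.168.1.1:53
2016-01-10 12:20:02 ekrn.exe DNS_QUERY 192.168.1.1:53
"""

def parse_log(text):
    """Return {process: {event_type: [timestamps]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events[parts[2]][parts[3]].append(when)
    return events

def periodic_orphan_queries(text, follow_window=10, jitter=5, min_queries=4):
    """Map process -> interval (s) of fixed-interval DNS queries with no follow-up connection."""
    flagged = {}
    for proc, ev in parse_log(text).items():
        connects = ev["TCP_CONNECT"]
        orphans = sorted(  # queries with no connection within follow_window seconds
            q for q in ev["DNS_QUERY"]
            if not any(0 <= (c - q).total_seconds() <= follow_window for c in connects)
        )
        if len(orphans) < min_queries:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(orphans, orphans[1:])]
        typical = median(gaps)
        if all(abs(g - typical) <= jitter for g in gaps):  # regular, not bursty
            flagged[proc] = typical
    return flagged

if __name__ == "__main__":
    print(periodic_orphan_queries(SAMPLE_LOG))
```

In the constructed sample only ekrn.exe is reported: firefox.exe connects right after its lookup, and the svchost.exe lookups have no follow-up connection but occur at irregular intervals.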