NoOne

Members
  • Posts

    8
Everything posted by NoOne

  1. OK to be more specific. - I would prefer to be able to change the profile currently in use on the adapter in use at the time - but that would be much more difficult to add I expect. - BUT what should be possible is to have an option that just changes the global default profile on the fly for adapters set to just use the global default. - It would work just the same as going to Settings > Network Protection > Firewall > Firewall Profiles > Global default profile > "Choose what I currently want active". This currently operates as needed without needing to restart or anything; and it also can be changed every few minutes if I wanted; but many more steps than could be. - By using multiple profiles on the "Same Adapter" a user can drill down what they want allowed to happen depending on what they are doing on their computer at the time. I find it very helpful for 1 example of when processing some coding script I do not want interrupted ; I can block all or just selected programs from trying to auto-update as I have different rules depending on the profile selected (and we all know by now how thanks to MS leading the way every company now likes to force updates when they feel like it without giving any option or care about what the user and owner of a computer wants unless they have the money/resources to buy/use enterprise products - example ESET home products with how they like to auto update even when NOT scheduled - and bypass their own firewall rules that should block eset update exe's if wanting to be controlled by the user). Other examples are times I may switch even if just a couple minutes when testing something (this can be a pain due to how many steps it takes - so I may get spammed by unnecessary allow/deny requests and then can't save configuration change alerts due to the backlog until exiting settings, taking care of the prompts and going back in - when a 3 second right click change could happen fast enough to beat the unnecessary requests).
  2. Wondering if I am just missing something or would like to place an idea for future version update. Would like to be able to more easily / quickly switch the Firewall Profile currently active. Good place I thought would be the right click menu from the taskbar icon. Could be a pop-up list and select which you want active of all the ones that have been created. Happy Holidays
  3. Like itman said there have always been public lists. Something that is a + over most others nowadays. And why this OP happened is because maybe something was off. Finding the reg entries is just nice to narrow things down more specifically etc. If a reason.... I found them under one of the folders under here -> HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\
  4. As for the main issue discussion. The pass through of that odd IP backbone stopped happening about the end of last week and started once again going to the normal ESET servers. As part of the other issue I also found a rather nice place in the registry to see the server names and associated IP's that the particular version of the ESET product installed on each machine actually uses so I could more precisely program them in to the firewall and where I can go to look if something ever changes to confirm. Thanks for the help everyone and hopefully it leads to some knowledge gains to further limit future issues.
  5. This part is slightly concerning as it reeks of following the big monopolies like Microsoft that have decided a person's computer is NOT theirs to control and the programs we pay for are also more important than the owners life instead of acting like invited guests that MUST honestly advertise what they do and do it as the user requests when the option is available; not having an option that makes you think it does something but ignores you and does things behind your back. This basically says that ESET considers themselves to be superior to every user including those that may actually have more knowledge of their own personal business or even have experience/training in computers that surpasses them and want to act like big brother, do as we say. It is for your own good; aka jump off a cliff if we tell you. Anyway found the hidden timer based entry that over-rides and triggers the forced auto update and when I get time will be working on a boot-up script to reset it so it only runs when it is requested and considered safe and ready to update by the owner/administrators/me that can determine their own risk factor of how up to date they need to be. We are not talking a business being an open target that someone could get a bunch of money out of; just home users. At least once this auto update gets overridden I can stop blocking the connections on certain computers at a higher level and having an extra step to do when I do want to do an update.
  6. So had a little bit of time to try a couple PC's again. Still going out to same spot and tried dumping all possible DNS caches and pulling from my tertiary DNS provider. What happens is EKRN.exe will check for updates and download - then start processing the updates as normal with IP's in the KB that are already allowed (mainly UM07.eset.com). And then once the progress bar finishes it will attempt the contact to the odd IP and will then say the update failed if it cannot contact (even though I was able to see the files updated via file activity monitor). When I let one PC's EKRN contact this server with extra logging enabled it sent 607 Bytes outgoing. And then by checking timing between logs was apparently attempting to download "repository.eset.com/v1/com/eset/apps/home/security/windows/metadata3.default" Once I let it run this last check it would finish and say completed update in a split second. I manually downloaded this file in my browser and went to same IP but got the file and does not look like anything surprising. Does seem to be some distribution network interfering with a connection to the official IP; something I personally do not like happening. Once this apparently freak redirect stops. Still leaves the extra question of why the program tries to auto update when it is not supposed to (all schedules etc deleted/disabled) And then of course if it can not update when not asked to then throws error warnings that can annoy or scare some non-tech family members. Thanks guys/gals
  7. I have checked and have not found this IP 72.21.81.200 listed in the usual ports and addresses lists that ESET products use. Please update lists and reply what this IP is being used for. Can not update products as they will fail even though it is still contacting the usual other/previous addresses just fine. Sort of a downer to see the only things reported about this IP right now on google being an IP used for basic abuses. Thanks. On a side note why does ESET try updating automatically after 7 days when I have automatic schedules set to disabled/off. A product should do what I TELL IT TO DO even if I decide to let the database get better testing before applying. I should not have to block the update mechanism via better firewalls to stop it doing things itself when I said NO.
  8. So to begin with I am not talking about Auto Update or Live Grid or Parental Control or any other "cloud" connected service that needs to check the most current information online with each page loaded; that I do not use/have turned off on for any particular machine. I would like proper documentation on when EKRN.exe "needs" to connect to online services; as I have not been able to find any information saying WHY it is doing what it is doing, especially being that it needs to send encrypted information that is not told to the user via documentation or even verified 3rd party man-in-the-middle tests verifying what data it is sending/doing. For all I know it is a key/browser logger as any other malicious program that does not ask first to be allowed. The quandary is even greater considering the update process is documented and has options that are obeyed. I have logged this program from both on O/S programs and by my gateway watching the traffic connecting a MINIMUM 5 times per hour (mainly to 137.135.12.16) when it is not expected to from every one of my families computers that I migrated so far; even if I turn off every single feature of the product but leave it on. And if multiple days go by either due to a rarely used computer being offline or any other reason it can't phone home it will go in to a crazy mode of making the attempt EVERY 5 SECONDS Non-Stop until that machine can phone home which of course can just be spamming a local network with unwanted traffic (example: if that particular part of a network is in a secure no-internet mode normally). And causing issues/slow downs on say a low powered laptop that rarely gets online but needs to be working at a drop of the hat or a computer that runs only locally as a media player and has A/V just to check external memory devices getting accessed. It has even caused firewalls on other devices to block the spammers' traffic and cause loss of connection to that device. 
Now as far as I have found from rare notices by other users that did not like some of the operational changes to the program in the latest couple versions. Outside of certain online features as previously mentioned it is mainly just for "license" checks. Now if that is all it is supposed to be doing after not using any Live stuff or device theft that is not even available anyway on a Windows machine it raises the question of what the company thinks of its users/does not care to make things in a moral proper way. Either 1. It is a bad piece of programming on what should trigger a license check. No other "security" program I have used ever needed more than once per day check. And would never go the next level until 30 days have passed. And that is at the worst. Most would only check a month at a time. 2. It is being used to send personal meta data without proper notification or way to turn off. Like tracking laptops around known public hot-spots to sell to marketers. (This could appear very real considering the program even has an Advertisement type switch that is not even fully defaulted to off after install nor is it fully documented as why it is there) 3. It gives the feeling if that much checking is needed that the company treats ALL PAYING customers pirates first and foremost that would steal at the first chance they can. Even if almost all people would not know how anyway. This would be worrisome that someone high up has a mental problem with trust or is infected with major greed where every decimal of a profit counts no matter how it affects long term customer trust. Causing that person to think people would pirate their product for even 15 minutes at random; Let alone go to the trouble just to use for a single day free. So what needs to be turned off to stop this happening more than once per 24 hours and why might so much traffic be needed that otherwise could be run from the normal locally available updated virus/security databases? 
What new release is going to see a fix to its likeliness to spam connection attempts when it does not get what it wants? When is this process going to be documented and given a switch to control its connections (like updating only connects when asked, if set that way)? Thanks for even reading. I do not expect much help in this day, age and penchant for always connected "cloud" junk everywhere. But still hold out hope for some morality in business.