bastitch

Members
  • Posts: 8
  • Rank: Newbie
  • Location: USA

Posts by bastitch
  1. Is it possible that legitimate Windows services are using DOSarrest to host their web apps that are being called to? I still haven't found a good reason for the randomly generated URLs that were coming from the System process and talking to that DOSarrest IP.
  2. Dschwa, that is strange that you are seeing Windows trying to connect to the same IP. What I had figured out was that the company's local domain, let's just say it is companyabc.net, was also the same as a web domain companyabc.net, that the company did not own. On the web companyabc.net was pointing to that IP address that was blocked by ESET. The problem happened once users took their PCs outside of the local network, and got online. The system was looking for their local domain companyabc.net, and in doing so calling out companyabc.net on the web. I'm not sure why it is doing that, I have not been able to pinpoint the cause. What worries me is those randomly generated URLs that are calling out from Windows. Did you have those as well?
  3. So turns out their local domain, s****r.net, is also a real http domain, s****r.net, and the IP address of that domain is the blocked DOSarrest IP from above. I still cannot find any malware or any malicious settings in any of the affected machines.
  4. So I checked the proxy settings, and there is nothing configured there. However, when I re-enable Web access protection, and then access the internet in any way, ESET blocks a bunch of weird connections, all to that same IP, but with different URLs. Such as hxxp://wpad.******.net/wpad.dat (where ****** is the local Windows domain name of the company). Also a bunch of random URLs with random characters and no TLD such as hxxp://ekickejd, and some are even showing hxxp://****1 (the name of the company's file server). I've run full scans with ESET and Malwarebytes, come back clean. I know this is probably beyond the scope of the help you provide in these forums, but any info you could provide I would appreciate. Thanks!
  5. Thanks for the quick reply Marcos. I was so sure of the assumption that it was a false positive that I hadn't even stopped to think about it being a real threat. I will re-enable the web access protection and check the proxy setup. Thanks!
  6. One of my sites has about 50 installed users. Yesterday a good 25% of those users started getting dozens of repeated popups about blocking access to an IP address that was originating from their System process, connecting to a remote IP that belongs to an anti-DDoS CDN service. The IP address in question is 69.172.201.153 that belongs to DOSarrest.com. When I visit that IP in my browser I get a similar message, saying ESET has blocked a malicious website. Is this in error? I had a lot of frustrated users calling me yesterday, so much that I had to just send out a mass policy update to turn off web access protection temporarily.
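The mechanism described in posts 2 and 4 is a DNS search-suffix collision: single-label names such as the WPAD host, the file server's short name and the random labels get the machine's DNS suffix appended, so when that suffix is also a domain registered on the public internet by someone else, every such lookup made off-network resolves to that party's server. The following Python script is an added example (not code from the poster or from ESET) that audits a list of blocked URLs for exactly this: it applies the suffix the way the resolver does, resolves through an injectable DNS lookup, and flags names that leave the organisation's address ranges, with WPAD singled out because browsers fetch proxy configuration from it. The domain `companyabc.net`, the file server name `fileserver1`, the internal address ranges and both resolver tables are constructed stand-ins; only the blocked address 69.172.201.153 comes from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Assumed internal AD domain / DNS search suffix (the real one is masked in the thread).
SEARCH_SUFFIX = "companyabc.net"
# Assumed corporate address ranges; anything outside them counts as leaving the network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample of the kind of URLs the post reports being blocked.
BLOCKED_URLS = [
    "http://wpad.companyabc.net/wpad.dat",  # proxy auto-discovery host
    "http://ekickejd",                      # random single-label name
    "http://fileserver1",                   # file server by short name
    "http://update.example.org/",           # unrelated FQDN for contrast
]

# Constructed stand-ins for the two DNS views a laptop sees.
INTERNAL_DNS = {"fileserver1.companyabc.net": "10.0.0.20"}  # on the LAN: only real records


def simulated_internal_dns(name: str) -> Optional[str]:
    return INTERNAL_DNS.get(name)


def simulated_public_dns(name: str) -> Optional[str]:
    # Off-network: the suffix is someone else's registered domain. Modelled as a
    # wildcard record sending everything under it to the blocked address from the thread.
    if name == SEARCH_SUFFIX or name.endswith("." + SEARCH_SUFFIX):
        return "69.172.201.153"
    return None


@dataclass
class LookupReport:
    requested_host: str        # host exactly as it appeared in the URL
    qualified_name: str        # name after the search suffix is applied
    resolved_ip: Optional[str]
    leaves_network: bool       # resolves to an address outside INTERNAL_NETS
    wpad: bool                 # a WPAD lookup: a proxy config would be fetched from here


def qualify(host: str, suffix: str) -> str:
    """Append the search suffix to single-label names, as the Windows resolver does."""
    if "." in host:
        return host.rstrip(".")
    return f"{host}.{suffix}"


def is_internal(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def audit(urls, suffix: str, nets,
          resolve: Callable[[str], Optional[str]]) -> List[LookupReport]:
    """Resolve each blocked URL's host as the client would and flag off-network answers."""
    reports = []
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        fqdn = qualify(host, suffix)
        ip = resolve(fqdn)
        leaves = ip is not None and not is_internal(ip, nets)
        is_wpad = fqdn.split(".")[0].lower() == "wpad"
        reports.append(LookupReport(host, fqdn, ip, leaves, is_wpad))
    return reports


def summarize(reports: List[LookupReport]) -> str:
    lines = []
    for r in reports:
        status = "LEAKS" if r.leaves_network else "ok"
        flag = " (WPAD: proxy config served by an external host)" if r.wpad and r.leaves_network else ""
        lines.append(f"{status:5} {r.requested_host!r:24} -> {r.qualified_name} -> {r.resolved_ip}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("On the corporate LAN:")
    print(summarize(audit(BLOCKED_URLS, SEARCH_SUFFIX, INTERNAL_NETS, simulated_internal_dns)))
    print("\nOff-network, public DNS:")
    print(summarize(audit(BLOCKED_URLS, SEARCH_SUFFIX, INTERNAL_NETS, simulated_public_dns)))
```

Running it shows the contrast the posts describe: on the LAN only the file server resolves, to an internal address, while on public DNS every suffixed name lands on the external host, with the WPAD entry marked as the one that matters most. To use it against real traffic, replace the simulated resolvers with an actual lookup and feed it the hostnames from the blocked-connection log.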