Sharman

About Sharman

  • Rank
    Newbie

Profile Information

  • Location
    South Africa
  1. Thanks for the response @Marcos, I will whitelist these IP addresses.

     @peteyt, the "blocked as unsafe" message is from the app I am evaluating, "Blackfog". The IP range has been marked as suspicious because of some of the settings (Geo-fencing) within the application. I'm just trying to be as thorough as possible.

     I asked that question to Blackfog support - they sent me the links below:

     These are the weird IPs that ekm.exe tries to connect to. They are Eset servers, but why do AVs mark them "malicious"?

     91.228.166.xx (various last digits)
     https://hybrid-analysis.com/sample/eb4a7cffa9db131de89e1d4ad60ee5802bae41c0022a138413c2dd63d31a0654?environmentId=120

     38.90.226.13 (various last digits)
     https://hybrid-analysis.com/sample/eb4a7cffa9db131de89e1d4ad60ee5802bae41c0022a138413c2dd63d31a0654?environmentId=120
  2. Hi

     I am currently investigating / evaluating a product for a new client of mine. We are currently managing and checking all outgoing connections from all types of software running on their network. I want to know what the ekrn.exe process is doing when it connects to the following IP addresses. One of the machines on the network is connecting to the following IP addresses on a daily basis.

     Eset IP Address investigation:

     Unsafe connection to 91.228.167.87 (91.228.167.87). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
     Unsafe connection to 91.228.167.137 (91.228.167.137). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
     Unsafe connection to 91.228.167.103 (91.228.167.103). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
     Unsafe connection to 91.228.167.43 (91.228.167.43). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
     Unsafe connection to 91.228.166.45 (91.228.166.45). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
     Unsafe connection to 91.228.165.44 (91.228.165.44). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
     Unsafe connection to 91.228.166.52 (91.228.166.52). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
     Unsafe connection to 91.228.167.46 (91.228.167.46). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
     Unsafe connection to 38.90.226.12 (38.90.226.12). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
     Unsafe connection to 38.90.226.13 (38.90.226.13). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2332
     Unsafe connection to 38.90.226.11 (38.90.226.11). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2332
     Unsafe connection to 91.228.167.86 (91.228.167.86). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2332

     I understand that ekrn.exe is a component of ESET Smart Security. I want to understand what it is actually doing when it connects to these IP addresses - what information is being sent or received?

     The genuine ekrn.exe file is a software component of ESET Smart Security by ESET. ESET Smart Security is an Internet Security Suite that protects computers against malicious programs. Ekrn.exe runs a core kernel driver associated with ESET Smart Security.

     Thanks
     Sharman