Everything posted by itman

  1. As far as this software goes, it's a PUA: https://forums.malwarebytes.com/topic/240472-removal-instructions-for-wipersoft/
  2. Normally, Telnet is disabled by default on the router. My router's log is full of such like external connection attempts. Also using a cracked Win OS version is "just asking for trouble." Are you also using a cracked Eset version?
  3. Don't believe it's due to log entry volume, but you can look at your existing Eset scheduled log maintenance task and verify that it is running properly. My best guess is the log file got corrupted somehow. Chalk it up to one of those "s*!t happens" Windows happenings.
  4. Referring to the first two postings in this thread, browser ad and JavaScript blocking extensions and the like would not have prevented this activity. It appears something was installed manually. It could have been standalone software. If it was then the following were applicable: 1. The software was installed prior to Eset being installed. 2. Eset's PUA protection was/is not enabled. 3. Eset's PUA detection was ignored and the poster allowed the software installation. Another possibility is the poster either explicitly or inadvertently installed a browser extension that contains the JavaScript code being detected.
  5. All Windows versions through Win 7 are affected. Also older Win Server OS versions.
  6. Microsoft extended support for XP embedded versions just ended on 4/9/2019. I assume that was one factor. Also "in a blast from the past" when MS introduced Win 7, they offered a downgrade option from devices with Win 7 installed to XP for a limited time. This in effect extended XP support on those devices to the end-of-life date for Win 7; i.e. Jan., 2020. The requirement for this was: https://www.computerworld.com/article/2519032/microsoft-extends-windows-xp-downgrade-rights-until-2020.html So technically speaking, Win XP is still supported, albeit in a limited scope.
  7. It is very possible that a recent Win Server OS update is causing this issue. This seems reasonable to me since as you stated, the problem manifested recently and is affecting multiple servers. You really need to contact Microsoft about the IMAGE_STATE_UNDEPLOYABLE issue.
  8. It probably detected this: https://helpdeskgeek.com/free-tools-review/why-you-shouldnt-download-ccleaner-for-windows-anymore/ As this article and others like it state, you shouldn't be using it in the first place.
  9. Here's a Sophos posting where the OP was having SSL protocol scanning issues in an AD environment: https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/47035/certificate-warning-with-https-set-to-url-filtering-only#pi2353=1 . Since I am not knowledgeable when it comes to AD usage, what I gleaned from the postings was the issue had something to do with the option to use AD certificates versus client certs. on Internet traffic. What is needed here is someone using EES in an AD environment to "chime in" here.
  10. Refer to Eset's default firewall rules. Assuming you have made no modifications to those by changing default services settings, Eset's firewall doesn't monitor multicast DNS UDP traffic at all. That is; protocol is UDP, port is 5353, and IP address is 224.0.0.251. What it does monitor is local-link multicast UDP traffic; i.e. IP address 224.0.0.252. Additionally, Eset's Web Filtering protection only monitors port 80/443 traffic as far as I am aware of. Therefore as I see it, Eset cannot be the cause of any external network slowdown activity that's routing its traffic via multicast DNS connection. -EDIT- Another "tidbit" in regards to mDNS UDP port 5353 traffic is that it's used as a backup DNS mechanism if Windows has difficulties connecting using normal port 53 UDP DNS. Of course this implies that Microsoft can use it for its nefarious telemetry activities in Win 10. Again, the hourly activity element is a dead giveaway of Win 10 telemetry activities. I observed it also until I started using O&O Shutup 10 to block most of Win 10 telemetry.
  11. Refer to this article for further information: https://support.eset.com/kb6268/ . I use a Public profile and hence, this Eset feature is not applicable. As such, I can't help you with any questions in regards to it. Also this feature is for scanning one's router connections. If you don't use a router, this feature is non-applicable.
  12. Also as I again understand it on Win 10, an app with an expired cert. will be flagged by UAC: https://www.howtogeek.com/230063/how-to-circumvent-this-app-has-been-blocked-for-your-protection-to-install-apps-in-windows-10/
  13. If it's not countersigned, the cert. will show as expired as is my understanding.
  14. I didn't realize the OP was referring to the cert. for the Eset Installer download. I don't have a downloaded copy of the current installer, but will show a screen shot of the Eset cert. used to sign ekrn.exe. As @Marcos posted, as long as it shows that the cert. is valid on the download .exe, there is nothing to be concerned about:
  15. Appears you are using Eset's Home/Work Network profile. Open Eset's GUI and click on Tools. Next, click on Connected Home Monitor. This will display all devices connected within your local network and their associated names, statuses, and IP addresses. This should allow you to identify what devices are associated with IP addresses 192.168.0.1 and 192.168.0.2.
  16. Eset needs to connect to its servers during the installation procedure. My best guess to the network blocking activity was OpenVPN and/or possibly Tor.
  17. Appears to be his Amazon TV Fire stick dongle attached to one of the TV's HDMI ports. It is used to stream broadcast downloads.
  18. I will also add that Eset IDS has ARP poisoning/spoofing protection enabled by default. Perhaps your reference material is this: https://www.raymond.cc/blog/protect-your-computer-against-arp-poison-attack-netcut/ . To begin with, it's a two year old article referencing Eset Smart Security ver. 8. As far as a NetCut attack goes, the software has to be installed within the local network. Assuming your PC is connected to a router if you disable Eset's "Allow response to ARP requests from outside the Trusted zone" IDS setting, Eset's Network Wizard will show "up the wazoo" blocked ARP requests originating from the router.
  19. Unless there is some issue, all Intrusion Detection settings should be left at their default values.
  20. I will additionally add that for Win 10, hourly outbound mDNS traffic is most certainly Win telemetry traffic. And it is hidden tunnel traffic, so it won't show up in conventional network traffic monitors. Again, all ekrn.exe is doing is filtering this traffic and is not the cause of the traffic.
  21. The info for Eset's Middle East distributor is here: https://www.eset.com/me/about/contact/ . You can reinstall Eset using the license it was installed with on the same device as many times as you want. To install Eset using that license on another device, Eset must be uninstalled on the existing device using that license.
  22. The IP address in the screenshots associated with ekrn.exe is 224.0.0.251. That is, multicast DNS. Cisco has a good article on mDNS here: https://learningnetwork.cisco.com/thread/90038 . It is used by Apple software; primarily by iTunes. It appears to me all Eset via ekrn.exe is filtering is network traffic using mDNS as it should. Your primary concern is why such a large volume of network traffic is using mDNS.
  23. The only other thing I can think of is you have some malware on your PC that is preventing Eset from installing. You might want to create Eset SysRescue bootable media and run an off-line scan with it and see if it detects and removes any malware. Ref.: https://support.eset.com/kb3509/?locale=en_US&viewlocale=en_US
  24. Did you do this? https://support.eset.com/kb2885/?locale=en_US&viewlocale=en_US