ESET Phones home frequently -updates OFF -no active web connection. Why?


So to begin with, I am not talking about Auto Update or LiveGrid or Parental Control or any other "cloud" connected service that needs to check the most current information online with each page loaded; those I do not use/have turned off on every particular machine.

I would like proper documentation on when EKRN.exe "needs" to connect to online services, as I have not been able to find any information saying WHY it is doing what it is doing, especially given that it sends encrypted information that is not described to the user in documentation or verified by 3rd-party man-in-the-middle tests showing what data it is sending/doing. For all I know it is a key/browser logger, like any other malicious program that does not ask first to be allowed. The quandary is even greater considering the update process is documented and has options that are obeyed.

I have logged this program both from on-O/S programs and from my gateway watching the traffic, connecting a MINIMUM of 5 times per hour (mainly to 137.135.12.16) when it is not expected to, from every one of my family's computers that I have migrated so far; even if I turn off every single feature of the product but leave it on. And if multiple days go by, either due to a rarely used computer being offline or any other reason it can't phone home, it goes into a crazy mode of making the attempt EVERY 5 SECONDS non-stop until that machine can phone home, which of course can just be spamming a local network with unwanted traffic (example: if that particular part of a network is in a secure no-internet mode normally). And it causes issues/slowdowns on, say, a low-powered laptop that rarely gets online but needs to be working at the drop of a hat, or a computer that runs only locally as a media player and has A/V just to check external memory devices that get accessed. It has even caused firewalls on other devices to block the spammer's traffic and cause loss of connection to that device.

Now, as far as I have found from rare notices by other users that did not like some of the operational changes to the program in the last couple of versions, outside of certain online features as previously mentioned it is mainly just for "license" checks. Now if that is all it is supposed to be doing, after not using any Live stuff or device theft (which is not even available anyway on a Windows machine), it raises the question of what the company thinks of its users/does not care to make things in a morally proper way.

Either 1. It is a bad piece of programming on what should trigger a license check. No other "security" program I have used ever needed more than a once-per-day check. And would never go to the next level until 30 days have passed. And that is at the worst. Most would only check a month at a time.

2. It is being used to send personal metadata without proper notification or a way to turn it off. Like tracking laptops around known public hot-spots to sell to marketers. (This could appear very real considering the program even has an Advertisement-type switch that is not even fully defaulted to off after install, nor is it fully documented as to why it is there.)

3. It gives the feeling, if that much checking is needed, that the company treats ALL PAYING customers as pirates first and foremost that would steal at the first chance they can. Even if almost all people would not know how anyway. This would be worrisome, that someone high up has a mental problem with trust or is infected with major greed where every decimal of a profit counts no matter how it affects long-term customer trust. Causing that person to think people would pirate their product for even 15 minutes at random; let alone go to the trouble just to use it for a single day free.

 

So what needs to be turned off to stop this happening more than once per 24 hours, and why might so much traffic be needed that otherwise could be served from the normal locally available updated virus/security databases?

 

What new release is going to see a fix to its likeliness to spam connection attempts when it does not get what it wants?

 

When is this process going to be documented and given a switch to control its connections (like updating only connects when asked, if set that way)?

 

Thanks for even reading. I do not expect much help in this day and age, with its penchant for always-connected "cloud" junk everywhere. But I still hold out hope for some morality in business.

Administrators

137.135.12.16 is the IP address of the EDF server according to http://support.eset.com/kb332/. Please generate a Wireshark log so that at least two subsequent connection attempts are captured. When done, upload it to a safe location and PM me a download link. Also include the output from ESET Log Collector (see my signature for instructions).
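As an added example (not from this thread, and not ESET's code), here is a small Python check that a defender can run over a gateway connection log to quantify the two patterns the original post describes and the administrator asks to have captured: more contacts to one destination per hour than a policy allows, and back-to-back retry attempts only seconds apart. The log format, the private source addresses and the timestamps are constructed sample data; 137.135.12.16 is the destination named in the thread, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample gateway log, one line per outbound connection:
# "<date> <time> <src> <dst>:<port>". Not a real capture.
SAMPLE_LOG = """\
2016-03-01 10:00:03 192.168.1.20 137.135.12.16:443
2016-03-01 10:11:48 192.168.1.20 137.135.12.16:443
2016-03-01 10:23:10 192.168.1.20 137.135.12.16:443
2016-03-01 10:35:59 192.168.1.20 137.135.12.16:443
2016-03-01 10:47:31 192.168.1.20 137.135.12.16:443
2016-03-01 10:52:02 192.168.1.20 203.0.113.7:443
2016-03-02 08:00:00 192.168.1.21 137.135.12.16:443
2016-03-02 08:00:05 192.168.1.21 137.135.12.16:443
2016-03-02 08:00:10 192.168.1.21 137.135.12.16:443
2016-03-02 08:00:15 192.168.1.21 137.135.12.16:443
"""

def parse_log(text):
    """Group connection timestamps by (src, dst), sorted by time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst_port = line.split()
        dst = dst_port.rsplit(":", 1)[0]
        flows[(src, dst)].append(datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"))
    for ts in flows.values():
        ts.sort()
    return flows

def cadence(timestamps):
    """Peak attempts in any sliding 60-minute window, and the shortest gap (s) between attempts."""
    peak, start = 0, 0
    for end, t in enumerate(timestamps):
        while (t - timestamps[start]).total_seconds() > 3600:
            start += 1
        peak = max(peak, end - start + 1)
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    return peak, (min(gaps) if gaps else None)

def flag_hosts(text, dst, max_per_hour=1, storm_gap=5.0):
    """Per source host contacting `dst`: attempt count, peak per hour, shortest gap,
    whether it exceeds max_per_hour, and whether a retry storm (gap <= storm_gap) occurred."""
    report = {}
    for (src, d), ts in parse_log(text).items():
        if d != dst:
            continue
        peak, gap = cadence(ts)
        report[src] = {"attempts": len(ts), "peak_per_hour": peak, "min_gap_s": gap,
                       "excessive": peak > max_per_hour,
                       "retry_storm": gap is not None and gap <= storm_gap}
    return report
```

Against the sample log, 192.168.1.20 is flagged as excessive (5 contacts within an hour, roughly 11 minutes apart) while 192.168.1.21 is flagged as a retry storm (attempts 5 seconds apart); the same functions can be fed an export of the Wireshark capture the administrator requests.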
