ESET Endpoint products blocking IP addresses used by Windows


bastitch


One of my sites has about 50 installed users. Yesterday a good 25% of those users started getting dozens of repeated popups about blocking access to an IP address that was originating from their System process, connecting to a remote IP that belongs to an anti-DDoS CDN service. The IP address in question is 69.172.201.153, which belongs to DOSarrest.com.

When I visit that IP in my browser I get a similar message, saying ESET has blocked a malicious website. 

Is this in error? I had a lot of frustrated users calling me yesterday, so much that I had to just send out a mass policy update to turn off web access protection temporarily.

[Attached screenshot: 2017-02-11 12_11_04-Alert! - ESET Endpoint Security.png]


  • Administrators

I don't think that it is a legit wpad proxy configuration file. Also, Locky has been detected on that IP address, and the reason for blocking it was the Sundown exploit.

Check the automatic proxy server configuration in the IE setup and make sure the path to the config file is not set to the above-mentioned URL.

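The check Marcos asks for can be done from PowerShell instead of clicking through Internet Options. The snippet below is an added example, not code from the thread or from ESET: it dumps every location a Windows client can pick up a proxy auto-config (PAC) URL or a WPAD "auto-detect" setting from, so you can confirm none of them point at the blocked host. It assumes Windows PowerShell 5.1 or later on the affected client, run as the affected user; the byte layout of DefaultConnectionSettings is the widely documented one and is treated as an assumption here.

```powershell
# Added example, not from the thread or from ESET: dump every place a Windows
# client can be told where to fetch its proxy auto-config (PAC/WPAD) from.
# Assumes Windows PowerShell 5.1+ on the affected client, run as the affected user.

$ie       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $ie

'--- Per-user (WinINET / Internet Options) settings ---'
'ProxyEnable   : {0}' -f $settings.ProxyEnable
'ProxyServer   : {0}' -f $settings.ProxyServer
'AutoConfigURL : {0}' -f $settings.AutoConfigURL   # "Use automatic configuration script"

# "Automatically detect settings" (WPAD) is stored in a binary blob. Byte 8 holds
# the connection flags (widely documented layout, treated here as an assumption):
# 0x01 direct, 0x02 manual proxy, 0x04 PAC script, 0x08 auto-detect.
$conn = Get-ItemProperty -Path "$ie\Connections" -ErrorAction SilentlyContinue
if ($conn -and $conn.DefaultConnectionSettings) {
    $flags = [int]$conn.DefaultConnectionSettings[8]
    'AutoDetect    : {0}' -f [bool]($flags -band 0x08)
    'PAC enabled   : {0}' -f [bool]($flags -band 0x04)
}

'--- Policy hive: overrides the per-user values when present ---'
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (Test-Path $pol) {
        Get-ItemProperty -Path $pol | Select-Object ProxyEnable, ProxyServer, AutoConfigURL
    }
}

'--- Machine-wide WinHTTP proxy, used by services rather than the browser ---'
netsh winhttp show proxy
```

An empty AutoConfigURL with AutoDetect set to True means the client is not pointed at a fixed PAC file but will still look for one by DHCP option 252 and by resolving wpad.<dns-suffix>; the WinHTTP section matters because services and the System process do not use the per-user Internet Options at all.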

Thanks for the quick reply Marcos. 

I was so sure of the assumption that it was a false positive that I hadn't even stopped to think about it being a real threat. I will re-enable the web access protection and check the proxy setup. Thanks!


So I checked the proxy settings, and there is nothing configured there. However, when I re-enable Web access protection and then access the internet in any way, ESET blocks a bunch of weird connections, all to that same IP but with different URLs, such as hxxp://wpad.******.net/wpad.dat (where ****** is the local Windows domain name of the company). There are also a bunch of random URLs with random characters and no TLD, such as hxxp://ekickejd, and some even show hxxp://****1 (the name of the company's file server).

I've run full scans with ESET and Malwarebytes; both came back clean.

I know this is probably beyond the scope of the help you provide in these forums, but any info you could provide I would appreciate. 

Thanks!

Edited by bastitch
Remove potentially sensitive info

So turns out their local domain, s****r.net, is also a real http domain, s****r.net, and the IP address of that domain is the blocked dosarrest IP from above. 

I still cannot find any malware or any malicious settings in any of the affected machines. 


getting the same ip blocked on my pc

13/02/2017 19:04:02   hxxp://api.cdn.didlr.com/liveTileWin8.xml  Blocked by internal IP blacklist    C:\Windows\explorer.exe    Edd\edd    69.172.201.153    CAEF6938FF6ACA790E36770142374243AB726A76

Edited by Marcos
Log shortened

  • Administrators
22 minutes ago, edd200sx said:

getting the same ip blocked on my pc

You shouldn't be getting this alert unless you are using an outdated engine version. The latest one is 14931.


  • Administrators
19 minutes ago, Rafael Paiva said:

Hi, I have the exact same problems in all laptops at home. Please let me know as soon as you can find out any solutions.

Couldn't it be that it was happening a couple of hours ago but not now any more?


I am not buying this idea that, because ESET fixed the so-called issue by updating signatures, there is no problem. I have several systems continuing to try to make connections to this IP. I have had to block all traffic to this site until someone can better explain what is happening, and I would suggest anyone who has seen this do the same. Marcos, would you please shed some light on this and on ESET's reasoning for allowing communication to continue to this IP and randomized URLs?

"ESET blocks a bunch of weird connections, all to that same IP, but with different urls. Such as hxxp://wpad.******.net/wpad.dat (where ****** is the local Windows domain name of the company). Also a bunch of random URLs with random characters and no TLD such as hxxp://ekickejd, and some are even showing hxxp://****1 (the name of the company's file server)" ??

Additionally, why has it only been reported by few and not all of your customers? I first noticed this issue on the 10th and only when I connected and disconnected to my corporate VPN. I would assume all your customers would have reported this had it been a windows issue? I


Edited by dschwa

Dschwa, that is strange that you are seeing Windows trying to connect to the same IP. What I had figured out was that the company's local domain, let's just say it is companyabc.net, was also the same as a web domain companyabc.net, that the company did not own. On the web companyabc.net was pointing to that IP address that was blocked by ESET. 

The problem happened once users took their PCs outside of the local network and got online. The system was looking for their local domain companyabc.net, and in doing so was calling out to companyabc.net on the web.

I'm not sure why it is doing that, I have not been able to pinpoint the cause.

What worries me is those randomly generated urls that are calling out from Windows. Did you have those as well?

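The finding in the post above generalises: the Windows resolver appends the primary DNS suffix (and any suffix search list or connection-specific suffixes) to unqualified single-label names, so off-network a lookup for a file server name, for wpad, or for a throw-away probe name like hxxp://ekickejd becomes a lookup under the public companyabc.net, and if that public zone has a wildcard A record every one of them lands on the same host. The script below is an added example, not from the thread or from ESET: run on a client while it is off the corporate network, it resolves each suffix, wpad.<suffix> and a random single label under each suffix, and flags any answer that matches the address the thread reports as blocked. It assumes Windows PowerShell 5.1+ with the DnsClient module (Windows 8 / Server 2012 and later); the blocked address is taken from the thread and is the only value you need to change.

```powershell
# Added example, not from the thread or from ESET: check whether this client's
# DNS suffixes collide with a public domain, so that unqualified names leak to
# the internet when the machine is off the corporate network. Run it while OFF
# that network. Assumes Windows PowerShell 5.1+ with the DnsClient module
# (Windows 8 / Server 2012 and later). 69.172.201.153 is the address the
# thread reports as blocked; substitute whatever your own product flagged.

$blockedIp = '69.172.201.153'

# Every suffix the resolver will append to a single-label name.
$primary  = (Get-WmiObject Win32_ComputerSystem).Domain
$suffixes = @(
    @($primary) +
    @((Get-DnsClientGlobalSetting).SuffixSearchList) +
    @(Get-DnsClient | ForEach-Object { $_.ConnectionSpecificSuffix })
) | Where-Object { $_ } | Select-Object -Unique

# A throw-away single-label name like the 'ekickejd' in the thread; if it
# resolves under a suffix, that public zone has a wildcard record.
$random = -join ((97..122) | Get-Random -Count 8 | ForEach-Object { [char]$_ })

foreach ($s in $suffixes) {
    foreach ($name in @($s, "wpad.$s", "$random.$s")) {
        try {
            # -DnsOnly skips the hosts file, LLMNR and NetBIOS so only DNS is tested.
            $ips = @(Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.IP4Address } | ForEach-Object { $_.IP4Address })
        } catch {
            $ips = @()
        }
        if ($ips.Count -eq 0) {
            '{0,-45} no A record' -f $name
            continue
        }
        $flag = if ($ips -contains $blockedIp) { '  <-- matches blocked IP' } else { '' }
        '{0,-45} {1}{2}' -f $name, ($ips -join ', '), $flag
    }
}
```

Reading the output: the bare suffix resolving to a public address while the laptop is off the VPN is the collision itself; wpad.<suffix> resolving means off-network clients with auto-detect enabled will fetch a PAC file from someone else's server, which is why ESET's block of that URL is the one to take most seriously; the random label resolving means a wildcard, so every single-label probe from Windows or a browser will be redirected there too. None of that is fixed on the client: the durable remedy is to run Active Directory under a domain you actually control (or a subdomain of one).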

  • Administrators

The IP address belongs to DOSarrest Internet Security which is a legitimate security anti-DDoS service provider and thus blocking the IP address would not be appropriate.


5 minutes ago, Marcos said:

The IP address belongs to DOSarrest Internet Security which is a legitimate security anti-DDoS service provider and thus blocking the IP address would not be appropriate.

Is it possible that legitimate Windows services are using DOSarrest to host their web apps that are being called to? 
I still haven't found a good reason for the randomly generated URLs that were coming from the System process and talking to that DOSarrest IP.

Edited by bastitch
