persian-boy, Posted March 14, 2018 (edited):
Today I noticed unusual network traffic for Egui! Any idea what it is? ocsp.comodoca.com
https://www.virustotal.com/#/url/e6674907a57c0e7216ade8897deb3726e600af5041a06341ab2a6a2a20774025/detection
https://isc.sans.edu/forums/diary/ocspcomodocacom+blacklisted+by+comodo+itself/13606/
Since 2 months ago, all my applications (including Windows services/processes) resolve some strange IPs! comodoca is one of those domains! I flashed the BIOS and also DBANed the hard disk, but nothing changed. I think this is about Windows certificates! I can fix the problem by removing some certificates, but then I can't browse the web anymore.
Edited March 14, 2018 by persian-boy
itman, Posted March 14, 2018 (edited):
Try this. Open the ESET firewall rules and disable the default rule for egui. As far as I am aware, it is not used for anything. I say this because on multiple occasions I have enabled the rule, only to note later that it was somehow mysteriously disabled again. This might be due to my customized IDS settings. However, I can't see how IDS would have any impact on egui traffic.
-EDIT- I forgot to mention that when I did enable the default ESET firewall rule for egui, I received an alert that "an insecure firewall rule" had been created. If so, why does the default rule exist in the first place?
Edited March 14, 2018 by itman
persian-boy (Author), Posted March 14, 2018 (edited):
Hi, I tried what you said and disabled the internet connection for Egui. But the question is why does Egui contact a malicious domain? ESET, don't you want to do some investigation? Isn't it important for you? AV processes are all protected and should only contact ESET domains, or perhaps I'm wrong -.- What if something hijacked Egui? What I tried: flashed the BIOS, changed the Windows ISO! Even installed the N version, also wiped the hard disk and reset the router! The problem is still there. These connections are related to Symantec and Comodo. Symantec is malware by nature! Same for Comodo. I would not trust anything that is signed by Symantec or Comodo.
Edited March 14, 2018 by persian-boy
Marcos (Administrator), Posted March 14, 2018:
Malicious domain? Which one? I see that egui contacted ocsp.comodoca.com to check whether the certificate used by a particular server has been revoked. This could happen if ESET warns you about an untrusted certificate and you check the certificate details from the warning window.
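The revocation check Marcos describes, as an added example that is not part of the thread or ESET's own code: a shell script using the openssl CLI that shows where a certificate advertises its OCSP responder (the Authority Information Access extension, which is how a client ends up talking to a host like ocsp.comodoca.com) and what the request sent to that responder contains. It runs offline against a constructed self-signed certificate with a placeholder responder URL.

```sh
#!/bin/sh
# Added example, not from the thread: where a certificate advertises its OCSP
# responder and what the revocation request sent to it contains, run offline.
# Assumes the openssl CLI (1.1.1 or newer, for -addext) is installed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificate: self-signed, carrying an Authority Information
# Access extension with a placeholder OCSP URL (not a real responder).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.constructed.example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    echo "$WORK/cert.pem"
}

# Print the OCSP responder URL embedded in a certificate. A client that
# validates the certificate resolves and contacts this host to ask whether
# the certificate has been revoked, which is the traffic seen in the thread.
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Build the OCSP request a client would send for cert $1 (issued by $2) and
# summarise it: only the hash algorithm, issuer hashes and serial number
# are transmitted, so the request reveals which certificate was checked and
# nothing else about the user or session.
ocsp_request_summary() {
    openssl ocsp -issuer "$2" -cert "$1" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    openssl ocsp -reqin "$WORK/req.der" -text 2>/dev/null \
        | grep -E 'Hash Algorithm|Serial Number' | tr -s ' '
}

CERT=$(make_test_cert)
echo "Responder advertised by the certificate: $(ocsp_uri_of "$CERT")"
ocsp_request_summary "$CERT" "$CERT"
```

Running `ocsp_uri_of` against the certificate of the server you were connecting to tells you which responder host to expect in your firewall or DNS logs.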
persian-boy (Author), Posted March 15, 2018:
Ok, thanks. But I didn't get any alert for untrusted certificates.