droezel, posted October 8, 2018: For the last few days our Palo Alto firewalls have been detecting DNS traffic from ESET nameservers as "DNS Tunnel Data Infiltration Traffic". Traffic: DNS over UDP port 53. More info on this threat type: https://threatvault.paloaltonetworks.com/?query=18003 Does anyone have an idea about what's going on? And what will be broken now, because probably some DNS queries aren't resolving...
droezel (author), posted October 8, 2018: More info about the IPs: https://www.robtex.com/ip-lookup/91.228.166.52 https://www.robtex.com/ip-lookup/38.90.226.11
Nightowl (Most Valued Member), posted October 8, 2018 (edited for spelling): You should report that to Palo Alto so they can check why they are blocking ESET update servers.
Marcos (Administrator), posted October 8, 2018: As suggested, contact Palo Alto Networks to resolve the false positive. Since it is their product that triggers the FP, we cannot influence the detection.
wim, posted October 11, 2018: Palo Alto is blocking this because you are using DNS to pass info through the network. I don't see any reason why ESET would use this covert channel to distribute or receive info to/from clients. We will keep this type of traffic blocked on our network until there is a clear explanation of what kind of info is exchanged via DNS and why it is done this way. If we have clients on our network that have ESET installed and whose installation will not work anymore, we will send them to ESET support. Wim Holemans, Network/Security Team Leader, University of Antwerp
Marcos (Administrator), posted October 11, 2018: DNS requests are used by Parental / Web Control and for license-related purposes. This is a perfectly legitimate use of DNS that is employed by plenty of vendors of legitimate software. If the "spyware" detection is not removed soon, we'll raise an official complaint.
bbahes, posted October 11, 2018: Quote (wim, 2 hours earlier): "Palo Alto is blocking this because you are using DNS to pass info through the network. I don't see any reason why ESET would use this covert channel to distribute or receive info to/from clients. We will keep this type of traffic blocked on our network until there is a clear explanation of what kind of info is exchanged via DNS and why it is done this way. If we have clients on our network that have ESET installed and whose installation will not work anymore, we will send them to ESET support." Is this documented?
itman, posted October 11, 2018: I find it a bit "sanctimonious" that Palo Alto is complaining about this since they do likewise: https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/network/network-dns-proxy/dns-proxy-overview Perhaps ESET's DNS-like activities are getting in the way of theirs?
MichalJ (ESET Staff), posted October 12, 2018: Just to update concerning the DNS usage. ESET services that are using DNS:
- Parental / Web Control, for URL reputation
- Anti-Theft (consumer only), concerning the config change status / updates
- EDF (licensing), concerning the config change status / updates
- Antispam (backup communication), for hashes / status
- AV Cloud (ESET LiveGrid), partial communication
It's described within the following KB article: https://support.eset.com/kb332/?locale=en_US&viewlocale=en_US
bbahes, posted October 12, 2018: Quote (MichalJ, 30 minutes earlier): "Just to update concerning the DNS usage. ESET services that are using DNS: Parental / Web Control, for URL reputation; Anti-Theft (consumer only), concerning the config change status / updates; EDF (licensing), concerning the config change status / updates; Antispam (backup communication), for hashes / status; AV Cloud (ESET LiveGrid), partial communication. It's described within the following KB article: https://support.eset.com/kb332/?locale=en_US&viewlocale=en_US" Correct me if I'm wrong, but I don't see in the KB article a statement that you use DNS for information exchange, only for DNS queries. For example, for ESET LiveGrid you only say "These IP addresses need to be enabled for HTTP port 80. Also, an access to your local DNS server is required for DNS queries on UDP port 53." If port 53 or the DNS protocol is used for something other than name resolution, that should be noted in that text. I don't see a problem in information exchange as long as it's transparent and highlighted clearly in the documentation. That way we could avoid problems with third-party products.
itman, posted October 12, 2018 (edited): FYI, it is no great secret that AV vendors have used DNS tunneling for quite some time. Quote: "Elsewhere, the need for nearly continuous communication with their customers has seen some anti-virus (AV) vendors set up file hash identification routines via DNS." https://www.helpnetsecurity.com/2016/09/19/dns-data-transport/ Quote: "DNS tunneling is commonly used to circumvent security. This can be done for benign reasons like anti-virus updates done by endpoint software." https://help.zscaler.com/zia/about-dns-tunnel-detection It appears to me that the network perimeter security appliance manufacturers are trying to demonstrate their "new and improved" detection methods at the expense of the AV vendors, to counter criticism of their past ineffectiveness against malicious DNS tunnel attacks. EDIT: Also, if one wants to look for nefarious tunneling activities, start looking closely at the manufacturer of the OS you are using, Microsoft.
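The two points above (MichalJ's list of ESET services that exchange hashes and status over DNS, and the observation that AV vendors have long done file-hash identification via DNS) explain why a DNS-tunnel heuristic fires on such traffic: a stream of unique, high-entropy, hash-shaped leftmost labels under one parent domain looks the same whether it carries reputation lookups or exfiltrated data. The script below is an added example, not ESET's or Palo Alto's code. It runs a toy tunnel heuristic over constructed query names (placeholder domains under .example, invented hash and base32-looking labels, assumed thresholds) and shows that the only thing separating a "documented service" verdict from a "tunnel suspect" verdict is an allowlist of parent zones an administrator has verified against vendor documentation, which is exactly what bbahes is asking ESET to publish.

```python
"""Added example: a toy DNS-tunnel heuristic run over constructed queries.

Not ESET's or Palo Alto's code. Thresholds, domains and query names are
assumptions chosen for illustration only.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample query names (not captured traffic). The 32-hex-char
# labels imitate a hash-lookup-over-DNS pattern; the base32-looking labels
# imitate a data-exfiltration tunnel. All domains are placeholders.
SAMPLE_QUERIES = [
    "www.example.com",
    "update.example.org",
    "0123456789abcdef0123456789abcdef.hash.reputation.example",
    "fedcba9876543210fedcba9876543210.hash.reputation.example",
    "a1b2c3d4e5f60718293a4b5c6d7e8f90.hash.reputation.example",
    "mfrggzdfmztwq2lkn5ygsylfmvxhi3bbnrzxi33coi.t.tunnel.example",
    "nbswy3dpo5xxe3denbswy3dpo5xxe3denbswy3dpo5xxe3de.t.tunnel.example",
    "onswg4tfor2hg5dfmzzgc4djn5xa2a4b.t.tunnel.example",
]

# Assumed: parent zones an admin has checked against the vendor's KB article.
DOCUMENTED_SERVICES = frozenset({"reputation.example"})


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def query_features(qname: str) -> dict:
    """Per-query signals a tunnel detector typically looks at."""
    labels = qname.rstrip(".").lower().split(".")
    first = labels[0]
    return {
        # Crude parent-zone guess: the last two labels (real tools use the
        # Public Suffix List; this is an assumption for the example).
        "parent": ".".join(labels[-2:]),
        "first_label": first,
        "longest_label": max(len(label) for label in labels),
        "entropy": shannon_entropy(first),
        # MD5 / SHA-1 / SHA-256 hex digest lengths in the leftmost label.
        "hex_hash_like": re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", first)
        is not None,
    }


def is_tunnel_like(qname: str, min_label: int = 30, min_entropy: float = 3.5) -> bool:
    """Assumed thresholds: a long label, or a high-entropy leftmost label."""
    f = query_features(qname)
    return f["longest_label"] >= min_label or f["entropy"] >= min_entropy


def tunnel_report(queries, documented=frozenset(), min_flagged: int = 3) -> dict:
    """Aggregate flagged queries per parent zone and assign a verdict.

    A zone with at least min_flagged distinct tunnel-like leftmost labels is
    'tunnel_suspect' unless it is on the documented-services allowlist, in
    which case it is 'documented_service'. Everything else is 'benign'.
    """
    per_parent = defaultdict(lambda: {"queries": 0, "unique_flagged": set()})
    for q in queries:
        f = query_features(q)
        entry = per_parent[f["parent"]]
        entry["queries"] += 1
        if is_tunnel_like(q):
            entry["unique_flagged"].add(f["first_label"])

    report = {}
    for parent, entry in per_parent.items():
        n_flagged = len(entry["unique_flagged"])
        if n_flagged >= min_flagged:
            verdict = "documented_service" if parent in documented else "tunnel_suspect"
        else:
            verdict = "benign"
        report[parent] = {"queries": entry["queries"], "flagged": n_flagged, "verdict": verdict}
    return report


if __name__ == "__main__":
    print("Without allowlist:")
    for parent, r in tunnel_report(SAMPLE_QUERIES).items():
        print(f"  {parent:22} queries={r['queries']} flagged={r['flagged']} -> {r['verdict']}")
    print("With documented-service allowlist:")
    for parent, r in tunnel_report(SAMPLE_QUERIES, DOCUMENTED_SERVICES).items():
        print(f"  {parent:22} queries={r['queries']} flagged={r['flagged']} -> {r['verdict']}")
```

Without the allowlist, the hash-lookup zone and the tunnel zone receive the same "tunnel_suspect" verdict, because the heuristic sees only label length and entropy. The practical fix on the firewall side is therefore not to disable tunnel detection but to exempt the specific parent zones the vendor documents; without that documentation an administrator has nothing to allowlist.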
bbahes, posted October 12, 2018: Quote (itman, 6 hours earlier): "FYI, it is no great secret that AV vendors have used DNS tunneling for quite some time: https://www.helpnetsecurity.com/2016/09/19/dns-data-transport/ https://help.zscaler.com/zia/about-dns-tunnel-detection It appears to me that the network perimeter security appliance manufacturers are trying to demonstrate their 'new and improved' detection methods at the expense of the AV vendors, to counter criticism of their past ineffectiveness against malicious DNS tunnel attacks. EDIT: Also, if one wants to look for nefarious tunneling activities, start looking closely at the manufacturer of the OS you are using, Microsoft." Times change, as did ESET Endpoint change over time. For example, v5 did not have an anti-ransomware module; v6 (guessing) and v7 do. As for the Microsoft remark, I would welcome any solution from security vendors, like ESET, that would warn about this activity from Microsoft or any other software vendor and possibly block it on user demand.