itman, posted December 1, 2018 (edited):
This morning I received the following alerts for the first time ever. Note that both times these alerts were generated I was on the Eset forum web site using IE11. Note the IP address, which is Akamai: The alert also stated that malicious traffic was being sent from my PC via ICMP. Looking at the Eset default firewall rules in regards to ICMP IPv4, the only outbound connections allowed are for echo and to 224.0.0.0/4, Trusted Zone, and local connections. There is nothing defined in Trusted Zone and I use the Public profile. The only suspect in local connections is localhost; 127.0.0.x. This leads to the next screen shot: Note the Eset proxy activity being sent to the same Akamai IP address associated with the alerted ICMP activity. Now what I have done is run ipconfig /flushdns to clear the local DNS cache, which appears to have so far stopped the Eset ICMP alerts. But I really would like to know what is going on here.
Edited December 1, 2018 by itman
Marcos (Administrator), posted December 1, 2018:
This detection is known to cause false positives since many applications send data in ICMP packets. If I remember correctly, Skype is one of them. The detection was planned to be removed from IDS completely in the future. If you would like us to investigate the detection, enable advanced network protection logging, capture such communication, disable logging and provide me with ELC logs.
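The reply above explains why a generic "data sent in ICMP packet" rule fires on legitimate software: the rule cannot tell ping filler from application data. The script below is an added example (not ESET code and not derived from its IDS rules) showing the kind of payload inspection such a rule performs and why a plain echo request passes while an application payload does not. It parses ICMP echo messages, verifies the RFC 1071 checksum, and classifies the payload as standard ping filler, readable text or opaque bytes. The Windows and iputils filler patterns, the 90% printable threshold and the sample packets are all assumptions constructed for the example.

```python
"""Inspect ICMP echo payloads the way a host IDS "data in ICMP packet" rule
might: separate the fixed filler that ping tools send from payloads that
carry application data. Added example; not ESET code. Filler patterns and
thresholds are assumptions, not rules taken from the thread."""
import hashlib
import math
import struct
from collections import Counter

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Filler that Windows ping.exe puts in its 32-byte echo payload (assumption
# based on commonly observed captures).
WINDOWS_PING_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1,
               icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Build an ICMP echo message with a valid checksum (constructed data)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(message: bytes) -> dict:
    """Split an ICMP message into header fields and payload; verify checksum."""
    if len(message) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "payload": message[8:],
        # Summing a message that includes its own checksum folds to zero.
        "checksum_ok": icmp_checksum(message) == 0,
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; log2(len(data)) is the ceiling for short payloads."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_iputils_filler(payload: bytes) -> bool:
    """Linux iputils ping: 8- or 16-byte timestamp, then 0x10, 0x11, ...
    (assumed pattern: byte at payload offset i equals (i + 8) & 0xFF)."""
    for ts_len in (8, 16):
        if len(payload) > ts_len and all(
            payload[i] == ((i + 8) & 0xFF) for i in range(ts_len, len(payload))
        ):
            return True
    return False


def classify_payload(payload: bytes) -> str:
    """Return 'empty', 'standard-ping', 'text-data' or 'opaque-data'."""
    if not payload:
        return "empty"
    if payload == WINDOWS_PING_FILLER or is_iputils_filler(payload):
        return "standard-ping"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if printable / len(payload) >= 0.9:
        return "text-data"      # an application carrying readable data
    return "opaque-data"        # binary, compressed or encrypted content


def inspect(messages) -> list:
    """One finding per echo message: seq, verdict, entropy, checksum state."""
    findings = []
    for raw in messages:
        p = parse_icmp(raw)
        if p["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        findings.append({
            "seq": p["seq"],
            "verdict": classify_payload(p["payload"]),
            "entropy": round(shannon_entropy(p["payload"]), 2),
            "checksum_ok": p["checksum_ok"],
        })
    return findings


# Constructed sample traffic: a normal Windows ping, an application stuffing
# readable text into an echo request, and a binary blob (a hash digest).
SAMPLE_MESSAGES = [
    build_echo(WINDOWS_PING_FILLER, seq=1),
    build_echo(b"node=host01;status=ok;uptime=86400;ver=1.0", seq=2),
    build_echo(hashlib.sha256(b"constructed opaque payload").digest() * 2, seq=3),
]

if __name__ == "__main__":
    for finding in inspect(SAMPLE_MESSAGES):
        print(finding)
```

Run it directly to see one finding per sample message; only the first is classified as ordinary ping traffic, which is exactly the distinction a signature-style rule has to make before deciding whether an "exception by process" is appropriate.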
itman, posted December 1, 2018:
Quoting Marcos: "This detection is known to cause false positives since many applications send data in ICMP packets. If I remember correctly, Skype is one of them. The detection was planned to be removed from IDS completely in the future."
I don't use Skype. I will not worry about it for the time being unless it reappears in any frequency. I am curious as to why Eset appears to be sending outbound traffic directly from its internal proxy?
itman, posted December 2, 2018 (edited):
@Marcos, fairly certain I have identified the source of the alert. Alert time corresponds to startup of a scheduled task running sedlauncher.exe that was installed courtesy of KB4023057. This bugger is Microsoft's monitoring of Win10 1803 for suitability to upgrade to 1809. When the alert appears, is there a way to create an exception by process name? Never mind, found out how to do so.
Edited December 2, 2018 by itman
itman, posted December 2, 2018:
Well, that didn't work. Only God knows what the heck Microsoft is doing to initiate the ICMP outbound connection. So I am just allowing that single IP address for the time being.