Jump to content

Suspicious Eset Forum Activity


itman
 Share

Recommended Posts

This morning I received the following alerts for the first time ever. Note that both times these alerts were generated I was on the Eset forum web site using IE11. Note the IP address which is Akamai:

Eset_ICMP.thumb.png.d8607d61fabe1260e8f97fd9a6533255.png

The alert also stated that malicious traffic was being sent from my PC via ICMP. Looking at the Eset default firewall rules in regards to ICMP IPv4, the only outbound connections allowed are for echo and to 224.0.0.0/4, Trusted Zone, and local connections. There is nothing defined in Trusted Zone and I use the Public profile. The only suspect in local connection is localhost; 127.0.0.x. This leads to the next screen shot:

Eset_Proxy.thumb.png.2d61fb3591c862e879b5a9df29f9d120.png

Note the Eset proxy activity being sent to the same to the same Akamai IP address associated with the alerted ICMP activity.

Now what I have done is run ipconfig /flushdns to clear the local DNS cache which appears to have so far stopped the Eset ICMP alerts. But I really would like to know what is going on here. 

Edited by itman
Link to comment
Share on other sites

  • Administrators

This detection is known to cause false positives since many applications send data in ICMP packets. If I remember correctly, Skype is one of them. The detection was planned to be removed from IDS completely in the future.

If you would like us to investigate the detection, enable advanced network protection logging, capture such communication, disable logging and provide me with ELC logs.

Link to comment
Share on other sites

2 minutes ago, Marcos said:

This detection is known to cause false positives since many applications send data in ICMP packets. If I remember correctly, Skype is one of them. The detection was planned to be removed from IDS completely in the future.

I don't use Skype. I will not worry about it for the time being unless it reappears in any frequency.

I am curious as to why Eset appears to be sending outbound traffic directly from its internal proxy?

Link to comment
Share on other sites

@Marcos, fairly certain I have identified the source of the alert. Alert time corresponds to startup of a scheduled task running sedlauncher.exe that was installed courtesy of KB4023057. This bugger is Microsoft's monitoring of Win10 1803 for suitability to upgrade to 1809.

When the alert appears is there a way to create an exception by process name? Never mind, found out how to do so.

Edited by itman
Link to comment
Share on other sites

Well, that didn't work. Only God knows what the heck Microsoft is doing to initiate the ICMP outbound connection. So I am just allowing that single IP address for the time being.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...