itman

Suspicious Eset Forum Activity


This morning I received the following alerts for the first time ever. Note that both times these alerts were generated I was on the Eset forum web site using IE11. Note the IP address which is Akamai:

[Screenshot: Eset_ICMP alert]

The alert also stated that malicious traffic was being sent from my PC via ICMP. Looking at the Eset default firewall rules in regards to ICMP IPv4, the only outbound connections allowed are for echo and to 224.0.0.0/4, Trusted Zone, and local connections. There is nothing defined in Trusted Zone and I use the Public profile. The only suspect in local connection is localhost; 127.0.0.x. This leads to the next screen shot:

[Screenshot: Eset_Proxy connections]

Note the Eset proxy activity being sent to the same Akamai IP address associated with the alerted ICMP activity.

Now what I have done is run ipconfig /flushdns to clear the local DNS cache which appears to have so far stopped the Eset ICMP alerts. But I really would like to know what is going on here. 

Edited by itman


This detection is known to cause false positives since many applications send data in ICMP packets. If I remember correctly, Skype is one of them. The detection was planned to be removed from IDS completely in the future.

If you would like us to investigate the detection, enable advanced network protection logging, capture such communication, disable logging and provide me with ELC logs.

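An added illustration of why an "application data in ICMP" detection is prone to false positives (example code written for this page, not ESET's own IDS logic): it classifies ICMPv4 echo payloads as a standard ping pattern versus arbitrary application data, and applies a destination-IP allowlist of the kind used as a workaround later in the thread. The Windows and iputils payload patterns are assumptions about default ping behaviour, not something the thread states.

```python
import struct

# Default payload of Windows ping.exe: 32 bytes of a repeating alphabet (assumed pattern).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed ICMPv4 echo request (type 8, code 0) used as sample input."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def looks_like_standard_ping(payload: bytes) -> bool:
    """True for the default Windows payload or the iputils pattern (assumption:
    an 8- or 16-byte timestamp followed by bytes equal to their payload offset)."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    n = len(payload)
    for ts_len in (8, 16):
        if n > ts_len and payload[ts_len:] == bytes(i & 0xFF for i in range(ts_len, n)):
            return True
    return False


def classify_icmp(packet: bytes, dst_ip: str, allowlist=frozenset()) -> str:
    """Return 'non-echo', 'bad-checksum', 'allowlisted', 'standard-ping' or 'data-in-icmp'.

    'data-in-icmp' is what a heuristic IDS rule would alert on; any legitimate
    program that carries its own bytes in echo packets lands in the same bucket,
    which is the false-positive mechanism discussed above.
    """
    if len(packet) < 8 or packet[0] not in (0, 8):
        return "non-echo"
    if icmp_checksum(packet) != 0:  # a valid packet sums to zero including its checksum
        return "bad-checksum"
    if dst_ip in allowlist:  # per-IP exception, the workaround chosen in the thread
        return "allowlisted"
    return "standard-ping" if looks_like_standard_ping(packet[8:]) else "data-in-icmp"
```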
2 minutes ago, Marcos said:

This detection is known to cause false positives since many applications send data in ICMP packets. If I remember correctly, Skype is one of them. The detection was planned to be removed from IDS completely in the future.

I don't use Skype. I will not worry about it for the time being unless it reappears in any frequency.

I am curious as to why Eset appears to be sending outbound traffic directly from its internal proxy?


@Marcos, fairly certain I have identified the source of the alert. Alert time corresponds to startup of a scheduled task running sedlauncher.exe that was installed courtesy of KB4023057. This bugger is Microsoft's monitoring of Win10 1803 for suitability to upgrade to 1809.

When the alert appears is there a way to create an exception by process name? Never mind, found out how to do so.

Edited by itman


Well, that didn't work. Only God knows what the heck Microsoft is doing to initiate the ICMP outbound connection. So I am just allowing that single IP address for the time being.
