itman, posted April 15, 2019 (edited April 15, 2019 by itman)
Note that the IP address is not among those shown in this list: https://support.eset.com/kb332/?locale=en_US&viewlocale=en_US
cyberhash (Most Valued Members), posted April 15, 2019
German cloud host "Hetzner", maybe used for updates or LiveGrid?
Peter Randziak (ESET Moderators), posted April 16, 2019
Hello guys, it does not necessarily mean that ekrn is connecting to it. On some systems ekrn is used as a proxy to be able to scan the traffic, so it may be attributed to it then. So we would need to know the version of OS used, version of our product and ideally the packet capture... Regards, P.R.
Marcos (Administrators), posted April 16, 2019
46 minutes ago, Peter Randziak said: "On some systems ekrn is used as a proxy to be able to scan the traffic, so it may be attributed to it then."
This is true for Windows XP and Windows Server 2003, which is not the case of itman.
itman (Author), posted April 16, 2019 (edited April 16, 2019 by itman)
5 hours ago, Peter Randziak said: "On some systems ekrn is used as a proxy to be able to scan the traffic, so it may be attributed to it then."
I believe this might be part of the explanation, since I was blocking connections to that IP address at the time. Here's the issue. Connections to that IP address started showing up yesterday in ways that didn't look just right to me. BTW - I am running Win 10 x(64) Home 1809 fully patched. Well, lo and behold, today when I start IE11 and immediately browse to the Eset forum web site, the same IP addresses show again. The port 443 connection is OK since it shows Eset is performing SSL scanning on the packets. Perhaps this connection is related to Eset's web site Cloudfront usage?
itman (Author), posted April 16, 2019 (edited April 16, 2019 by itman)
Connections to 195.201.191.2 are definitely related to the Eset forum web site. Appears to be related to some type of captcha processing it's using, perhaps in conjunction with Cloudfront. The IP address shown in the below screenshot also equates to the same German cloud server but this time in Germany. As long as I only see 195.201.191.2 in use by the Eset forum, I am not going to worry about it anymore. Newer and slightly different variation: