
EKRN.exe - Hourly Network Spam


Since the last update of ESET Internet Security (12.1.34.0) I encounter serious issues with "ekrn.exe". First I thought something is wrong with my internet connection but now I'm quite sure that the security program is causing the problems described here: Exactly one hour after the PC and the program started, the process ekrn.exe is spamming my network with data for around 2-3 minutes, blocking bandwidth with up to 10 MBit usage. The result is a lag spike that is really annoying in online games like World of Warcraft. The issue is repeated EVERY new hour again, the whole day and night, presumably an automatic process that is timed hourly. This high bandwidth usage can only be a bug. Otherwise please tell me how I can deactivate it. I've made a screenshot from the resource monitor to illustrate this and also an ESET log* from the corresponding time. Thank you in advance... (*Please tell me if you want to see it. I didn't post it here because of privacy thoughts)

[Screenshot attached: HourlyNetworkSpam.jpg]

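The first post describes the symptom as a few minutes of heavy traffic once an hour, judged by eye from the resource monitor. The following added example (not code from the poster or from ESET) shows how to confirm that pattern from a packet capture instead: it takes (unix_timestamp, bytes) records such as could be exported from a Wireshark capture, sums bytes per minute, flags the minutes above a byte threshold, and checks whether the bursts recur at a fixed interval. The traffic it analyses is constructed to mimic the described symptom; the timestamps, rates and threshold are assumptions.

```python
"""Check a capture for periodic traffic bursts.

Added example for this thread, not code from the poster or ESET. Input is a
list of (unix_timestamp, bytes) packet records; output is the list of bursts
found and the interval at which they recur, if any.
"""
from collections import Counter

BUCKET_S = 60


def build_sample(hours=4, start=1558139040):
    """Constructed traffic: 500 B/s background, plus a 3-minute burst of
    50 x 1250-byte packets per second starting one minute past each hour.
    The start timestamp is an arbitrary minute-aligned value."""
    packets = [(start + sec, 500) for sec in range(hours * 3600)]
    for hour in range(hours):
        base = start + hour * 3600
        for sec in range(60, 240):
            for i in range(50):
                packets.append((base + sec + i / 50, 1250))
    return packets


def bucket_bytes(packets, bucket_s=BUCKET_S):
    """Sum bytes per fixed-size time bucket, keyed by bucket start time."""
    buckets = Counter()
    for ts, size in packets:
        buckets[int(ts // bucket_s) * bucket_s] += size
    return buckets


def find_bursts(buckets, threshold_bytes, bucket_s=BUCKET_S):
    """Return (start, end, bytes) for each run of consecutive buckets
    whose volume is at or above the threshold."""
    bursts = []
    for start in sorted(buckets):
        if buckets[start] < threshold_bytes:
            continue
        if bursts and bursts[-1][1] == start:
            # adjacent to the previous over-threshold minute: extend that burst
            s, e, b = bursts[-1]
            bursts[-1] = (s, start + bucket_s, b + buckets[start])
        else:
            bursts.append((start, start + bucket_s, buckets[start]))
    return bursts


def burst_period(bursts, tolerance_s=120):
    """Median gap between burst starts if all gaps agree within tolerance,
    otherwise None (bursts exist but are not periodic)."""
    starts = [s for s, _, _ in bursts]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if not gaps:
        return None
    median = sorted(gaps)[len(gaps) // 2]
    return median if all(abs(g - median) <= tolerance_s for g in gaps) else None


def analyze(packets, threshold_bytes=1_000_000):
    """Bucket, detect bursts above threshold_bytes per minute, and report
    the burst list, their period and the highest average rate seen."""
    bursts = find_bursts(bucket_bytes(packets), threshold_bytes)
    return {
        "bursts": bursts,
        "period_s": burst_period(bursts),
        "peak_bytes_per_s": max(b / (e - s) for s, e, b in bursts) if bursts else 0,
    }


if __name__ == "__main__":
    result = analyze(build_sample())
    for s, e, b in result["bursts"]:
        print(f"burst {s}..{e}: {b / (e - s) * 8 / 1e6:.2f} Mbit/s")
    print("period (s):", result["period_s"])
```

A period of about 3600 s with bursts of a few minutes is the pattern the thread is about; a capture that shows the bursts but no stable period would point to something reactive (for example, a device answering queries) rather than a scheduled job.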

  • Administrators

Please install Wireshark and start logging network communication when you notice high network traffic by ekrn.exe. Also create a complete application dump of ekrn via the advanced setup -> tools -> diagnostics - Create (dump). Beforehand make sure that you have full application dumps enabled. After changing the setting confirm it by clicking OK.


Leave Wireshark logging the network communication for a few minutes while ekrn is communicating. After saving the log, compress it together with the dump, upload the archive to a safe location and drop me a message with a download link.


The IP address in the screenshots associated with ekrn.exe is 224.0.0.251. That is, multicast DNS. Cisco has a good article on mDNS here: https://learningnetwork.cisco.com/thread/90038 . It is used by Apple software; primarily by iTunes.

It appears to me that all Eset, via ekrn.exe, is doing is filtering network traffic using mDNS, as it should. Your primary concern is why such a large volume of network traffic is using mDNS.

Edited by itman

I will additionally add that for Win 10, hourly outbound mDNS traffic is most certainly Win telemetry traffic. And it is hidden tunnel traffic, so it won't show up in conventional network traffic monitors.

Again, all ekrn.exe is doing is filtering this traffic and is not the cause of the traffic.

Edited by itman

Thank you for the interesting information itman. But even IF it's true that ekrn.exe is not the bad guy in this case, it is still a big bunch of garbage for me that has annoyed me for 3 weeks and I'm really desperate to find a solution. I've just made a Wireshark log and an ekrn dump as described and I hope that you can help me here to solve this. The address today was again 224.0.0.251, up to excessive 10 MBit bandwidth usage for 3 min (every hour). By the way - this is the maximum my internet connection can shoulder. Without doing anything at the PC it's normally pending around 10 KB/s and also with using the web browser and playing online it NEVER reaches these values (<1 MBit). So I would be very thankful to find a way to block this stupid process completely.

I don't use any programs from APPLE and never did. If I have something from this company on my PC it was not on purpose. Nevertheless - like many - I'm using Windows 10. I hope it's still possible to see in the logs what I can do to get rid of this. Cannot believe that this is a "normal" thing. For this it's too far-reaching and destructive.

@Marcos: I will send you the download link from Amazon Drive. It's my first time using this. Hope it will work.


  • Administrators

Most of the packets and communications are MDNS, there was basically no communication through other protocols:

MDNS is allegedly not natively supported by Windows and you need a 3rd party application like Bonjour to support it, however, it was not among installed or running applications (could be a different one).

What device is 192.168.0.212? There are many repetitive MDNS queries for "amazon-399dfd5f2.local", what is that?

206    0.058018    2019-05-18 02:35:52,484647    192.168.0.13    192.168.0.212    MDNS    82    Standard query 0xfa0b A amazon-399dfd5f2.local, "QM" question   

Maybe related to this?


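Marcos's reply above identifies the chatty device by reading the packet list for repeated mDNS queries. The following added example (not ESET's code and not something Marcos or the poster ran) does the same triage mechanically: it parses Wireshark packet-list lines in the layout quoted above (No., delta time, absolute time, source, destination, protocol, length, info), counts mDNS bytes per source and queries per (source, queried name), and returns the most repeated query. Line 206 of the sample is the one quoted in the thread; the other lines, the second hostname and the 198.51.100.10 address are constructed.

```python
"""Aggregate mDNS activity from Wireshark packet-list lines.

Added example for this thread; it is not ESET's code. It assumes packet-list
lines exported from Wireshark, tab- or multi-space-separated, in the column
order: No., delta time, absolute time, source, destination, protocol, length,
info.
"""
import re
from collections import Counter

# Constructed sample: line 206 is the one quoted in the thread; the rest are
# made up to show a response, a second device and ordinary unicast DNS.
# _example-service._tcp.local and 198.51.100.10 are placeholders.
SAMPLE_LINES = [
    '206\t0.058018\t2019-05-18 02:35:52,484647\t192.168.0.13\t192.168.0.212\tMDNS\t82\tStandard query 0xfa0b A amazon-399dfd5f2.local, "QM" question',
    '207\t0.003110\t2019-05-18 02:35:52,487757\t192.168.0.13\t192.168.0.212\tMDNS\t82\tStandard query 0xfa0c A amazon-399dfd5f2.local, "QM" question',
    '208\t0.010402\t2019-05-18 02:35:52,498159\t192.168.0.212\t224.0.0.251\tMDNS\t128\tStandard query response 0xfa0b A, cache flush 192.168.0.212',
    '209\t0.512000\t2019-05-18 02:35:53,010159\t192.168.0.38\t224.0.0.251\tMDNS\t90\tStandard query 0x0000 PTR _example-service._tcp.local, "QM" question',
    '210    0.100000    2019-05-18 02:35:53,110159    192.168.0.13    192.168.0.1    DNS    74    Standard query 0x1a2b A www.example.com',
    '211    0.020000    2019-05-18 02:35:53,130159    192.168.0.1    192.168.0.13    DNS    90    Standard query response 0x1a2b A www.example.com A 198.51.100.10',
]

# columns are separated by a tab, or by two or more spaces when copied from the GUI
FIELD_SEP = re.compile(r"\t|\s{2,}")
# "Standard query 0xfa0b A amazon-399dfd5f2.local, ..." -> record type and name
QUERY_RE = re.compile(r"^Standard query 0x[0-9a-fA-F]+ ([A-Z]+) ([^\s,]+)")


def parse_line(line):
    """Split one packet-list line into its columns; return None if malformed."""
    fields = FIELD_SEP.split(line.strip())
    if len(fields) < 8:
        return None
    return {
        "no": int(fields[0]),
        "time": fields[2],
        "src": fields[3],
        "dst": fields[4],
        "proto": fields[5],
        "length": int(fields[6]),
        "info": " ".join(fields[7:]),
    }


def summarize(lines):
    """Count mDNS packets, mDNS bytes per source and queries per (source, name)."""
    total = 0
    mdns_packets = 0
    bytes_by_src = Counter()
    queries = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        total += 1
        if pkt["proto"] != "MDNS":
            continue
        mdns_packets += 1
        bytes_by_src[pkt["src"]] += pkt["length"]
        m = QUERY_RE.match(pkt["info"])
        if m:  # only questions, not responses, count as queries
            queries[(pkt["src"], m.group(2))] += 1
    return {
        "total_packets": total,
        "mdns_packets": mdns_packets,
        "mdns_bytes_by_src": bytes_by_src,
        "queries": queries,
    }


def top_query(summary):
    """Return the (source, name) pair asked most often, or None if no queries."""
    if not summary["queries"]:
        return None
    return summary["queries"].most_common(1)[0][0]


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(f'{s["mdns_packets"]} of {s["total_packets"]} packets are mDNS')
    for (src, name), n in s["queries"].most_common():
        print(f"{src} asked for {name} {n}x")
```

Run over a full export, the per-source byte counter shows which host actually carries the volume, and the query counter shows which name it keeps asking for; that is the information Marcos used to narrow the problem down to 192.168.0.212.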

4 hours ago, Marcos said:

What device is 192.168.0.212? There are many repetitive MDNS queries for "amazon-399dfd5f2.local", what is that?

Appears to be his Amazon TV Fire stick dongle attached to one of the TV's HDMI ports. It is used to stream broadcast downloads.


That's right. 192.168.0.212 is my personal Fire TV stick. 192.168.0.38 is a second Amazon device but not actively in use for a while. I didn't install any new apps on it and I couldn't remember that I initiated any large downloads per hour. Both are in sleep mode most of the day when the PC is running.

I might be wrong but if I see it right the hourly loop starts first with the PC booting into Windows. When I start a speed test in these first 5 minutes it's really bad. I haven't noticed this behaviour in the past.

Is there a way to stop this periodical high data transfer without cutting the device(s) from the network completely? And what I ask myself - why should my security software filter data received/sent out by the Amazon device? The PC is connected by LAN through a powerline bridge with no WLAN connectivity. I'm not an expert but it seems weird that there is direct communication.

Anyway - thanks for the given hints till now. Gives me new hope to find a solution.

Edit: 192.168.0.38 is a Fire TV Box, not a WLAN stick like the other one. The Box is connected to the router via LAN. Latest firmware, no special apps installed. 

Edited by Elerias

  • Administrators

We'll need a log from time when the communication occurs. The log you've provided basically doesn't show any other than MDNS communication generated by the TV stick. I'd suggest disconnecting it while generating the logs so that only relevant packets are recorded.


Refer to Eset's default firewall rules. 

Assuming you have made no modifications to those by changing default services settings, Eset's firewall doesn't monitor multicast DNS UDP traffic at all. That is: protocol is UDP, port is 5353, and IP address is 224.0.0.251. What it does monitor is link-local multicast UDP traffic; i.e. IP address 224.0.0.252.

Additionally, Eset's Web Filtering protection only monitors port 80/443 traffic as far as I am aware.

Therefore as I see it, Eset cannot be the cause of any external network slowdown activity that's routing its traffic via multicast DNS connection.

-EDIT- Another "tidbit" in regards to mDNS UDP port 5353 traffic is that it's used as a backup DNS mechanism if Windows has difficulties connecting using normal port 53 UDP DNS. Of course this implies that Microsoft can use it for its nefarious telemetry activities in Win 10. Again, the hourly activity element is a dead giveaway of Win 10 telemetry activities. I observed it also until I started using O&O Shutup 10 to block most of Win 10 telemetry.

Edited by itman

Sorry for not answering for a while. I was very busy and couldn't do any more tests. What I can say now is: There are no more lag spikes without the Amazon devices connected. Maybe something is buggy with their current firmware that causes this high-traffic behaviour. I don't remember when they updated last time. The temporary solution for me is to cut them off from power when I'm not watching TV. Besides this I'm using a better router with higher speed that lowers the problem to a bearable degree. I've also installed O&O 10, which is really a great tool. Thank you for this advice. Not to forget to thank Marcos for checking my logs.
