Fatih, posted October 10, 2019: For a couple of months now, ESET has been sending large amounts of data. In the last two hours, for example, it sent 238 MB and received 17MB. An ESET telephone support representative suggested that LiveGrid was sending suspicious files to ESET, but there was not much suspicious activity in the logs in the past two hours. Any ideas what is going on and what to do about it, before I go bankrupt with the service provider bills?
Marcos (Administrators), posted October 10, 2019: Please collect logs with ESET Log Collector and upload the generated archive here. Only ESET staff can access attachments. Do you compile a lot of new binaries on a regular basis on the machine?
Fatih, posted October 10, 2019: Thank you Marcos. No, I don't do any compilations on this machine. Log is attached. eis_logs.zip
Fatih, posted October 11, 2019: Hi Marcos, Any results from examining the logs?
Marcos (Administrators), posted October 11, 2019: You have the ESET LiveGrid Feedback system disabled according to the configuration. Have you disabled it just recently? We didn't find any sample submitted from your ESET. Do you use ESET's antispam in MS Outlook?
Fatih, posted October 11, 2019: I disabled it recently to see whether it reduces the outbound traffic; it didn't have any effect. Both an external network monitor and the ESET network connections tool show that ESET keeps sending information, somehow at a reduced rate: in the last 1 hour it sent 40MB, received 30 (apparently a module update). Recent normal is 100+MB/hour. I don't use Outlook.
Fatih, posted October 11, 2019: ESET is behaving strangely in other ways. Recently I tried to temporarily disable it, and I got a message saying it is dangerous because of a recent threat, but there was no such threat in the logs.
Marcos (Administrators), posted October 11, 2019:
12 minutes ago, Fatih said: "I disabled it recently to see whether it reduces the outbound traffic; it didn't have any effect. Both an external network monitor and the ESET network connections tool show that ESET keeps sending information, somehow at a reduced rate: in the last 1 hour it sent 40MB, received 30 (apparently a module update). Recent normal is 100+MB/hour. I don't use Outlook."
There are a few files in the charon folder which are about 9 MB in total. Not all files are necessarily submitted. After disabling the LG Feedback system, no new files should appear in that folder. Could you please send me the content of the C:\ProgramData\ESET\ESET Security\Charon folder and monitor its content for a while to confirm that no new files are created there?
Fatih, posted October 11, 2019: I don't see that folder. This is what I see:
Fatih, posted October 11, 2019: By the way, ESET traffic in two hours: 100MB sent, 60 MB received
Hpoonis, posted October 11, 2019:
3 minutes ago, Fatih said: "I don't see that folder. This is what I see:"
'ProgramData' not 'Program Files'
Fatih, posted October 11, 2019: A hidden folder in Windows 8.1. Here it is:
Fatih, posted October 11, 2019: There are no new files in Charon since I disabled LG feedback. Anyways, the amount of data put in Charon is nothing near what is being sent out by ESET. I UNDERSTAND WE HAVE A BIG PROBLEM IN OUR HANDS!!!!
Marcos (Administrators), posted October 11, 2019:
16 minutes ago, Fatih said: "There are no new files in Charon since I disabled LG feedback. Anyways, the amount of data put in Charon is nothing near what is being sent out by ESET. I UNDERSTAND WE HAVE A BIG PROBLEM IN OUR HANDS!!!!"
What do you mean? You have disabled ESET LiveGrid Feedback system, no new files are created in the charon folder (verify it with Procmon) and yet you claim that ESET is sending out files? Where do you see that ESET is sending out a lot of data?
Fatih, posted October 11, 2019: Yes Marcos, that is the problem... Attached is the screenshot from the ESET network connections tool. The statistics were reset on the 8th, I believe. So, two days' usage. Also see below the statistics from a network usage application.
Marcos (Administrators), posted October 11, 2019: Please provide us with the files from the Charon folder.
itman, posted October 11, 2019:
31 minutes ago, Fatih said: "Attached is the screenshot from the ESET network connections tool. The statistics were reset on the 8th, I believe. So, two days' usage. Also see below the statistics from a network usage application."
Eset monitors network traffic via an internal proxy. What may be possible here is that whatever app the OP is using to monitor network traffic is recording this proxy traffic?
Fatih, posted October 11, 2019: Hi Marcos, No diagnosis yet? Could it be that my ESET is hijacked?
Marcos (Administrators), posted October 11, 2019: As I wrote above, we're waiting for you to provide the content of the charon folder.
Fatih, posted October 11, 2019: Sorry, there was an answer. Windows network usage statistics show the same total traffic. So do my service provider bills... And this problem appeared a couple of months ago; I guess there was no synchronised change by independent parties in how traffic is measured.
Fatih, posted October 11, 2019: Sorry, I had missed that message. The files themselves... Attached. CACHE.zip
itman, posted October 11, 2019: I will also add that a count of 31 files in the Eset charon folder is unusual. In any case, those files should be deleted in short order after LiveGrid analysis. If the files remain in the charon folder, it reminds me of a LiveGrid synchronization issue I have encountered in the past with Eset. LiveGrid in essence goes into a "loop" and keeps sending those files over and over again. A network monitor like TCPView should show this activity by showing multiple connections for ekrn.exe open. In any case, the solution to the problem is to boot into safe mode and delete all files in the charon folder other than the cache.ndb file.
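The two checks requested in this thread (watching the Charon folder for file changes, and looking at the connections ekrn.exe holds open) can be sampled side by side. The PowerShell below is an added example, not part of any post and not ESET tooling; the folder path and process name come from the thread, while the sampling interval, sample count and function names are assumptions.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on Windows 8.1+.
# Folder path and process name are from the thread; interval and count are assumed.
$charon   = 'C:\ProgramData\ESET\ESET Security\Charon'
$interval = 60   # seconds between samples (assumption)
$samples  = 30   # number of samples (assumption)

function Get-CharonListing {
    param([string]$Path)
    # File name -> "size|last write time", so new and rewritten files both register.
    $map = @{}
    Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $map[$_.Name] = '{0}|{1:o}' -f $_.Length, $_.LastWriteTimeUtc }
    return $map
}

function Get-EkrnRemoteEndpoints {
    # Established TCP connections owned by ekrn.exe. Loopback peers are skipped
    # because that traffic never leaves the machine.
    $ekrnIds = @(Get-Process -Name ekrn -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
    if ($ekrnIds.Count -eq 0) { return }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { ($ekrnIds -contains $_.OwningProcess) -and
                       ($_.RemoteAddress -notin @('127.0.0.1', '::1')) } |
        ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort }
}

$before = Get-CharonListing -Path $charon
for ($i = 1; $i -le $samples; $i++) {
    Start-Sleep -Seconds $interval
    $now     = Get-CharonListing -Path $charon
    $changed = @($now.Keys    | Where-Object { $before[$_] -ne $now[$_] })
    $removed = @($before.Keys | Where-Object { -not $now.ContainsKey($_) })
    $remotes = @(Get-EkrnRemoteEndpoints)
    $stamp   = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    "$stamp  charon new/changed=$($changed.Count) removed=$($removed.Count)  ekrn remote connections=$($remotes.Count)"
    $changed | ForEach-Object { "    file: $_" }
    $remotes | Sort-Object -Unique | ForEach-Object { "    peer: $_" }
    $before = $now
}
```

The script counts files and connections, not bytes, so it complements rather than replaces the traffic counters already mentioned in the thread.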
Fatih, posted October 11, 2019: But with LG feedback disabled would ESET send anything at all?
Marcos (Administrators), posted October 11, 2019: By the way, you have a full version of Malwarebytes installed with all its protection modules and drivers running. Choose only 1 AV as the primary and the other one as a second-opinion scanner without any drivers loaded.
Fatih, posted October 11, 2019: Yes, I installed it recently in trying to find what was eating up my network resources. I had initially suspected a malware not caught by ESET, then it turned out to be ESET itself!!! I did not get an answer to my last question: With LG feedback disabled shouldn't ESET stop trying to send those files, hence not get into a loop at all? Network usage by ESET does not have the steady pattern of a loop, it is quite irregular. I will try the proposed solution anyway...