Fatih

ESET sending large amount of data

For a couple of months now, ESET has been sending large amounts of data. In the last two hours, for example, it sent 238 MB and received 17 MB.

An ESET telephone support representative suggested that LiveGrid was sending suspicious files to ESET, but there was not much suspicious activity in the logs in the past two hours.

Any ideas what is going on and what to do about it, before I go bankrupt with the service provider bills?


Please collect logs with ESET Log Collector and upload the generated archive here. Only ESET staff can access attachments. Do you compile a lot of new binaries on a regular basis on the machine?


You have the ESET LiveGrid Feedback system disabled according to the configuration. Have you disabled it just recently? We didn't find any sample submitted from your ESET.

Do you use ESET's antispam in MS Outlook?


I disabled it recently to see whether it reduces the outbound traffic; didn't have any effect.

Both an external network monitor and the ESET network connections tool show that ESET keeps sending information, somehow at a reduced rate: in the last 1 hour it sent 40 MB, received 30 (apparently a module update). Recent normal is 100+ MB/hour.

I don't use Outlook.


ESET is behaving strangely in other ways.

Recently I tried to temporarily disable it, and I got a message saying it is dangerous because of a recent threat, but there was no such threat in the logs.

ESET disable warn.png

12 minutes ago, Fatih said:

I disabled it recently to see whether it reduces the outbound traffic; didn't have any effect.

Both an external network monitor and the ESET network connections tool show that ESET keeps sending information, somehow at a reduced rate: in the last 1 hour it sent 40 MB, received 30 (apparently a module update). Recent normal is 100+ MB/hour.

I don't use Outlook.

There are a few files in the charon folder which are about 9 MB in total. Not all files are necessarily submitted. After disabling the LG Feedback system, no new files should appear in that folder.

Could you please send me the content of the C:\ProgramData\ESET\ESET Security\Charon folder and monitor its content for a while to confirm that no new files are created there?


By the way, ESET traffic in two hours: 100 MB sent, 60 MB received.

3 minutes ago, Fatih said:

I don't see that folder.

This is what I see:

[image]

'ProgramData' not 'Program Files'


There are no new files in Charon since I disabled LG feedback.

Anyways, the amount of data put in Charon is nothing near what is being sent out by ESET.

I UNDERSTAND WE HAVE A BIG PROBLEM IN OUR HANDS!!!!


16 minutes ago, Fatih said:

There are no new files in Charon since I disabled LG feedback.

Anyways, the amount of data put in Charon is nothing near what is being sent out by ESET.

I UNDERSTAND WE HAVE A BIG PROBLEM IN OUR HANDS!!!!

What do you mean? You have disabled ESET LiveGrid Feedback system, no new files are created in the charon folder (verify it with Procmon) and yet you claim that ESET is sending out files? Where do you see that ESET is sending out a lot of data?


Yes Marcos,

That is the problem...

Attached is the screenshot from the ESET network connections tool. The statistics were reset on the 8th, I believe. So, two days' usage.

Also see below the statistics from a network usage application.

[image]

eset nw usage 2019 10 10 1740.png

31 minutes ago, Fatih said:

Attached is the screenshot from the ESET network connections tool. The statistics were reset on the 8th, I believe. So, two days' usage.

Also see below the statistics from a network usage application.

Eset monitors network traffic via an internal proxy. What may be possible here is that whatever app the OP is using to monitor network traffic is recording this proxy traffic?


Hi Marcos,

No diagnosis yet?

Could it be that my ESET is hijacked?


Sorry, there was an answer.

Windows network usage statistics show the same total traffic.

So do my service provider bills...

And this problem appeared a couple of months ago. I guess there was no synchronised change by independent parties on how traffic is measured.


I will also add that a count of 31 files in the Eset charon folder is unusual. In any case, those files should be deleted in short order after LiveGrid analysis.

If the files remain in the charon folder, it reminds me of a LiveGrid synchronization issue I have encountered in the past with Eset. LiveGrid in essence goes into a "loop" and keeps sending those files over and over again. A network monitor like TCPView should show this activity by showing multiple connections open for ekrn.exe.

In any case, the solution to the problem is to boot into safe mode and delete all files in the charon folder other than the cache.ndb file.


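The two checks suggested in this thread (watching the Charon folder for new files, and looking for multiple open ekrn.exe connections) can be sampled together over time. The following PowerShell is an added example, not part of any post and not ESET tooling; the folder path, `cache.ndb` and `ekrn.exe` come from the thread, while the sampling interval, sample count and output file name are assumptions, and it assumes an elevated prompt that is allowed to list the folder.

```powershell
# Added example: sample the Charon folder and ekrn.exe TCP connections side by side.
$charon   = 'C:\ProgramData\ESET\ESET Security\Charon'   # path quoted in the thread
$interval = 60                        # seconds between samples (assumed)
$samples  = 30                        # number of samples to take (assumed)
$outFile  = '.\ekrn-charon-log.csv'   # hypothetical output file name

function Get-CharonSnapshot {
    # All files in the folder except cache.ndb, which the thread says to keep
    Get-ChildItem -LiteralPath $charon -File -Force -ErrorAction SilentlyContinue |
        Where-Object Name -ne 'cache.ndb' |
        Select-Object Name, Length, LastWriteTime
}

function Get-EkrnConnections {
    # Established TCP connections owned by the ekrn.exe process
    $ekrnIds = @((Get-Process -Name ekrn -ErrorAction SilentlyContinue).Id)
    if ($ekrnIds.Count -eq 0) { return @() }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $ekrnIds -contains $_.OwningProcess }
}

# Baseline: remember what is already in the folder
$known = @{}
Get-CharonSnapshot | ForEach-Object { $known[$_.Name] = $_.LastWriteTime }

1..$samples | ForEach-Object {
    Start-Sleep -Seconds $interval
    $files = @(Get-CharonSnapshot)
    # New files, or known files whose timestamp changed since the last sample
    $changed = @($files | Where-Object {
        -not $known.ContainsKey($_.Name) -or $known[$_.Name] -ne $_.LastWriteTime
    })
    $files | ForEach-Object { $known[$_.Name] = $_.LastWriteTime }
    $conns = @(Get-EkrnConnections)

    [pscustomobject]@{
        Time            = Get-Date -Format s
        CharonFiles     = $files.Count
        CharonBytes     = ($files | Measure-Object Length -Sum).Sum
        NewOrChanged    = ($changed.Name -join ', ')
        EkrnConnections = $conns.Count
        RemoteEndpoints = (($conns | ForEach-Object {
            "$($_.RemoteAddress):$($_.RemotePort)" } | Sort-Object -Unique) -join ' ')
    }
} | Export-Csv -Path $outFile -NoTypeInformation
```

The resulting CSV shows whether files persist or reappear in the folder and how many connections ekrn.exe holds open at each sample; it does not measure bytes sent, so the byte totals still have to come from the network monitor.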
But with LG feedback disabled, would ESET send anything at all?


By the way, you have a full version of Malwarebytes installed with all its protection modules and drivers running. Choose only 1 AV as the primary and the other one as a second-opinion scanner without any drivers loaded.

image.png


Yes, I installed it recently in trying to find what was eating up my network resources. I had initially suspected a malware not caught by ESET, then it turned out to be ESET itself!!!

I did not get an answer to my last question: With LG feedback disabled, shouldn't ESET stop trying to send those files, hence not get into a loop at all?

Network usage by ESET does not have the steady pattern of a loop, it is quite irregular.

I will try the proposed solution anyway...
