itman 1,659 Posted October 11, 2019 Share Posted October 11, 2019 You have another thread active to the effect that you can't install Eset. Do you have multiple PC's? One with Eset installed with this issue and another where you can't install Eset? Link to comment Share on other sites More sharing options...
Fatih 0 Posted October 11, 2019 Author Share Posted October 11, 2019 It is not me. Apparently that one is Faith; I am Fatih. "t" and "i" in different places. Funny coincidence though For a moment I was alarmed, then i realized its not my name. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted October 12, 2019 Administrators Share Posted October 12, 2019 1, Only files in the Charon folder may be submitted to ESET's LiveGrid servers, if accepted. 2, Throughout this year we've received about 20 suspicious files from you. Are you able to reproduce the situation when ekrn seems to be sending out a lot of data? If so, please post a screen shot of the Network connections screen with ekrn visible and communication details expanded so that we can see the communication server. Link to comment Share on other sites More sharing options...
itman 1,659 Posted October 12, 2019 Share Posted October 12, 2019 6 hours ago, Marcos said: If so, please post a screen shot of the Network connections screen with ekrn visible and communication details expanded so that we can see the communication server. Screen shot here shows 448 MB of data being sent by ekrn.exe although the Eset receiving IP address is not shown: https://forum.eset.com/topic/21131-eset-sending-large-amount-of-data/?do=findComment&comment=102815 . In any case, that is an unusually large amount of data to be uploaded in what appears to be a relatively short period of time. Another possible source here is Eset Customer Improvement option which I have disabled. Link to comment Share on other sites More sharing options...
Fatih 0 Posted October 12, 2019 Author Share Posted October 12, 2019 Here is the screenshot. But the amount of traffic with the detailed address is negligible as far as I can see?? Link to comment Share on other sites More sharing options...
itman 1,659 Posted October 12, 2019 Share Posted October 12, 2019 Do files other than cache.ndb still exist in the Eset Charon folder? Link to comment Share on other sites More sharing options...
Fatih 0 Posted October 12, 2019 Author Share Posted October 12, 2019 I just deleted them 10 minutes ago and so far ekrn seems to have shot up! Link to comment Share on other sites More sharing options...
Fatih 0 Posted October 12, 2019 Author Share Posted October 12, 2019 Yes it has shot up... Link to comment Share on other sites More sharing options...
itman 1,659 Posted October 12, 2019 Share Posted October 12, 2019 (edited) Download TCPView from here: https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview . Unzip it and run tcpview.exe from the unzipped folder. This will show all active network connections including those from ekrn.exe. Let it run for a few minutes and then post a screen shot of what it shows. Edited October 12, 2019 by itman Link to comment Share on other sites More sharing options...
Purpleroses 21 Posted October 12, 2019 Share Posted October 12, 2019 (edited) I got a quick question about this. Under Network Connections under Eset I don't see the ekrn.exe. Should it be listed because I don't see it there when I go to Network Connections? Edited October 12, 2019 by Purpleroses Link to comment Share on other sites More sharing options...
itman 1,659 Posted October 12, 2019 Share Posted October 12, 2019 33 minutes ago, Purpleroses said: I got a quick question about this. Under Network Connections under Eset I don't see the ekrn.exe. Should it be listed because I don't see it there when I go to Network Connections? That is because under normal usage, Eset ekrn.exe network activity is predominately internal UDP proxy based. Right mouse click on the Eset Network Connections screen and remove the checkmark for "Show only TCP connections." Now all TCP and UDP connection activity will be shown. Link to comment Share on other sites More sharing options...
Fatih 0 Posted October 12, 2019 Author Share Posted October 12, 2019 In the sense it is not talking much... Link to comment Share on other sites More sharing options...
Fatih 0 Posted October 12, 2019 Author Share Posted October 12, 2019 ekrn has sent only 305kB in the last hour. Solved, no need for TCPView I guess... Link to comment Share on other sites More sharing options...
itman 1,659 Posted October 12, 2019 Share Posted October 12, 2019 30 minutes ago, Fatih said: ekrn has sent only 305kB in the last hour. Solved, no need for TCPView I guess... Appears deleting files in Charon folder did the trick as I suspected it would. Keep TCPView around in case the activity manifests again. Link to comment Share on other sites More sharing options...
Fatih 0 Posted October 12, 2019 Author Share Posted October 12, 2019 Thank you & Marcos for finally solving the problem. One cannot help wonder why ESET does not fix this problem if it was encountered before... It may not be a frequently encountered problem, but it is costly to the ESET user when it does happen. It cost me a lot of money in service provider bills and a lot of workdays of time. ESET can at least inform support teams better. I had 4 telephone & remote connection sessions with ESET Turkey trying to convince me there was nothing wrong with my system... Thanks again... Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted October 12, 2019 Administrators Share Posted October 12, 2019 Quote One cannot help wonder why ESET does not fix this problem if it was encountered before... It was not encountered before. It is actually very weird that deleting the content of the charon folder fixed it since the size of the files in the folder was quite small and the files would have been deleted automatically after being submitted or refused by ESET's servers. Link to comment Share on other sites More sharing options...
itman 1,659 Posted October 12, 2019 Share Posted October 12, 2019 (edited) Here's a recap on the issue. It has not occurred for some time on recent Eset IS versions for sometime thankfully. So my memory is a bit "foggy" on the exact details. This LiveGrid "looping" appears to be triggered by a large number of Eset detections present in the C:\ProgramData\ESET\ESET Security\Charon directory. That in itself is problematic since the malware or suspects should have been detected by Eset upon download. So assume that these detection's were a result of the files being present prior to an Eset first install. The LiveGrid "looping" is best described as Eset LiveGrid continuous sending the same files in the Charon directory. Normally LiveGrid will upload these files once and sometime later remove these files after examination has been performed on the Eset servers. What I believe triggers the continuous loop sending is some type of disruption in either the local network connnection or on the Eset server side while the file upload transmission is occurring. At this point, LiveGrid just keeps sending the same files over and over again on the local device side. LiveGrid on the Eset server side keeps deleting the files upon receipt since they have already been sent. Hence we are in a continuous transmission loop scenario. My guess is the slower your network adapter connection speed, the higher the possibility of the connection dropping in progress or getting borked in some way. Edited October 12, 2019 by itman Link to comment Share on other sites More sharing options...
itman 1,659 Posted October 12, 2019 Share Posted October 12, 2019 8 minutes ago, Marcos said: It was not encountered before. I posted about this a while back. I searched for my old postings but appears they have been deleted. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted October 13, 2019 Administrators Share Posted October 13, 2019 9 hours ago, itman said: I posted about this a while back. I searched for my old postings but appears they have been deleted. We do not delete any posts unless they are inappropriate, e.g. if they are offending, spam, etc. Posts are archived after 1 month if I remember correctly which prevents them from being searched using the forum search engine, however, they can be found via other search engines, such as Google. This is something we would like to address with the forum service provider since the search function is fundamental for users. Regarding files in the charon folder, it doesn't mean that all files in the folder will ever be submitted. I'd estimate that only a small portion of files be actually submitted and the other refused by LiveGrid servers, e.g. because they were already submitted by another user before. After submitting or rejecting a file, the file is deleted from the charon folder. Link to comment Share on other sites More sharing options...
Fatih 0 Posted October 13, 2019 Author Share Posted October 13, 2019 Nothing to argue really; the fact that ITMan solved the problem in one shot based on previous experience shows that it is not the first time it has occurred. This PC has been protected by ESET since the first day, as far as İ remember. The least that can be (and should have been really) done i think is to detect on the server side anomalies such as a client sending the same files over and over again... Thank you again ITMan Link to comment Share on other sites More sharing options...
itman 1,659 Posted October 13, 2019 Share Posted October 13, 2019 (edited) 7 hours ago, Marcos said: Posts are archived after 1 month if I remember correctly which prevents them from being searched using the forum search engine, however, they can be found via other search engines, such as Google. Here's my old posting which is a bit long: https://forum.eset.com/topic/15032-changed-livegrid-behavior-under-ver-11142/ Within this posting are TCPView screen shots clearly showing the multiple ekrn.exe outbound TCP connections to Eset LiveGrid servers. As noted toward the end of this thread, the only resolution for me to this issue at that time was to perform a Win 10 full network reset. -EDIT- As I recollect the problem did reoccur once or twice after this time and clearing the Charon folders of files worked every time. I can't recollect the issue occurring again on ver. 12. Edited October 13, 2019 by itman Link to comment Share on other sites More sharing options...
Fatih 0 Posted October 13, 2019 Author Share Posted October 13, 2019 So the success came easy today because of hard work in the past Link to comment Share on other sites More sharing options...
Fatih 0 Posted October 13, 2019 Author Share Posted October 13, 2019 No relief... Now my monitor shows 40 MB, Windows 100MB usage. The monitor is tracking only TCP? TCPView shows several UDP connections by ekrn. Could it be continuing to send data... Link to comment Share on other sites More sharing options...
itman 1,659 Posted October 13, 2019 Share Posted October 13, 2019 (edited) 6 hours ago, Fatih said: TCPView shows several UDP connections by ekrn. Could it be continuing to send data... No. Those ekrn.exe UDP connections are for internal connection monitoring only. The question is why so many though? Normal Eset UDP connection activity is for: One for localhost; i.e. 127.0.0.1 One for IPv4 proxy; i.e. 0.0.0.0 One for IPv6 proxy; i.e. 0:0:0:0:0:0:0:0. This one only applies if you're using IPv6 and usually disappears a short time after boot time. However, this one might remain permanent if you have a "true" IPv6 router and not a "hacked IPv6 in firmware" IPv4 router such as my present AT&T provided one is. The misbehaving LiveGrid behavior is evidenced by multiple outbound TCP ekrn.exe connections to Eset LiveGrid servers; the domain begins with tsmxx. where xx = 01 - 99. Again refer to the screen shots for TCPView from the forum link I posted previously. My best guess as to what is "eating up" your network bandwidth presently is FireFox. My best guess as to what is "eating up" your network bandwidth presently is FireFox. Also suspect on your screen shot is the explorer.exe connection using port 6543. That port is registered to the Pylons project #Pyramid: https://www.wikiwand.com/en/Pylons_project#/Pyramid . Why anything python based would be employing explorer.exe is suspicious to me. Also it is not normal activity to have explorer.exe establishing an outbound connection. Edited October 13, 2019 by itman Link to comment Share on other sites More sharing options...
Fatih 0 Posted October 14, 2019 Author Share Posted October 14, 2019 Thank you so much ITMan, The application I use to track network usage captures Firefox activity quite accurately I believe. The strange thing was the divergence between what that application showed and what windows indicated. The divergence appeared several hours after I had logged in. I had left the PC unattended for a while; apparently it restarted by itself. There were changes like the network usage monitor was not on the startup tray, ESET network usage statistics had been reset, and there was a big jump in network usage indicated in Windows - not reflected network usage monitor. (The company says it may miss traffic from "UWP apps" - as far as i know i don't have any ) Anyway, it seems that it was a one time event; so far windows is not indicating activity not captured by the monitor. The steady network usage problem seems to have been solved thanks to you. Putting everything together, I think we have 3 issues at hand: 1- A suspicious event: A non user initiated restart accompanied by some changes in the device and network activity not captured by the network monitor. 2- Apparently unusual ekrn activity. Today there are fewer ekrn connections:4. Screenshot attached. I am trying to find out whether my router is "true IPv6" 3- And double thank you for it; suspicious activity by explorer.exe. Since this pc has been protected by ESET since birth, I guess all for are in ESET area. So I would appreciate comments from the ESET establishment as well. Link to comment Share on other sites More sharing options...
Recommended Posts