Jump to content

ESET outgoing connections?

Sharman
 Share

Recommended Posts

Sharman

Sharman 0

Posted
Posted

Hi 

I am currently investigating / evaluating a product for a new client of mine. We are currently managing and checking all outgoing connections from all types of software running on their network.
I want to know what the ekrn.exe process is doing when it connects to the following IP addresses.

One of the machines on the network is connecting to the following IP addresses on a daily basis.

Eset IP Address investigation: -

Unsafe connection to 91.228.167.87 (91.228.167.87). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.167.137 (91.228.167.137). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.167.103 (91.228.167.103). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.167.43 (91.228.167.43). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.166.45 (91.228.166.45). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.165.44 (91.228.165.44). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.166.52 (91.228.166.52). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.167.46 (91.228.167.46). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 38.90.226.12 (38.90.226.12). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 38.90.226.13 (38.90.226.13). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2332
Unsafe connection to 38.90.226.11 (38.90.226.11). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2332
Unsafe connection to 91.228.167.86 (91.228.167.86). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2332

I understand that the ekrn.exe is a component of ESET Smart Security, I want to understand what it is actually doing when it connects to these IP addresses - what informatin is being send or received?

The genuine ekrn.exe file is a software component of ESET Smart Security by ESET. ESET Smart Security is an Internet Security Suite that protects computers against malicious programs. Ekrn.exe runs a core kernel driver associated with the ESET Smart Security.

Thanks

Sharman

Link to comment
Share on other sites
  • Most Valued Members
peteyt

peteyt 393

Posted
  • Most Valued Members
Posted

It seems to be part of the online reputation database (ESET Live Grid). Why it is being blocked as unsafe I'm not sure though

Link to comment
Share on other sites
Sharman

Sharman 0

Posted
  • Author
Posted (edited)

Thanks for the response @Marcos, I will white list these IP addresses.

@peteyt, the "blocked as unsafe" message is from the app I am evaluating "Blackfog". The IP range has been marked as suspicious because of some of the settings (Geo-fencing) within the application. 

I'm just trying to be as thorough as possible.
I asked that question to Blackfog support - they sent me the links below: -

 

These are the weird IP's that ekm.exe tries to connect to. They are Eset servers, but why do AV's mark them "malicious" ?

91.228.166.xx ( various last digits)

https://hybrid-analysis.com/sample/eb4a7cffa9db131de89e1d4ad60ee5802bae41c0022a138413c2dd63d31a0654?environmentId=120  


38.90.226.13 ( various last digits)

https://hybrid-analysis.com/sample/eb4a7cffa9db131de89e1d4ad60ee5802bae41c0022a138413c2dd63d31a0654?environmentId=120  

Edited by Sharman
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...