Sharman 0 Posted June 27, 2020

Hi

I am currently investigating / evaluating a product for a new client of mine. We are currently managing and checking all outgoing connections from all types of software running on their network. I want to know what the ekrn.exe process is doing when it connects to the following IP addresses. One of the machines on the network is connecting to the following IP addresses on a daily basis.

ESET IP address investigation:

Unsafe connection to 91.228.167.87 (91.228.167.87). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.167.137 (91.228.167.137). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.167.103 (91.228.167.103). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.167.43 (91.228.167.43). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.166.45 (91.228.166.45). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.165.44 (91.228.165.44). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.166.52 (91.228.166.52). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 91.228.167.46 (91.228.167.46). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 38.90.226.12 (38.90.226.12). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 38.90.226.13 (38.90.226.13). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2332
Unsafe connection to 38.90.226.11 (38.90.226.11). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2332
Unsafe connection to 91.228.167.86 (91.228.167.86). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2332

I understand that ekrn.exe is a component of ESET Smart Security. I want to understand what it is actually doing when it connects to these IP addresses - what information is being sent or received?
The genuine ekrn.exe file is a software component of ESET Smart Security by ESET. ESET Smart Security is an Internet Security Suite that protects computers against malicious programs. Ekrn.exe runs a core kernel driver associated with ESET Smart Security.

Thanks
Sharman
Administrators Marcos 4,838 Posted June 27, 2020

You can check the IP addresses here: https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall
Most Valued Members peteyt 373 Posted June 27, 2020

It seems to be part of the online reputation database (ESET LiveGrid). Why it is being blocked as unsafe I'm not sure though.
Sharman 0 Posted June 28, 2020 Author

Thanks for the response @Marcos, I will whitelist these IP addresses.

@peteyt, the "blocked as unsafe" message is from the app I am evaluating, "Blackfog". The IP range has been marked as suspicious because of some of the settings (geo-fencing) within the application. I'm just trying to be as thorough as possible.

I asked that question to Blackfog support - they sent me the links below:

These are the weird IPs that ekrn.exe tries to connect to. They are ESET servers, but why do AVs mark them "malicious"?

91.228.166.xx (various last digits) https://hybrid-analysis.com/sample/eb4a7cffa9db131de89e1d4ad60ee5802bae41c0022a138413c2dd63d31a0654?environmentId=120
38.90.226.13 (various last digits) https://hybrid-analysis.com/sample/eb4a7cffa9db131de89e1d4ad60ee5802bae41c0022a138413c2dd63d31a0654?environmentId=120

Edited June 28, 2020 by Sharman
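The check Marcos suggests (compare each flagged destination against the vendor's published address list) and the allow-listing Sharman describes are easy to get wrong when done by hand over a dozen log lines, so here is an added example of doing it mechanically. This is editor-supplied example code, not part of the thread and not ESET's or Blackfog's own tooling. The log lines are copied from the first post plus two constructed ones (a TEST-NET address and an unusual port) to exercise the failure paths; the CIDR ranges, the expected process name and the expected ports are placeholders that you must replace with the entries from the KB article for the product actually deployed.

```python
import ipaddress
import re

# Constructed sample input: three Blackfog lines quoted in the post above, plus two
# lines made up for this example (203.0.113.7 is a TEST-NET-3 address; port 8080 is
# not what the quoted log shows). Nothing here is a real observed connection.
SAMPLE_LOG = """\
Unsafe connection to 91.228.167.87 (91.228.167.87). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2392
Unsafe connection to 38.90.226.13 (38.90.226.13). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2332
Unsafe connection to 91.228.167.86 (91.228.167.86). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2332
Unsafe connection to 203.0.113.7 (203.0.113.7). Blocking. Process -> ekrn.exe Port -> 80 PID -> 2332
Unsafe connection to 91.228.165.44 (91.228.165.44). Blocking. Process -> ekrn.exe Port -> 8080 PID -> 2392
"""

# ASSUMED placeholders for this example. Replace with the ranges, process names and
# ports listed in the vendor KB article before using this against real logs.
VENDOR_RANGES = [ipaddress.ip_network(n) for n in ("91.228.164.0/22", "38.90.226.0/24")]
EXPECTED_PROCESSES = {"ekrn.exe"}
EXPECTED_PORTS = {80, 443}

# Matches the exact line shape shown in the post; anything else is ignored by parse_line.
LINE_RE = re.compile(
    r"Unsafe connection to (?P<ip>[\d.]+) \([\d.]+\)\. Blocking\. "
    r"Process -> (?P<proc>\S+) Port -> (?P<port>\d+) PID -> (?P<pid>\d+)"
)


def parse_line(line):
    """Return a dict with ip/proc/port/pid for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ip": ipaddress.ip_address(m["ip"]),
        "proc": m["proc"],
        "port": int(m["port"]),
        "pid": int(m["pid"]),
    }


def classify(event):
    """Return the list of reasons an event does NOT match the documented profile.

    An empty list means destination, process and port all agree with the allow-list,
    i.e. the block is a false positive against documented vendor traffic.
    """
    reasons = []
    if not any(event["ip"] in net for net in VENDOR_RANGES):
        reasons.append("ip outside documented ranges")
    if event["proc"].lower() not in EXPECTED_PROCESSES:
        reasons.append("unexpected process")
    if event["port"] not in EXPECTED_PORTS:
        reasons.append("unexpected port")
    return reasons


def triage(log_text):
    """Split log lines into (documented, review) lists of (event, reasons) pairs."""
    documented, review = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        (review if reasons else documented).append((ev, reasons))
    return documented, review


def allowlist_rules(documented):
    """Collapse documented events to the CIDR ranges that cover them.

    Allow-listing the documented range rather than each observed /32 keeps the rule
    valid when the vendor rotates backend addresses inside the same block.
    """
    rules = set()
    for ev, _ in documented:
        for net in VENDOR_RANGES:
            if ev["ip"] in net:
                rules.add(f"allow {ev['proc']} -> {net} tcp/{ev['port']}")
    return sorted(rules)


if __name__ == "__main__":
    doc, rev = triage(SAMPLE_LOG)
    print(f"{len(doc)} events match the documented profile; {len(rev)} need review")
    for ev, reasons in rev:
        print(f"  REVIEW pid={ev['pid']} {ev['proc']} -> {ev['ip']}:{ev['port']}  ({', '.join(reasons)})")
    for rule in allowlist_rules(doc):
        print("  " + rule)
```

Two things worth noting when running this against real data: a process name match on its own is weak evidence, because any binary can be named ekrn.exe, so the destination range and port are the checks that carry weight; and the two PIDs in the quoted log (2392 and 2332) simply show the service was restarted between samples, not two different programs.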