paragon55

Strange "device" showing only with ESET Home Monitor


As the title says, only ESET Connected Home Monitor seems to be finding this "device". I have tried many other ways to see it but nothing else can find it. Because of this it makes me believe it's just an error or something to do with ESET itself.

The "device" shows as different things sometimes, but a common one is "edge-mqtt-shv-01-any2" or "edge-mqtt-shv-01-any2.facebook.com" and the IP is the same as my local computer (10.0.0.xxx) but sometimes it's a different IP which can be looked up as Facebook Ireland and sometimes Google. Makes no sense to me. The MAC address is always the same, being 00-11-22-AB-CD-EE - CIMSIS Inc

Sometimes there will be an icon saying it is running network services (port 445, SMB 2), shown in the attached screenshots.

ESET sees it at random times during the day, doesn't seem to be specific and nothing I do seems to trigger it.

Any ideas?

Image1.PNG

Image2.PNG


The reference to CIMSYS Inc is weird, it seems to be a really small Korean company:

Cimsys Inc is a semiconductors company based out of 1831 E 71st St, Tulsa, Oklahoma, United States.
Company size: 1-10 employees

At https://forums.att.com/conversations/att-internet-features/is-this-a-loop-or-is-someone-trying-to-get-into-my-network/5e43a9a1c17a06619164ea04 I found: All mac addresses beginning with 00-11-22 belong to the owner Cimsys Inc in #301, Sinsung-Clean Bldg, 140, Nongseo-Ri, Kiheung-Eup Yongin-City Kyunggi-Do 449-711 Korea.

 
Please enable advanced logging under Help and support -> Details for technical support and then run a network scan with CHM. Next disable logging and collect logs with Log Collector. When done, upload the generated archive along with the file C:\ProgramData\ESET\ESET Security\homenet.dat here. Maybe it will shed more info.
 


My best guess is this is related to Facebook tracking: https://www.henrirantanen.fi/2019/01/05/stop-facebook-tracking/ .

Troublesome is the port 445 SMB2 protocol reference which could imply some type of worm use to harvest data from the entire network. The first step here is to see if port 445 is open on the router. Go here: https://www.grc.com/shieldsup and run the Common ports test. Report back on the status of port 445.

Edited by itman


As far as this goes:

15 hours ago, paragon55 said:

The MAC address is always the same, being 00-11-22-AB-CD-EE - CIMSIS Inc

Refer to this thread: https://forum.netgate.com/topic/152536/arp-00-11-22-ab-cd-ee-is-using-my-ip-address/2

Quote

So, it turns out my wife's company uses some L2 VPN and due to a server misconfiguration, I was seeing the vpn client on her laptop misbehave. She raised a ticket with their IT and the rest is beyond our control.

As far as the issue in my network, after turning off the ISP router's wifi and putting all our devices behind pfsense box, I'm not seeing those issues any more.

Phew! The moment I was about to turn off the capture I saw the smoking gun. I was almost getting ready to call the device malicious and return it.

 

Edited by itman

50 minutes ago, itman said:

My best guess is this is related to Facebook tracking: https://www.henrirantanen.fi/2019/01/05/stop-facebook-tracking/ .

Troublesome is the port 445 SMB2 protocol reference which could imply some type of worm use to harvest data from the entire network. The first step here is to see if port 445 is open on the router. Go here: https://www.grc.com/shieldsup and run the Common ports test. Report back on the status of port 445.

Here is a screenshot of relevant ports on that test. All other tests on the site say Stealth (pass) also. I know that port 445 is open on my computer though, if it matters.

Image1.PNG

Image2.PNG

Image3.PNG


Additional reference here:

Quote

I have the public hot spot turned off. It's been several weeks since I first posted that question. The stalker continues the attacks but I have figured out that it's automated, precisely 1:01 a.m. & 7:01 a.m. He will usually use the default router IP address & the same description but thanks to my Fingbox, I can see the difference. I used to be able to block it in the router interface, as well as Fingbox, but he caught onto that and changed the MAC address to a generic 00:11:22:AB:CD:EE. Occasionally he'll try using the IP address of my Echo Show or other ones like my iPhone but the MAC address & vendor stays the same, as does the OS, so it's still blocked. Burning question for me is how does he connect to my network in the first place when I have a strong VPN, hidden network name, Xfinity's so-called "Advanced Security" which is supposed to protect against such things? Never mind, that's probably a stupid question.

https://community.fing.com/discussion/2486/blocking-a-previously-blocked-device

 


Assumed here is the CIMSYS reference is to some type of network hardware device that existed at some time. As noted here: https://macaddress.webwat.ch/vendor/CIMSYS_Inc , there was a driver for whatever this is. Note that the driver download link is no longer valid. This does not however imply that somehow the driver is currently being used maliciously.

You might want to check your Windows driver directory for any recent driver; i.e. .sys, file creations and anything related to CIMSYS.


I should mention the only reason this sparked some interest is because only ESET CHM so far has detected it. I tried other ways to see it (Avast, AVG, TrendMicro and other IP scanner utilities) but only ESET has ever found anything. This almost leads me to believe it's just a problem with ESET CHM somehow.


It also appears that the CIMSYS reference might be related to a driver for Bluetooth devices: https://escrutgers.com/cimsys-bluetooth-15/

In Windows, open Control Panel -> Hardware and Sound -> Devices and Printers and see if anything related to CIMSYS is shown. Likewise using Device Manager, look for unknown devices and what driver those devices are using.

11 minutes ago, paragon55 said:

This almost leads me to believe it's just a problem with ESET CHM somehow.

You can download the portable version of this: https://www.nirsoft.net/utils/wireless_network_watcher.html, i.e. the ZIP file download, and see if the CIMSYS device shows.

Edited by itman

11 minutes ago, itman said:

It also appears that the CIMSYS reference might be related to a driver for Bluetooth devices: https://escrutgers.com/cimsys-bluetooth-15/

In Windows, open Control Panel -> Hardware and Sound -> Devices and Printers and see if anything related to CIMSYS is shown. Likewise using Device Manager, look for unknown devices and what driver those devices are using.

Interesting because I have been using some Bluetooth devices recently (USB Bluetooth keys for a controller). I don't have them currently plugged in but I did install some drivers for them, although I uninstalled the drivers after removing the device so, not sure?

I also currently use a 2.4 GHz wireless gaming controller which is directly plugged into the PC. Although no idea how to check any information on that.

Edited by paragon55


It was gone for a while but now ESET detected it again, as shown in the screenshot.

 

Image1.PNG


IP address 172.253.63.199 is Google:

Quote

Hierarchical analysis of the entity  172.253.63.188

whois:  Google LLC (GOGL)

route : 172.253.63.0/24

bgp:  AS15169

asname:  Google Google, Inc

descr:  Google

 location:  Mountain View, United States

Pondering this a bit more, "my money is on" this is a Bluetooth device connection.

Eset HCM is detecting it whenever the device establishes a connection on your Wi-Fi router. When the device disconnects from your router, the connection disappears. The source device could be within your premises. Or if your Wi-Fi connection on the router is not properly secured, it can be any device within range of your Wi-Fi router such as your neighbors or a Wardriveby: https://en.wikipedia.org/wiki/Wardriving

Edited by itman

26 minutes ago, itman said:

IP address 172.253.63.199 is Google:

Pondering this a bit more, "my money is on" this is a Bluetooth device connection.

Eset HCM is detecting it whenever the device establishes a connection on your Wi-Fi router. When the device disconnects from your router, the connection disappears. The source device could be within your premises. Or if your Wi-Fi connection on the router is not properly secured, it can be any device within range of your Wi-Fi router such as your neighbors or a Wardriveby: https://en.wikipedia.org/wiki/Wardriving

I have checked all my modem settings including changing the passwords to more secure ones and upping the firewall level also. Why would ESET only be able to see this and literally nothing else I've tried can, though? That's the puzzling part.

1 hour ago, paragon55 said:

Why would ESET only be able to see this and literally nothing else I've tried can, though? That's the puzzling part.

The first question is if Eset is showing a firewall alert when one of these connections is established? Try setting Eset new network detection to "Ask user" as shown below. Hopefully this might shed some light on the device being used.

Eset_New_Network.thumb.png.0953d875508ff453f12ac050cfb27e86.png

Edited by itman

10 minutes ago, itman said:

The first question is if Eset is showing a firewall alert when one of these connections is established? Try setting Eset new network detection to "Ask user" as shown below. Hopefully this might shed some light on the device being used.

I have it set like that and yes I do get a pop-up saying a device connected when it happens but nothing further.

4 minutes ago, paragon55 said:

yes I do get a pop-up saying a device connected when it happens but nothing further.

If this is the alert:

KB6268_Fig2-1.png

Click on "View device" to see device details about the new connection.

9 minutes ago, itman said:

If this is the alert:

KB6268_Fig2-1.png

Click on "View device" to see device details about the new connection.

Yes, that's it, and when I click it that's how I obtain the above details.

1 minute ago, paragon55 said:

Yes, that's it, and when I click it that's how I obtain the above details.

And just what are the details? Preferably shown in a screen shot.

1 minute ago, itman said:

And just what are the details? Preferably shown in a screen shot.

Not much and it seems to vary but right now it's showing (blacked out computer and network name for privacy)

 

Image1.png


Is 10.0.0.220 your router's IP address? That's what it looks like to me.

Next, in regards to the MAC address of your router. I assume it is not 10-11-22-AB-CD-EF.

It really appears that some type of MAC spoofing: https://en.wikipedia.org/wiki/MAC_spoofing is being performed against your router. This is what triggered the Eset alert since, as far as Eset is concerned, this is a new device to it. As the Wikipedia article notes:

Quote

However, many drivers allow the MAC address to be changed.

As such, it really is starting to look like you have a malicious driver installed.

Additional possibilities are:

Quote

Identity masking

If a user chooses to spoof their MAC address in order to protect the user's privacy,[citation needed] this is called identity masking. One might wish to do this because, as an example, on a Wi-Fi network connection a MAC address is not encrypted. Even the secure IEEE 802.11i-2004 (WPA) encryption method does not prevent Wi-Fi networks from sending out MAC addresses.[citation needed] Hence, in order to avoid being tracked, the user might choose to spoof the device's MAC address. However, hackers use the same technique to maneuver around network permissions without revealing their identity. Some networks use MAC filtering in order to prevent unwanted access. Hackers can use MAC spoofing to get access to a particular network and do some damage. Hackers' MAC spoofing pushes the responsibility for any illegal activity onto authentic users. As a result, the real offender may go undetected by law enforcement.[citation needed]

MAC Address Randomization in WiFi

To prevent third parties from using the MAC address to track devices, Android, Linux, iOS, and Windows[5] have implemented MAC address randomization. In June 2014, Apple announced that future versions of their iOS platform would randomize MAC addresses for all WiFi connections. The Linux kernel has supported MAC address randomization during network scans since March 2015,[6] but drivers need to be updated to use this feature.[7] Windows has supported it since the release of Windows 10[5] in July 2015.

The strong possibility is Win 10 is doing the above MAC address randomization and Eset is misidentifying this activity as a new network connection. 

BTW - this has nothing to do with Eset Home Connection Monitor per se. It's Eset Network Protection that is detecting a new network connection.

Edited by itman
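
A triage sketch for the address discussed in this thread, added here as an example and not posted by any participant: it parses Windows `arp -a` output and flags entries that claim the host's own IP, map to several IPs, look hand-patterned, or carry the locally administered bit that OS MAC randomization sets. The sample table, the MACs other than 00-11-22-AB-CD-EE and the flag names are constructed assumptions, and the pattern test is only a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output, shaped after what the thread reports.
SAMPLE_ARP = """\
Interface: 10.0.0.220 --- 0x5
  Internet Address      Physical Address      Type
  10.0.0.1              a4-2b-8c-10-20-30     dynamic
  10.0.0.37             da-a1-19-4e-7c-02     dynamic
  10.0.0.220            00-11-22-ab-cd-ee     dynamic
  172.253.63.188        00-11-22-ab-cd-ee     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""

IFACE = re.compile(r"^Interface:\s+(\d+(?:\.\d+){3})")
ROW = re.compile(r"^\s+(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s", re.I)

def is_patterned(mac):
    """Heuristic: every octet is a doubled nibble (00, EE) or a run (AB, CD)."""
    nibbles = [(int(o[0], 16), int(o[1], 16)) for o in mac.split("-")]
    return all(lo in (hi, hi + 1) for hi, lo in nibbles)

def analyze(arp_text):
    """Return {mac: [flags]} for unicast entries that deserve a closer look."""
    own_ip, ips_by_mac = None, defaultdict(set)
    for line in arp_text.splitlines():
        if m := IFACE.match(line):
            own_ip = m.group(1)          # address of the interface being listed
        elif m := ROW.match(line):
            ips_by_mac[m.group(2).lower()].add(m.group(1))
    findings = {}
    for mac, ips in ips_by_mac.items():
        first = int(mac[:2], 16)
        if first & 0x01:                 # group bit: broadcast/multicast, not a device
            continue
        checks = [
            (first & 0x02, "locally-administered"),  # bit set by OS MAC randomization
            (is_patterned(mac), "patterned-octets"),
            (len(ips) > 1, "multiple-ips"),
            (own_ip in ips, "claims-own-ip"),        # answers for this host's address
        ]
        flags = [name for hit, name in checks if hit]
        if flags:
            findings[mac] = flags
    return findings

if __name__ == "__main__":
    for mac, flags in analyze(SAMPLE_ARP).items():
        print(mac, ", ".join(flags))
```

On the sample, 00-11-22-ab-cd-ee is flagged as patterned, multi-IP and claiming the host's address but not as locally administered, so it lacks the bit that randomized addresses carry.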


10.0.0.220 is my computer's address and no, 00-11-22-AB-CD-EF is not my router's MAC address.
