paragon55 (Author), Posted August 1, 2020

39 minutes ago, paragon55 said:
> 10.0.0.220 is my computer's address and no, 00-11-22-AB-CD-EF is not my router's MAC address.

Now it changed to IP 13.107.4.52 and the name is my computer name .local, like: workpc.local
itman, Posted August 1, 2020 (edited August 1, 2020 by itman)

13 hours ago, paragon55 said:
> Now it changed to IP 13.107.4.52 and the name is my computer name .local, like: workpc.local

Per Robtex lookup:

> The IP number is in Redmond, United States. It is hosted by Microsoft. We investigated two host names that point to 13.107.4.52. Example: 4-c-0003.c-msedge.net and ds-c-0003.c-msedge.net.

Obviously this is an Edge browser/update connection. It really is a mystery why this type of normal outbound Internet traffic is being picked up as a new network device connection.

One possibility is your prior postings show port 445 and SMB protocol is being used when these new network device connections appear. Use of that port/protocol should be restricted to local network connections only.

What is becoming evident is normal Win outbound communication that should be using HTTP/S ports 80/443 is instead using SMB over TCP port 445. Eset interprets this as a new network connection resulting in a like alert.

Are you using a proxy server or anything that is filtering Internet traffic using port 445?
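Added example, not part of the original thread: the rule in the post above (SMB on TCP port 445 only toward local network addresses) can be checked independently of ESET by parsing `netstat -ano` output. The sample rows are constructed; the addresses are ones mentioned in the thread, while the ports, states and PIDs are made up, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the row layout of Windows `netstat -ano` output; the
# addresses appear in the thread, the ports, states and PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.220:49712       13.107.4.52:445        ESTABLISHED     4
  TCP    10.0.0.220:49713       13.107.4.52:443        ESTABLISHED     5120
  TCP    10.0.0.220:49720       10.0.0.1:445           ESTABLISHED     4
  TCP    10.0.0.220:49731       172.253.63.188:445     SYN_SENT        4
  TCP    [::1]:49800            [::1]:445              ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    2204
"""

SMB_PORT = 445


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and IPv6 zone id
    return ipaddress.ip_address(host), int(port)


def is_local(addr):
    """True for loopback, link-local and private (RFC 1918 / ULA) addresses."""
    return addr.is_loopback or addr.is_link_local or addr.is_private


def smb_to_public(netstat_text):
    """Return (remote_ip, state, pid) for TCP rows whose remote end is
    port 445 on a non-local address."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly 5 columns; UDP rows and headers do not.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        try:
            remote, rport = split_endpoint(fields[2])
        except ValueError:
            continue  # malformed row
        if rport == SMB_PORT and not is_local(remote):
            hits.append((str(remote), fields[3], int(fields[4])))
    return hits
```

On the affected machine, pass the captured text of `netstat -ano` instead of `SAMPLE`; the PID in each hit identifies the owning process.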
paragon55 (Author), Posted August 1, 2020

No proxy server and actually I've disabled port 445/SMB now as I have no need for it. All the tests pass at https://www.grc.com/shieldsup also. I wish there was another tool that would detect this anomaly other than ESET.
paragon55 (Author), Posted August 1, 2020

I'm going to completely uninstall Edge to see if that makes any sort of difference.
paragon55 (Author), Posted August 1, 2020

Uninstalling Edge made no noticeable difference. This latest time it connected, the IP address was initially shown as (172.253.63.188) but then switched to my computer address (10.0.0.xxx). It also shows as running network services but they are different this time as shown in the screenshot.
itman, Posted August 1, 2020 (edited August 1, 2020 by itman)

I assume your device is using a Wi-Fi connection? If so, perform the following.

Check if "random MAC address in Windows 10 for Wi-Fi adapter" is enabled as shown in this article: https://winaero.com/blog/enable-random-mac-address-in-windows-10-for-wi-fi-adapter/. If so, this might be an explanation for Eset's new connection alerts.

If this setting is enabled and you desire to use this MAC randomizing feature, I would change Eset's "Protection type of new networks" setting shown in an above posting to "Use Windows settings." Suspect this will stop the Eset new connection alerts.
paragon55 (Author), Posted August 1, 2020

The device is wired via cat 6, not Wi-Fi. Could the explanation just be as simple as CHM is just detecting regular browser traffic between the modem and computer and that's why IPs are pretty random? Also the fact that only ESET is able to detect this out of everything I've tried is puzzling.
itman, Posted August 1, 2020 (edited August 1, 2020 by itman)

2 hours ago, paragon55 said:
> Could the explanation just be as simple as CHM is just detecting regular browser traffic between the modem and computer and that's why IPs are pretty random?

If this was the case, CHM would show dozens if not hundreds of IP addresses. So far, it appears Microsoft and Google IP addresses are being detected by CHM for what appear to be non-browser based outbound connections.

Again, try changing Eset's "Protection type of new networks" setting shown in an above posting to "Use Windows settings." Believe this might stop the new connection alerts. Of note:

> When you select Use Windows setting a dialog will not appear and the network you are connected to will automatically be marked according to your Windows settings. This will cause certain features (for example file sharing and remote desktop) to become accessible from new networks.

https://help.eset.com/eis/13/en-US/idh_config_epfw_basic_group.html?idh_config_epfw_known_networks_group.html
paragon55 (Author), Posted August 1, 2020

1 hour ago, itman said:
> If this was the case, CHM would show dozens if not hundreds of IP addresses. So far, it appears Microsoft and Google IP addresses are being detected by CHM for what appear to be non-browser based outbound connections. Again, try changing Eset's "Protection type of new networks" setting shown in an above posting to "Use Windows settings." Believe this might stop the new connection alerts.

I can do that but it feels like if it works, then it's more or less ignoring the issue at that point. The point being why it's detected at all.
itman, Posted August 1, 2020 (edited August 1, 2020 by itman)

3 minutes ago, paragon55 said:
> I can do that but it feels like if it works, then it's more or less ignoring the issue at that point. The point being why it's detected at all.

I edited my prior posting with what "Use Windows settings" does.
paragon55 (Author), Posted August 1, 2020

30 minutes ago, itman said:
> I edited my prior posting with what "Use Windows settings" does.

I set it to Use Windows Settings and it did nothing except just didn't show the pop-up this time.
itman, Posted August 2, 2020

I am going to wrap up my comments in this thread with the following.

In regards to the Eset new connection alert for your router: this is occurring because something changed its built-in MAC address. I doubt this is due to any anti-tracking mechanism built into the router. If this was the case, the MAC address changing would have been done once when the router fully initialized itself after setup or power up. This leaves the conclusion that any attacker has access to your router.

I would start by performing a hard reset on the router and change its Admin interface password to a strong one. If this issue still persists, try to upgrade the router's firmware to the latest version that exists from the manufacturer. If the router is provided by your ISP, contact them about this issue and see if they have a new firmware version for the router.
paragon55 (Author), Posted August 2, 2020

Thanks for your help in regards to this.