paragon55

Strange "device" showing only with ESET Home Monitor


39 minutes ago, paragon55 said:

10.0.0.220 is my computer's address and no, 00-11-22-AB-CD-EF is not my router's MAC address.

Now it changed to IP 13.107.4.52 and the name is my computer name .local, like: workpc.local

Posted (edited)
13 hours ago, paragon55 said:

Now it changed to IP 13.107.4.52 and the name is my computer name .local, like: workpc.local

Per Robtex lookup:

Quote

The IP number is in Redmond, United States. It is hosted by Microsoft.

We investigated two host names that point to 13.107.4.52. Example: 4-c-0003.c-msedge.net and ds-c-0003.c-msedge.net.

Obviously this is an Edge browser/update connection.

It really is a mystery why this type of normal outbound Internet traffic is being picked up as a new network device connection. One possibility is your prior postings show port 445 and SMB protocol is being used when these new network device connections appear. Use of that port/protocol should be restricted to local network connections only.

What is becoming evident is normal Win outbound communication that should be using HTTP/S ports 80/443 is instead using SMB over TCP port 445. Eset interprets this as a new network connection resulting in a like alert.

Are you using a proxy server or anything that is filtering Internet traffic using port 445?

 

Edited by itman
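
A way to check for the condition discussed above (SMB on TCP port 445 connected to a non-local address) without relying on ESET, as an added example that is not part of the original post. It parses `netstat -ano` output; the sample lines are constructed, reusing IP addresses quoted in this thread, and the function names are hypothetical.

```python
import ipaddress

SMB_PORT = 445

# Constructed sample of `netstat -ano` output (not captured from the poster's machine).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.220:49712       10.0.0.5:445           ESTABLISHED     4
  TCP    10.0.0.220:49733       13.107.4.52:445        ESTABLISHED     4
  TCP    10.0.0.220:49740       13.107.4.52:443        ESTABLISHED     9120
  TCP    10.0.0.220:49755       172.253.63.188:443     ESTABLISHED     9120
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    [fe80::1c2b%12]:49760  [fe80::9a1%12]:445     ESTABLISHED     4
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and IPv6 zone id
    return ipaddress.ip_address(host), int(port)


def is_local(addr):
    """True for private (RFC 1918 / ULA), link-local and loopback addresses."""
    return addr.is_private or addr.is_link_local or addr.is_loopback


def find_external_smb(netstat_text):
    """Return established TCP connections whose remote port is 445 on a non-local IP."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the header, UDP rows and anything that is not an active connection.
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        try:
            remote_addr, remote_port = split_endpoint(fields[2])
        except ValueError:
            continue  # unparsable endpoint such as '*:*'
        if remote_port == SMB_PORT and not is_local(remote_addr):
            findings.append({"remote": str(remote_addr), "pid": int(fields[4])})
    return findings


if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_NETSTAT):
        print(f"SMB to non-local address {hit['remote']} (PID {hit['pid']})")
```

On a live machine, feed it the text of `netstat -ano` instead of the sample; the PID column can then be matched against the process list.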


No proxy server and actually I've disabled port 445/SMB now as I have no need for it. All the tests pass at https://www.grc.com/shieldsup also. I wish there was another tool that would detect this anomaly other than ESET.


I'm going to completely uninstall Edge to see if that makes any sort of difference.


Uninstalling Edge made no noticeable difference. This latest time it connected the IP address was initially shown as (172.253.63.188) but then switched to my computer address (10.0.0.xxx). It also shows as running network services but they are different this time as shown in the screenshot.

Image1.PNG

Posted (edited)

I assume your device is using a Wi-Fi connection? If so, perform the following.

Check if "random MAC address in Windows 10 for Wi-Fi adapter" is enabled as shown in this article: https://winaero.com/blog/enable-random-mac-address-in-windows-10-for-wi-fi-adapter/ . If so, this might be an explanation for Eset's new connection alerts.

If this setting is enabled and you desire to use this MAC randomizing feature, I would change Eset's "Protection type of new networks" setting shown in an above posting to "Use Windows settings." Suspect this will stop the Eset new connection alerts.

Edited by itman


The device is wired via cat 6 not Wi-Fi.

Could the explanation just be as simple as CHM is just detecting regular browser traffic between the modem and computer and that's why IPs are pretty random? Also the fact that only ESET is able to detect this out of everything I've tried is puzzling.

Posted (edited)
2 hours ago, paragon55 said:

Could the explanation just be as simple as CHM is just detecting regular browser traffic between the modem and computer and that's why IPs are pretty random?

If this was the case, CHM would show dozens if not hundreds of IP addresses.

So far, it appears Microsoft and Google IP addresses are being detected by CHM for what appear to be non-browser based outbound connections. Again, try changing Eset's "Protection type of new networks" setting shown in an above posting to "Use Windows settings." Believe this might stop the new connection alerts.

Of note:

Quote

When you select Use Windows setting a dialog will not appear and the network you are connected to will automatically be marked according to your Windows settings. This will cause certain features (for example file sharing and remote desktop) to become accessible from new networks.

https://help.eset.com/eis/13/en-US/idh_config_epfw_basic_group.html?idh_config_epfw_known_networks_group.html

Edited by itman

1 hour ago, itman said:

If this was the case, CHM would show dozens if not hundreds of IP addresses.

So far, it appears Microsoft and Google IP addresses are being detected by CHM for what appear to be non-browser based outbound connections. Again, try changing Eset's "Protection type of new networks" setting shown in an above posting to "Use Windows settings." Believe this might stop the new connection alerts.
 

I can do that but it feels like if it works, then it's more or less ignoring the issue at that point. The point being why it's detected at all.

Posted (edited)
3 minutes ago, paragon55 said:

I can do that but it feels like if it works, then it's more or less ignoring the issue at that point. The point being why it's detected at all.

I edited my prior posting with what "Use Windows settings" does. 

Edited by itman

30 minutes ago, itman said:

I edited my prior posting with what "Use Windows settings" does. 

I set it to Use Windows Settings and it did nothing except just didn't show the pop up this time.


I am going to wrap up my comments in this thread with the following.

In regards to Eset's new connection alert for your router. This is occurring because something changed its built-in MAC address. I doubt this is due to any anti-tracking mechanism built into the router. If this was the case, the MAC address changing would have been done once when the router fully initialized itself after setup or power up.

This leaves the conclusion that an attacker has access to your router. I would start by performing a hard reset on the router and change its Admin interface password to a strong one. If this issue still persists, try to upgrade the router's firmware to the latest version that exists from the manufacturer. If the router is provided by your ISP, contact them about this issue and see if they have a new firmware version for the router.

