latest ESET contacting 72.21.81.200

[NoOne 0]

I have checked and have not found this IP 72.21.81.200 listed in the usual ports and addresses lists that ESET products use. Please update lists and reply what this IP is being used for. Can not update products as they will fail even though it is still contacting the usual other/previous addresses just fine. Sort of a downer to see the only things reported about this IP right now on google being an IP used for basic abuses. Thanks.

On a side note why does ESET try updating automatically after 7 days when I have automatic schedules set to disabled/off. A product should do what I TELL IT TO DO even if I decide to let the database get better testing before applying. I should not have to block the update mechanism via better firewalls to stop it doing things itself when I said NO.

[itman 1,659]

7 hours ago, NoOne said:

I have checked and have not found this IP 72.21.81.200 listed in the usual ports and addresses lists that ESET products use. Please update lists and reply what this IP is being used for. Can not update products as they will fail even though it is still contacting the usual other/previous addresses just fine. Sort of a downer to see the only things reported about this IP right now on google being an IP used for basic abuses. Thanks.

This IP address is registered to MCI Communications Services, Inc. d/b/a Verizon Business (MCICS); i.e. EDGECAST EdgeCast Networks, Inc.. Appears to primarily use MS Azure servers; e.g. xxxxxx.vo.msecnd.net. The "doodgy" domain shown being referenced is Maoooooo.com which shows many Chinese associated IP addresses including ChinaNET. However, this in itself proves nothing.

 

[Marcos 5,074]

Did you find the IP address to be contacted by ekrn.exe?

[itman 1,659]

24 minutes ago, Marcos said:

Did you find the IP address to be contacted by ekrn.exe?

Edgecast is an Internet backbone server provider.

Suspect that Eset traffic might be routed to Europe via this domain, barra-haustechnik.de, which is also hosted on this IP address.

[itman 1,659]

Since I am North America, I just created a firewall rule to monitor any outbound traffic from ekrn.exe to IP addresses 72.21.81.0/24 which is the entire Edgecast sub-net range. Will post back if anything is logged by the firewall.

[Marcos 5,074]

Maybe there's a CDN providing the local repository with program updates on that IP address.  However, in case of CDN IP addresses are not known to us so they cannot be listed in the KB.

[itman 1,659]

6 minutes ago, Marcos said:

Maybe there's a CDN providing the local repository with program updates on that IP address. 

That's my assumption also.

[NoOne 0]

So had a little bit of time to try a couple PC's again. Still going out to same spot and tried dumping all possible DNS caches and pulling from my tertiary DNS provider.

What happens is EKRN.exe will check for updates and download - then start processing the updates as normal with IP's in the KB that are already allowed (mainly UM07.eset.com). And then once the progress bar finishes it will attempt the contact to the odd IP and will then say the update failed if it cannot contact (even though I was able to see the files updated via file activity monitor).

When I let one PC's EKRN contact this server with extra logging enabled it sent 607 Bytes outgoing. And then by checking timing between logs was apparently attempting to download "repository.eset.com/v1/com/eset/apps/home/security/windows/metadata3.default"

Once I let it run this last check it would finish and say completed update in a split second.

I manually downloaded this file in my browser and went to same IP but got the file and does not look like anything surprising. Does seem to be some distribution network interfering with a connection to the official IP; something I personally do not like happening.

Once this apparently freak redirect stops. Still leaves the extra question of why the program tries to auto update when it is not supposed to (all schedules etc deleted/disabled) And then of course if it can not update when not asked to then throws error warnings that can annoy or scare some non-tech family members.

Thanks guys/gals

[Marcos 5,074]

It's not possible to disable updates completely, only program updates can be disabled in the advanced setup (not recommended).  There are other triggers for module updates than Scheduler. Keeping modules up to date is crucial for protecting your machine from newly emerging threats.

 

[Box 0]

The same occours to me, but the IP this time is 93.184.220.29, Virustotal list both with the same description, word by word:

AS 15133 ( MCI Communications Services, Inc. d/b/a Verizon Business )

for reference, I live in Spain, some minutes ago I opened a thread and posted a snapshot, but I didn't notice that a thread related to this was open, you can see the snapshot here:

https://forum.eset.com/topic/25790-eis-ekrnexe-opens-a-lot-of-connections-to-9318422029-and-clog-the-internet-connection/

[Marcos 5,074]

Just now, Box said:

The same occours to me, but the IP this time is 93.184.220.29, Virustotal list both with the same description, word by word:

Please don't post multiple times the same. This topic is about a different IP address. We will provide a reply in your own topic.

[Box 0]

1 minute ago, Marcos said:

Please don't post multiple times the same. This topic is about a different IP address. We will provide a reply in your own topic.

Sorry,it wasn't my intention to post the same information twice, but I noticed a pattern in both IP's and I thought that it was a good idea to let the OP to know about this, sorry again for posting the same thing two times.

[itman 1,659]

On 10/7/2020 at 11:00 PM, NoOne said:

What happens is EKRN.exe will check for updates and download - then start processing the updates as normal with IP's in the KB that are already allowed (mainly UM07.eset.com). And then once the progress bar finishes it will attempt the contact to the odd IP and will then say the update failed if it cannot contact (even though I was able to see the files updated via file activity monitor).

I duplicated this by forcing an Eset Update manually.

Two connections were made to um13.eset.com. Once the update check completed, two connections were shown to 2606:2800:11f:17a5:191a:18d5:537:22f9 which indeed is Edgecast. Below is info on this IPv6 connection. Note the "bgp" reference in the route field. It stands for border gateway protocol. Again, this is an Internet backbone server and all it its doing is relaying the network communication to/from its final destination.

 

There is also an IPv6 element involved here assuming your ISP and router supports it. As I mentioned, two connections were made to Eset servers. Why? It appears Eset servers only accept IPv4 connections. How IPv6 works is if a connection cannot be made via IPv6, it will fallback to IPv4 and try again. Hence the double connection attempt. Also why you are observing a failed update connection; the initial IPv6 update connection attempt.

 

Edited October 12, 2020 by itman

[NoOne 0]

On 10/8/2020 at 1:37 AM, Marcos said:

It's not possible to disable updates completely, only program updates can be disabled in the advanced setup (not recommended).  There are other triggers for module updates than Scheduler. Keeping modules up to date is crucial for protecting your machine from newly emerging threats.

 

This part is slightly concerning as it wreaks of following the big monopolies like Microsoft that have decided a persons computer is NOT theirs to control and the programs we pay for are also more important  than the owners life instead of acting like invited guests that MUST honestly advertise what they do and do it as the user requests when the option is available; not having an option that makes you think it does something but ignores you and does things behind your back. This basically says that ESET considers themselves to be superior to every user including those that may actually have more knowledge of their own personal business or even have experience/training in computers that surpasses them and want to act like big brother, do as we say. it if for your own good; aka jump of a cliff if we tell you.  Anyway found the hidden timer based entry that over-rides and triggers the forced auto update and when I get time will be working on a boot-up script to reset it so it only runs when it is requested and considered safe and ready to update by the owner/administrators/me that can determine their own risk factor of how up to date they need to be. We are not talking a business being an open target that someone could get a bunch of money out of; just home users. At least once this auto update gets overridden I can stop blocking the connections on certain computers at a higher level and having an extra step to do when I do want to do an update.

[NoOne 0]

As for the main issue discussion. The pass through of that odd IP backbone stopped happening about the end of last week and started once again going to the normal ESET servers.  As part of the other issue I also found a rather nice place in the registry to see the server names and associated IP's that the particular version of the ESET product installed on each machine actually uses so I could more precisely program them in to the firewall and where I can go to look if something ever changes to confirm.

Thanks for the help everyone and hopefully it leads to some knowledge gains to further limit future issues.

[shocked 60]

1 hour ago, NoOne said:

  As part of the other issue I also found a rather nice place in the registry to see the server names and associated IP's that the particular version of the ESET product installed on each machine actually uses so I could more precisely program them in to the firewall and where I can go to look if something ever changes to confirm.

 

 

 

out of curiosity, what's the registry key containing the IPs?

[itman 1,659]

Eset URLs and associated IP addresses are "no big secret." They are listed here: https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall

 

Edited October 12, 2020 by itman

[NoOne 0]

Like itman said there has always been public lists. Something that is a + over most others now a days. And why this OP happened is because maybe something was off. Finding the reg entries is just nice to narrow things down more specifically etc.

If a reason.... I found them under one of the folders under here -> HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\

[itman 1,659]

7 hours ago, NoOne said:

If a reason.... I found them under one of the folders under here -> HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\

That key only contains URLs and IP addresses to Eset update servers. I am also a bit surprised they are "hard coded" there.

[Marcos 5,074]

14 minutes ago, itman said:

I am also a bit surprised they are "hard coded" there.

Not hardcoded, the list is downloaded from update servers.

[itman 1,659]

3 minutes ago, Marcos said:

Not hardcoded, the list is downloaded from update servers.

As such, what are the purpose of these then?

[Marcos 5,074]

The updater picks one of the update servers listed in the registry.

[itman 1,659]

21 minutes ago, Marcos said:

The updater picks one of the update servers listed in the registry.

Is that reg. key protected via Eset self-protection? I believe it is.

[shocked 60]

2 minutes ago, itman said:

Is that reg. key protected via Eset self-protection? I believe it is.

yes, i tried renaming the entire eset subkey and it was denied.