EES IP leak through DNS resolving.

[StefanL4 0]

Hello.

I discovered one unpleasant feature of the program. If user go to the section "Network connections", EES automatically starts resolving all IP addresses, all working at this time connections through DNS server(s). Moreover, it resolves even those IP addresses that do not need it. As an example,torrent clients etc..  It is very dangerous because DNS provider
in this case sees ALL connection company computer(s), not just those that should be resolved through DNS. This occurs regardless of check "Resolve host names" in "Network connections" section or not. This is definitely not ok. If large companies use their own DNS servers, which are under their full control, then small ones rely on third-party DNS hostings, which can lead to the leakage of confidential information based on dns requests. The EES has no option to disable this behavior. The system administrator of the company can only warn users not to enter the section "Network connections". Please fix this as soon as possible, otherwise you may be bombarded with lawsuits.

Steps to reproduce:

1: Open Wireshark program or any other program that can monitor network connections.

2: Open Eset Endpoint Security.

3: Click "Tools" option and then go to "Network connections" section.

4: After this In the Wireshark, you must observe DNS resolving ALL yours working connections at a given time.

[Marcos 5,074]

Unless you use a VPN not only DNS requests but also the whole Internet communication will go through the provider regardless of whether ESET is installed or not. We don't see any issue in what you wrote.

[StefanL4 0]

I'm not talking about ISP logging. I'm trying to convey to you that the EES leak absolutely all the Internet connections, even those who do not need by resolved through DNS servers. Simple example. You download something with torrent client. When you open "Network connections" section in EES it start resolve through DNS all ip addresses connection from this torrent client. WHY??? WHY??? WHY??? This is the simplest example. But in place of the torrent client can be some sort of a sensible program of all ip addresses (connection) which are confidential, and the EES without any reason leak them through DNS. Give a logical explanation why it happens even when uncheck "Resolve host names" in "Network connections" section? System administrators do not even have the possibility to stop this. You just ignore the existence of the problem.

 

PS: You really believe that small companies use VPN to encrypt their traffic?

Edited June 17, 2021 by StefanL4

[rekun 43]

I agree with Marcos, and dont see the issue.

The trafic to those IP's is made with or without Eset.

The fact that you make a reverse DNS does not make any difference, and does not real any information that was not available otherwise (anyone can make those reverse DNS requests if they have the IP).

IP's that resolves anything  through DNS can not be considered confidential (I would not consider any public IP condidential, that is why they are called "Public")

[labynko 5]

Hello.

StefanL4, you don't know about the even more interesting behavior of the program with the network. 

When a firewall is configured (when only specific connections are allowed to ekrn.exe process), if you go to "Network protection troubleshooting" in ESET Endpoint Security, you can see that ESET Endpoint Security itself (C:\Program Files\ESET\ESET Security\ekrn.exe) tries to establish outgoing connections with different devices on the network using such TCP ports like 62078, 445, 80 and UDP ports 1900, 5353, 137, 3702. This means that if there were no deny rule, then the ekrn.exe process could establish all these connections!