Jump to content

EES IP leak through DNS resolving.

Recommended Posts


I discovered one unpleasant feature of the program. If user go to the section "Network connections", EES automatically starts resolving all IP addresses, all working at this time connections through DNS server(s). Moreover, it resolves even those IP addresses that do not need it. As an example,torrent clients etc..  It is very dangerous because DNS provider
in this case sees ALL connection company computer(s), not just those that should be resolved through DNS. This occurs regardless of check "Resolve host names" in "Network connections" section or not. This is definitely not ok. If large companies use their own DNS servers, which are under their full control, then small ones rely on third-party DNS hostings, which can lead to the leakage of confidential information based on dns requests. The EES has no option to disable this behavior. The system administrator of the company can only warn users not to enter the section "Network connections". Please fix this as soon as possible, otherwise you may be bombarded with lawsuits.

Steps to reproduce:

1: Open Wireshark program or any other program that can monitor network connections.

2: Open Eset Endpoint Security.

3: Click "Tools" option and then go to "Network connections" section.

4: After this In the Wireshark, you must observe DNS resolving ALL yours working connections at a given time.

Link to comment
Share on other sites

  • Administrators

Unless you use a VPN not only DNS requests but also the whole Internet communication will go through the provider regardless of whether ESET is installed or not. We don't see any issue in what you wrote.

Link to comment
Share on other sites

Posted (edited)

I'm not talking about ISP logging. I'm trying to convey to you that the EES leak absolutely all the Internet connections, even those who do not need by resolved through DNS servers. Simple example. You download something with torrent client. When you open "Network connections" section in EES it start resolve through DNS all ip addresses connection from this torrent client. WHY??? WHY??? WHY??? This is the simplest example. But in place of the torrent client can be some sort of a sensible program of all ip addresses (connection) which are confidential, and the EES without any reason leak them through DNS. Give a logical explanation why it happens even when uncheck "Resolve host names" in "Network connections" section? System administrators do not even have the possibility to stop this. You just ignore the existence of the problem.


PS: You really believe that small companies use VPN to encrypt their traffic?

Edited by StefanL4
Link to comment
Share on other sites

  • ESET Insiders

I agree with Marcos, and dont see the issue.

The trafic to those IP's is made with or without Eset.

The fact that you make a reverse DNS does not make any difference, and does not real any information that was not available otherwise (anyone can make those reverse DNS requests if they have the IP).

IP's that resolves anything  through DNS can not be considered confidential (I would not consider any public IP condidential, that is why they are called "Public")

Link to comment
Share on other sites


StefanL4, you don't know about the even more interesting behavior of the program with the network. 

When a firewall is configured (when only specific connections are allowed to ekrn.exe process), if you go to "Network protection troubleshooting" in ESET Endpoint Security, you can see that ESET Endpoint Security itself (C:\Program Files\ESET\ESET Security\ekrn.exe) tries to establish outgoing connections with different devices on the network using such TCP ports like 62078, 445, 80 and UDP ports 1900, 5353, 137, 3702. This means that if there were no deny rule, then the ekrn.exe process could establish all these connections!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...