PassingBy, posted March 12, 2023:

Long story made short: over the last months I have spotted several IP numbers that should not be there while all apps are closed on laptop and desktop machines. I also use the web blocking functions to block an entire domain and an IP range. However, today I ran another packet traffic check and I saw those IPs are back and alive.

Firewall setup is simple: Deny; In-out all blocked; Local and Remote; Warning. They're still there.

What worries me is what seems a parallel connection separated from the tree of connections I see departing from my router and connecting between two hex IP numbers which I have converted and blocked. They disappeared for a while and they're back. Am I doing something wrong?
Marcos (Administrator), posted March 12, 2023:

Please provide:
- logs collected with ESET Log Collector
- a couple of screenshots with comments that would clarify your concerns
itman, posted March 12, 2023:

> 8 hours ago, PassingBy said: What worries me is what seems a parallel connection separated from the tree of connections I see departing from my router and connecting between two hex IP numbers which I have converted and blocked.

I have never seen an IPv4 address shown in hexadecimal format; they are always numeric formatted. However, IPv6 addresses do use hexadecimal format: https://en.wikipedia.org/wiki/IPv6_address

Edited March 12, 2023 by itman
PassingBy (author), posted March 13, 2023:

> 5 hours ago, itman said: I have never seen an IPv4 address shown in hexadecimal format; they are always numeric formatted. However, IPv6 addresses do use hexadecimal format: https://en.wikipedia.org/wiki/IPv6_address

I never said they were IPv4. I said I had, on a tree of connections departing from my router, a SEPARATE connection with an initial HEX IP which converted was something like 245.8.X.X towards 1 or in one case 2 shorter HEX addresses, which converted gave the same sort of result. So, once verified EIS doesn't take HEX addresses, I created a rule with the decimal version and blocked everything. They showed up again. Same happened when I went to block a domain (www.blablablablah.xx). It was still there a few weeks later. In the case of the web domain, I also made sure to investigate their IP range and make an ad hoc rule in the firewall for the whole IP range. They're still there, showing on a sniffer similar to Wireshark I use.
PassingBy (author), posted March 13, 2023:

> 10 hours ago, Marcos said: Please provide: logs collected with ESET Log Collector; a couple of screenshots with comments that would clarify your concerns

Will try to do it today if I have the time... I might have some screenshots somewhere...
PassingBy (author), posted March 13, 2023:

> 10 hours ago, Marcos said: Please provide: logs collected with ESET Log Collector; a couple of screenshots with comments that would clarify your concerns

Here is a screenshot of what I see. On the right (redacted IPs) you have the normal IPs... they're mostly fine and link directly to my router's IP. On the left you see the others. That's today's. I have others for other days. I will try to drop a log later on, but I think the screenshot is eloquent enough.

Edited March 13, 2023 by PassingBy
PassingBy (author), posted March 13, 2023:

> 23 hours ago, Marcos said: Please provide: logs collected with ESET Log Collector; a couple of screenshots with comments that would clarify your concerns

Hi Marcos, apparently the log is too big and it won't let me upload it. Can you kindly clarify what part you need? Thanks.
Marcos (Administrator), posted March 13, 2023:

Please provide complete logs. If necessary, upload the generated archive to a file sharing service and drop me a PM with a download link. Still, it's not clear to me if you are concerned that ESET (ekrn) is communicating with unknown IPv6 addresses or that something else is communicating. Note that in automatic mode all outbound communication is allowed.
itman, posted March 13, 2023:

As far as the Eset IP address shown, Robtex lookup shows:

Of note is that Eset server connections are all IPv4 as far as I am aware of. Are you connecting exclusively via IPv6, since your screenshot only shows a local link IPv6 address? If so, your router is converting IPv4 addresses to IPv6 ones via the 4to6 tunneling method. This might account for the strange activity you referenced.
PassingBy (author), posted March 14, 2023:

> 11 hours ago, Marcos said: Please provide complete logs. If necessary, upload the generated archive to a file sharing service and drop me a PM with a download link. Still, it's not clear to me if you are concerned that ESET (ekrn) is communicating with unknown IPv6 addresses or that something else is communicating. Note that in automatic mode all outbound communication is allowed.

The question is: why, despite me setting rules for IPs and domains I want to block, do they still show among my connections? Is the firewall blocking, or are those rules inefficient? Am I doing something wrong? If so, what? Bottom line: how can I actually block IPs and domains from EIS?
PassingBy (author), posted March 14, 2023:

> 3 hours ago, itman said: As far as the Eset IP address shown, Robtex lookup shows: Of note is that Eset server connections are all IPv4 as far as I am aware of. Are you connecting exclusively via IPv6, since your screenshot only shows a local link IPv6 address? If so, your router is converting IPv4 addresses to IPv6 ones via the 4to6 tunneling method. This might account for the strange activity you referenced.

I am not worried about ESET connections. I am investigating the IPv6 addresses in the screenshot below (often it is just one associated). Since they are set as private and no information is provided, I think it's normal to express a degree of doubt on what they are doing in my machine. The second doubt is why EIS is not blocking them as instructed.
Marcos (Administrator), posted March 14, 2023:

In order to block a communication allowed by the default rules, make sure to put a blocking rule on top of the built-in rules. I would not recommend doing that, or you could easily end up blocking some vital communication needed for the OS or ESET to work.
itman, posted March 14, 2023:

> 20 hours ago, PassingBy said: I am investigating the IPv6 addresses in the screenshot below (often it is just one associated)

IPv6 addresses in the fe80::/64 range are local link addresses used for connectivity purposes on your device's local subnet. These addresses are not routable beyond the local subnet. Here's a good article that explains this in more detail: https://zivaro.com/what-you-need-to-know-about-ipv6-link-local-addresses/

Also note that if your network connection in Eset is set up as trusted, all fe80::/64 addresses are automatically trusted.

-EDIT- I guess I should also explain the ff02:: connections so you don't bork that processing. Open a command prompt window and enter the following command:

    netsh int ipv6 show neigh

The output displayed will be similar to the following. Note that I have redacted my addresses. Also, if you use a Wi-Fi connection, the Interface will be shown as such:

What you observe is the result of DHCPv6 processing assigning, via neighborhood discovery, local link ff02:: equivalent broadcast addresses for your device and devices on your subnet allocated IPv6 addresses. The only IPv6 addresses not converted are my DHCPv6 DNS server and the fe80:: address assigned to my router/gateway.

Edited March 14, 2023 by itman
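As an added illustration (not part of any post in this thread), the following Python script sorts addresses from a sniffer listing into the scopes discussed above (link-local fe80::, ff02:: multicast, private, reserved, global) and converts the hexadecimal IPv4 form the original poster described, so that only globally routable peers are left as candidates for a blocking rule. All sample addresses are constructed placeholders; the poster's real addresses are not on the page.

```python
import ipaddress

# Constructed sample standing in for a sniffer listing like the one in the
# thread; the poster's real addresses are not on the page.
SAMPLE_ADDRESSES = [
    "fe80::1",            # link-local: router/neighbour traffic, stays on the LAN
    "ff02::1",            # all-nodes multicast used by Neighbor Discovery
    "ff02::1:2",          # all-DHCPv6-agents multicast
    "fd12:3456:789a::1",  # unique-local (private) IPv6, constructed
    "192.168.1.1",        # private IPv4, e.g. the router
    "2a00::1",            # placeholder for a globally routable IPv6 address
    "F5080102",           # IPv4 printed as hex, the form the poster had to convert
]

def hex_to_ipv4(hex_str: str) -> str:
    """Convert an 8-hex-digit IPv4 address (as some sniffers print it) to dotted quad."""
    digits = hex_str.lower().removeprefix("0x")
    if len(digits) != 8:
        raise ValueError(f"not an 8-digit hex IPv4 address: {hex_str!r}")
    return str(ipaddress.IPv4Address(int(digits, 16)))

def looks_like_hex_ipv4(raw: str) -> bool:
    """Hex form has no ':' or '.', just 8 hex digits (optionally '0x'-prefixed)."""
    return ":" not in raw and "." not in raw and len(raw.lower().removeprefix("0x")) == 8

def classify(addr: str) -> str:
    """Scope of an address: multicast, link-local, reserved, private or global."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:      # fe80::/10 or 169.254.0.0/16
        return "link-local"
    if ip.is_reserved:        # e.g. 240.0.0.0/4, which covers 245.x.x.x
        return "reserved"
    if ip.is_private:         # RFC 1918 and fc00::/7
        return "private"
    return "global" if ip.is_global else "other"

def is_remote_peer(addr: str) -> bool:
    """True only for globally routable addresses, the ones a blocking rule can target;
    link-local and multicast entries are LAN housekeeping, not a remote party."""
    return classify(addr) == "global"

def triage(addresses):
    """Group a sniffer listing by scope, normalising hex IPv4 first."""
    groups: dict = {}
    for raw in addresses:
        addr = hex_to_ipv4(raw) if looks_like_hex_ipv4(raw) else raw
        groups.setdefault(classify(addr), []).append(addr)
    return groups
```

Anything that lands in the link-local or multicast groups is local subnet traffic that a rule on a remote address cannot remove, which is why such entries keep reappearing in a packet capture.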
PassingBy (author), posted March 28, 2023:

> On 3/14/2023 at 9:49 PM, itman said: IPv6 addresses in the fe80::/64 range are local link addresses used for connectivity purposes on your device's local subnet. These addresses are not routable beyond the local subnet. Here's a good article that explains this in more detail: https://zivaro.com/what-you-need-to-know-about-ipv6-link-local-addresses/ . Also note that if your network connection in Eset is set up as trusted, all fe80::/64 addresses are automatically trusted. -EDIT- I guess I should also explain the ff02:: connections so you don't bork that processing. Open a command prompt window and enter the following command: netsh int ipv6 show neigh. The output displayed will be similar to the following. Note that I have redacted my addresses. Also, if you use a Wi-Fi connection, the Interface will be shown as such: What you observe is the result of DHCPv6 processing assigning, via neighborhood discovery, local link ff02:: equivalent broadcast addresses for your device and devices on your subnet allocated IPv6 addresses. The only IPv6 addresses not converted are my DHCPv6 DNS server and the fe80:: address assigned to my router/gateway.

Dear itman, thanks for the kind explanation and for the time you devoted to this. Understood. Thanks a million. R.