Weird device shown by Network Inspector

[Aaxo 0]

Hello,

I'd like to ask about this one device found on my network by Network Inspector. As for all the other devices shown by the app, I was able to find out what they are, but this one I don't know (the only two HP products on my network are a laptop which i ruled out as another device and a printer that has been disconnected for quite a while) and the strange IP address seems really concerning to me (the MAC vendor indeed is HP, I checked for that). All of the other devices have got standard IP assigned by router. What i find really strange is that the Network Inspector seems to be the only programme being able to see this device (I can't see it in the router interface and several other programmes can't see it either). I find it being mostly online (although not all the time) whenever I look into the Inspector app. As i was concerned about this, I reset my router into factory settings, but as soon as I connected back online and ran Network Inspector, the device was already there (i ran antivirus testing on all connected devices before doing the reset).

So I'd like to ask if there's anyone who could tell me what could this mean (tbh I'm not really tech-savvy) or whether or not is it something to be concerned about.

Thanks.

[Marcos 4,841]

You can try deleting "C:\ProgramData\ESET\ESET Security\homenet.dat"  in safe mode. If the HP device is detected during a network scan again and no HP device is connected to the router neither via wi-fi or wire, carry on as follows:

1. Enable advanced logging under Help and support -> Technical support
2. Run a network scan
3. Stop logging
4. Collect logs with ESET Log Collector.
5. Raise a support ticket and provide the logs when requested by technical support.

 

[itman 1,595]

The HP device appears to be a "ghosted" one Network Inspector is picking up. More so since the assigned IP addresses is an IPv6 link local one.

I suspect that deleting the homenet.dat file will remove it from being shown.

[Aaxo 0]

Hello,

So i've tried to delete the said file (went to safe mode, then C:\Program Files\ESET\ESET Security), but there was no such file of that name. Is it possible that it's "hiding" under a different name (there was, however, no .dat file whatsoever)?

Then i ran the network scan, which showed no vulnerabilities (the said device was, however, offline by that time according to the Network Inspector - then it bounced back online and offline as i performed another check).

[peteyt 373]

13 minutes ago, Aaxo said:

Hello,

So i've tried to delete the said file (went to safe mode, then C:\Program Files\ESET\ESET Security), but there was no such file of that name. Is it possible that it's "hiding" under a different name (there was, however, no .dat file whatsoever)?

Then i ran the network scan, which showed no vulnerabilities (the said device was, however, offline by that time according to the Network Inspector - then it bounced back online and offline as i performed another check).

Are hidden files enabled? Could be hidden by default

[Aaxo 0]

Just enabled them (in File Manager), but still can't see the file (although now I am already off the safe mode, if it makes any difference).

[Aaxo 0]

Update:

I'm so sorry, OS wouldn't let me to ProgramData by default so i was looking into Program Files. In the ProgramData folder i can find the said file, I'll try to find it in the safe mode as well.

[Aaxo 0]

I Successfully managed to delete the file, but the device is still there (with the only difference being the IP showing as the name of the device as well). So I'll try to contact the support as suggested.

Thanks

[Aaxo 0]

I raised a support ticket and it was recommended to me to contact my ISP, as there can be different explanations depending on how the networks in my area are connected.

Anyway one more thing came across my mind that I'd like to ask. As I mentioned earlier on, I ruled out my HP printer as impossible to be the unknown device because it was disconnected a while ago. It was not, however, deleted from the computer, so I thought the computer might be just "looking for it" or that one of the drivers or the HP app may be causing this confusion. Moreover, by checking the printer's hardware I found out that it actually has 2 MAC addresses (depending on the way of connection with other devices) and the one that was not being displayed on my computer matches the one of the unknown device. Also, the IPv6 shown by the Network Inspector was there (although I have no clue why would the computer prefer it over the IPv4, I don't really understand this matter).

So I tried to delete the printer completely from the computer including all the files and accompanying software, then again deleting the homenet.dat file, but the device was still showing there. It was, however, not visible on a Network Inspector scan of another device (I bought the programme just today), which also has history of being connected to that printer (altough probably not through HP Smart).

As nothing seemed to change the status of the unknown device, I reinstalled the printer, which didn't change it either.

Well... Basically I'd like to ask whether or not can it be possible for a disconnected device (or a malfunctioning driver, I haven't really found that out) to "fool the" computer and the Network Inspector, as it only got detected from a device to which it was connected most of the time of its active use? Or, perhaps, can it possible that some sort of spoofing is taking place (few days ago, there has been some traffic blocked by the ESET firewall linked to that particular IPv6 if I remember correctly)?

I really hope that at this point I'm not just wasting time of y'all who read this and am sorry for not looking up the printer specs properly earlier on, but the situation still seems strange to me as I don't really understand this stuff...

[itman 1,595]

I must say you really put a lot of effort into this issue.

Let's take it from the top again. A couple of questions.

1 Is the network connection Eset created set to the Private profile?

2. Is the HP printer connected  to any other computer on your home network and is the printer powered up?

3. If the printer is not connected to another computer is its Wi-Fi connection enabled and the printer powered up?

Edited September 19 by itman

[Marcos 4,841]

If you want to find out the reason for detection, carry on as follows:

1. Enable advanced logging under Help and support -> Technical support
2. Run a network scan so that the HP device is detected
3. Stop logging
4. Collect logs with ESET Log Collector and provide the generated archive to technical support who should pass the logs to the developers for perusal.

[Aaxo 0]

9 hours ago, itman said:

1 Is the network connection Eset created set to the Private profile?

2. Is the HP printer connected  to any other computer on your home network and is the printer powered up?

3. If the printer is not connected to another computer is its Wi-Fi connection enabled and the printer powered up?

1) The connection is set to the Private profile

2) In the past, the printer was connected to two other devices (I believe), one of them being a phone, the other one being a laptop from which the second scan was performed. In none of these cases, however, was the printer connected to a HP Smart app (used for example for real-time monitoring of the amount of ink or for ordering the ink online). The Network inspector on the first device showed the same result whether the printer was connected/disconnected (both from the computer and electricity). The printer was never really connected to the home network but through the home computer (just using ordinary USB cable with no intentions of it being connected to the internet, but the printer's report showed me that it must've been connected to the home network somehow, probably via the cable connection, and thanks to the HP Smart app)

3) The printer can generate its own Wi-Fi that can be used for wireless printing, but I never used it. Right now the printer is powered up and connected to the computer, but the result of the scan remains the same.

It makes me wonder if it could be the HP Smart app causing this confusion (even though the problem persisted after deleting the app) and the computer is just mistakenly checking on the printer status even though it was properly deleted from it (as a result of some sort of system error; I guess hard reseting the computer would show whether it makes sense or not, but that feels a little too excessive to me)...

[Aaxo 0]

2 hours ago, Marcos said:

If you want to find out the reason for detection, carry on as follows:

1. Enable advanced logging under Help and support -> Technical support
2. Run a network scan so that the HP device is detected
3. Stop logging
4. Collect logs with ESET Log Collector and provide the generated archive to technical support who should pass the logs to the developers for perusal.

OK, I'll try that.

Thanks

[itman 1,595]

4 hours ago, Aaxo said:

but the printer's report showed me that it must've been connected to the home network somehow, probably via the cable connection, and thanks to the HP Smart app

Let's begin with how Eset Network Inspector works. It will identify all devices on your local home network connected to your router.

When you set up the HP printer, it appears that processing set up its Wi-Fi interface. Your router via its Wi-Fi interface discovered the printer and created a connection for it. Normally, a Wi-Fi device can't auto create a Wi-Fi connection on the router. I therefore conclude that there was manual intervention to do so during the printer setup procedure.  Open the router's GUI interface and display all devices currently connected to it. I am sure one of those devices is the HP printer.

Which gets us to what is the problem?  One of the functions of Network Inspector is to notify if a new device has been connected to your home network which is not the case here.

Edited September 20 by itman

[Aaxo 0]

I'm afraid it doesn't show up in the GUI (really couldn't find it anywhere, it was not even in the past connected devices or as a possibility of adding it to a MAC whitelist etc.). It really seems like some sort of a strange bug generated by my computer's system to me, hopefully nothing to worry about (since the Network Inspector ran on another device doesn't show it)...

[itman 1,595]

2 hours ago, Aaxo said:

hopefully nothing to worry about (since the Network Inspector ran on another device doesn't show it)...

You posted previously that the HP printer is currently connected to your PC. Assumed that is by USB connection.

I have the same setup and Network Inspection does not see my HP printer. However, I never set up its Wi-Fi connection. I also uninstalled the HP Smart software immediately after the HP printer setup procedure was completed.

Finally, my old PC does not have Wi-Fi connectivity; i.e. no Wi-FI network adapter, which also might be a factor for Network Inspector not seeing the printer.

[Aaxo 0]

The printer really was connected to my PC using the USB cable only with the remote connection disabled (both connecting to any existing site and generating its own). But apparently somewhat improperly, as when I accessed the general settings, there was a third switch that was ON. So I tried connecting the printer to the home Wi-Fi for the first time and the unknown device turned into a printer with name identifying the actual model. The MAC and the link-local address stayed the same, IPv4 assigned by router appeared (with 2 other IPv6s), another new thing was info about the OS.

So everything appeared to be alright, the printer was visible from both the devices where I ran Network Inspector scan (also from the router's GUI). When I turned the printer off, it disappeared from GUI and the other device with ESET on it. However, on the computer that was initially displaying it as an unknown device, everything returned to the old state (the disconnected printer showing as alternately on and off the network) with the fact that the recently added info stayed there (accessing the printer's interface became obviously impossible, gradually sending me to the 3 now displayed IPv6 addresses).

As for the no Wi-Fi network adapter possibility, in my case it's actually the PC that shows this strange thing that is not connected to Wi-Fi (it doesn't have such built-in adapter). The other one is (I actually ran the scan with it being connected to Wi-Fi first, then Ethernet with the same result).

I can't help but think it has to do something with the HP Smart app and that particular computer (why wouldn't it show up elsewhere?), but then again, given the level of my knowledge of the matter I'm just guessing. I'll try to do the log collecting and contact the support.

Thanks for the help and advice

[itman 1,595]

I really believe the issue is due to HP's weird setup procedure in regards to using the printer with their provided printer driver. Below is the USB connection setup procedure for my printer model:

Quote

HP printer setup (USB cable)

Set up your printer for a USB connection on a Windows computer, Mac, or Chromebook.

Set up a USB printer connection (Windows)

Download the HP Smart app for Windows, and then follow the instructions to set up a USB connection.

1. If you already connected the printer USB cable to your computer, disconnect it, and then remove the printer from your computer.

   1. Search for and open Printers & scanners, and then select the name of your printer from the list.

   2. Click Remove device, click Yes, and then restart the computer.

2. Make sure an open USB port is available on your computer. Do not connect the printer to a USB hub or docking station.

3. Go to HP Smart - Microsoft Store (in English), and then install and open the HP Smart app.

4. If the setup does not begin automatically, click the Add icon to add your printer.

5. Follow the prompts to complete the printer setup.

 

 

Edited September 21 by itman

[Aaxo 0]

So I tried to do this deleting procedure once again (with low expectances though, as previously the device was showing printer being disconnected and deleted including software), deleted the printer, (hopefully) all drivers, all HP software and files left behind by it. Then I deleted the homenet.dat file in safe mode and restarted the computer.

After logging back in, the device immediately popped up on the Network Inspector, showing once again only the link local IPv6, MAC and brand (probably based on identifying the MAC vendor). Once again, the other device with ESET Network Inspector feature didn't see it. To be more sure, I installed Avast Free (just for the purpose of the network scan, it's already uninstalled so that it doesn't interfere with ESET) and ran a network scan there. The result was the same (the device was detected on one of the two computers only). The printer hasn't been plugged in since I deleted it.

I don't really understand why only one computer sees this thing. I tried to rule out all possible interference possibilities, such as thermostat and wireless doorbell, both of those not being connected to Wi-Fi and operating on different frequencies (with the strongest argument being that such "interfering device" wouldn't display with printer's assigned MAC and a link local IP, which is preset as well based on what I understood from the printer status report).

It wouldn't be that off-putting to me normally, but before installing ESET and finding out about the anomaly in the network scan, I actually found an unknown device in my router's GUI (with MAC vendor being Zensys, which only has one registered MAC prefix from what I could find; also, the vendor apparently has something to do with Z-wave but I'm not sure if really, I didn't really get the feeling of it being a reliable company). The device was not displaying any IP address (in the GUI). I performed a factory reset of my router and ran an anti-malware scan on all the devices where it was possible. The device didn't appear in the GUI since the reset, so I believe that fixed the problem. I thought I wrote this piece of information in my initial post, but apparently I only wrote it in the support ticket and forgot.

So in light of this, the anomaly visible from only one device makes me more concerned than it probably should. I'll try to contact the support now that I gathered more info and will see what comes out of it.