spc3rd (Author), Posted March 21, 2016 (edited)

A new update for what it's worth...

At 6:30 p.m. today, while I was viewing ESET > SETUP > Network Protection page, MBAM displayed another Outbound block alert as shown in the log excerpt below. At the same time of MBAM's alert, the ESS Troubleshooting Log shows it blocked an INCOMING TCP packet from the same IP address, 91.212.124.32. Reason: "TCP packet not belonging to any open connection".

This new IP address (91.212.124.32) appears to be located in the Ukraine. IP is flagged by VirusTotal (i.e. Kaspersky & Dr. Web) as being malicious.

Malwarebytes Anti-Malware Log excerpt

Detection, 3/21/2016 6:30 PM, SYSTEM, XXXXADMIN-PC, Protection, Malicious Website Protection, IP, 91.212.124.32, 58282, Outbound, C:\Program Files\ESET\ESET Smart Security\ekrn.exe,
Detection, 3/21/2016 6:30 PM, SYSTEM, XXXXADMIN-PC, Protection, Malicious Website Protection, IP, 91.212.124.32, 58282, Outbound, C:\Program Files\ESET\ESET Smart Security\ekrn.exe,
Detection, 3/21/2016 6:30 PM, SYSTEM, XXXXADMIN-PC, Protection, Malicious Website Protection, IP, 91.212.124.32, 58282, Outbound, C:\Program Files\ESET\ESET Smart Security\ekrn.exe,
Detection, 3/21/2016 6:30 PM, SYSTEM, XXXXADMIN-PC, Protection, Malicious Website Protection, IP, 91.212.124.32, 58282, Outbound, C:\Program Files\ESET\ESET Smart Security\ekrn.exe,
Detection, 3/21/2016 6:30 PM, SYSTEM, XXXXADMIN-PC, Protection, Malicious Website Protection, IP, 91.212.124.32, 58282, Outbound, C:\Program Files\ESET\ESET Smart Security\ekrn.exe,
(end)

Cheers everyone!

Edited March 21, 2016 by spc3rd
itman, Posted March 22, 2016 (edited)

What you see in your last posting is two real time security solutions at conflict with each other. In this case, MBAM is blocking Eset's outbound connections. My opinion and that of others is that:

1. Only one security solution should be running in real time. In this case, I would recommend turning off MBAM's real time protection and using it as a second opinion offline malware scanner.

2. If option 1 is not acceptable, then you need to set exclusions in Eset for MBAM and exclusions in MBAM for Eset. This might or might not resolve the conflict.

You seem to be getting connections from unwanted places. A few of these every once in a while is normal. If they start occurring in multiple frequencies on a daily basis, it might be time to post what is happening in the Eset Malware Finding and Cleaning section.

Edited March 22, 2016 by itman
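An added example, not part of the thread and not code from either product: Python that parses protection-log entries in the format quoted above, collapses repeated entries, and flags blocks attributed to another security product's executable, which is the conflict described in the post above. The field labels, the SECURITY_PROCESSES list and the second sample entry (browser.exe, documentation-range IP) are assumptions.

```python
import csv
from collections import Counter
from pathlib import PureWindowsPath

# Field labels are assumptions inferred from the excerpt, not MBAM's documented schema.
FIELDS = ["type", "time", "user", "host", "category", "module",
          "kind", "ip", "port", "direction", "process"]

# Executables of other real-time security products; ekrn.exe is the one in the thread.
SECURITY_PROCESSES = {"ekrn.exe"}

# Constructed sample: the entry quoted in the thread, logged five times, plus one
# constructed entry (hypothetical browser.exe, documentation-range IP) for contrast.
ESET_LINE = (r"Detection, 3/21/2016 6:30 PM, SYSTEM, XXXXADMIN-PC, Protection, "
             r"Malicious Website Protection, IP, 91.212.124.32, 58282, Outbound, "
             r"C:\Program Files\ESET\ESET Smart Security\ekrn.exe,")
OTHER_LINE = (r"Detection, 3/21/2016 7:02 PM, SYSTEM, XXXXADMIN-PC, Protection, "
              r"Malicious Website Protection, IP, 203.0.113.10, 49731, Outbound, "
              r"C:\Program Files\Example\browser.exe,")
SAMPLE_LOG = "\n".join([ESET_LINE] * 5 + [OTHER_LINE, "(end)"])


def parse_entries(text):
    """Parse comma-separated protection-log lines into dicts; skip anything else."""
    rows = csv.reader(text.splitlines(), skipinitialspace=True)
    return [dict(zip(FIELDS, (f.strip() for f in row)))
            for row in rows if len(row) >= len(FIELDS)]


def summarise(entries):
    """Collapse repeated blocks and flag those attributed to a security product."""
    counts = Counter(
        (PureWindowsPath(e["process"]).name.lower(), e["ip"], e["port"], e["direction"])
        for e in entries)
    return [{"process": proc, "ip": ip, "port": port, "direction": direction,
             "count": n, "security_conflict": proc in SECURITY_PROCESSES}
            for (proc, ip, port, direction), n in counts.most_common()]


if __name__ == "__main__":
    for row in summarise(parse_entries(SAMPLE_LOG)):
        print(row)
```

A row with security_conflict set is a candidate for the mutual exclusions discussed in the thread; the remote address in that row still needs checking on its own.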
spc3rd (Author), Posted March 23, 2016

Thank you for your follow-up, itman!

With regard to the options you mentioned, I am hesitant to disable MBAM's real-time scanning. Over the past several years, I've noted consistent recommendations in some well-respected security forums that a "layered approach" to one's computer security is preferred. (These same forums are also ones where ESET has been highly-recommended).

This 'layered approach' would seem logical to me, especially since there was a time (several years ago) when I relied solely upon one particular Internet Security Suite program to protect my computer, only to get hit 4 times in a 6-week period with one of these fake anti-malware/scareware type programs. Several months later, an SAS scan quarantined a Sirefef trojan which managed to delete my ipsec.sys file.

I realize there is no single AV, Internet Security Suite, anti-malware program, or any specific combination of programs that will always be 100% effective in blocking all malware activity. So, what I have done is implement part of one of your recommendations, namely to place a Web Exclusion within MBAM for the ESS ekrn.exe file, since that is the one MBAM has been intermittently (i.e. not an 'every-day event') blocking outbound connection attempts from. Hopefully, that will be sufficient.

Thanks very much for all your help & the info you provided!
ken1943, Posted March 23, 2016

I do mutual exclusions for all my security programs.
spc3rd (Author), Posted March 23, 2016

Much obliged for your feedback, Ken!

Pete