ESET 9 DNS Queries


RobbK

Recommended Posts

While idling I'm seeing unusual DNS requests, without any subsequent connection, originating from ekrn.exe every 5 minutes. I activated the program and updates are coming through just fine, so there is no problem with the connection to ESET servers as far as I can tell.

It did start happening after the activation process, which would make sense if there was a subsequent connection (validation checks etc.), but I'm seeing no such thing in my firewall logs.

I usually disable LiveGrid and automatic update checks, but I also tested with every module in GUI disabled.

Is this intended behavior? (Win7 64bit, v. 9.0.381.1)


  • Administrators

I'd suggest checking it with LiveGrid disabled. The protection status turns red if LiveGrid is disabled, is that the case?

Of course, disabling LiveGrid is not recommended as it substantially deteriorates protection and cleaning capabilities of the product.


While idling I'm seeing unusual DNS requests, without any subsequent connection, originating from ekrn.exe every 5 minutes.

I assume you are referring to outbound port 53 connections?

The only outbound connections on port 53 should be to your ISP's DNS servers or, if so configured, third-party DNS servers.


I'd suggest checking it with LiveGrid disabled. The protection status turns red if LiveGrid is disabled, is that the case?

Of course, disabling LiveGrid is not recommended as it substantially deteriorates protection and cleaning capabilities of the product.

With ALL modules and scheduled tasks disabled the result is the same: a DNS query every 5 minutes.

While idling I'm seeing unusual DNS requests, without any subsequent connection, originating from ekrn.exe every 5 minutes.

I assume you are referring to outbound port 53 connections?

The only outbound connections on port 53 should be to your ISP's DNS servers or, if so configured, third-party DNS servers.

Yes, of course. I should have communicated better.

The point is, ekrn.exe queries the DNS server every 5 minutes but doesn't establish a connection to any address, which seems a lot like a bug.

This behavior is more apparent in my case, as I have the DNS caching service disabled on my machine (caching is done by the server). I believe on most PCs with caching enabled these queries are obscured by more frequent, but less evident, calls to the DNS cache.


The point is, ekrn.exe queries the DNS server every 5 minutes

How are you determining this is occurring? Are you using Wireshark or the like?


The point is, ekrn.exe queries the DNS server every 5 minutes

How are you determining this is occurring? Are you using Wireshark or the like?

I'm using Outpost Firewall to monitor network activity and access to the DNS API.

This behavior is more apparent in my case, as I have the DNS caching service disabled on my machine

ESET has botnet protection. You could try to temporarily disable that and see if that stops the DNSQuery API activity.

Also the network IPS protection has a DNS poisoning setting. If enabled, you could again temporarily disable that and see if that stops the DNSQuery API activity.

At least this will identify the ESET feature responsible. My guess is ESET's botnet protection is doing the activity because you disabled Windows' DNS caching service.


  • Administrators

You could capture the network communication using Wireshark and send me the log for a brief check.


ESET has botnet protection. You could try to temporarily disable that and see if that stops the DNSQuery API activity.

Also the network IPS protection has a DNS poisoning setting.

ESET Antivirus here, I probably should have mentioned that. Aren't those ESS-exclusive features?

Interestingly enough, enabling the DNS cache service produces the same behavior and no entries are added to the cache, so no address is resolved. It seems ekrn.exe is simply probing the DNS server every 5 minutes with a packet of the same size.

Could it be some crude way to determine the connectivity of the machine? If so, I'm not particularly fond of it.

Edited by RobbK
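The pattern described in this thread (a process issuing a DNS query on a fixed timer, with no connection following it) is exactly what a defender would want to pick out of firewall logs. The following is an added example, not code from ESET or from anyone in this thread; the log format, timestamps and process names are constructed, and the thresholds are assumptions.

```python
"""Flag processes whose DNS queries recur at a fixed cadence with no
follow-up connection, as the thread describes for ekrn.exe (every 5 min).
Added example, not ESET code; log format and values are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed firewall-style log: epoch seconds, process, event, peer.
# "dns" = query sent to the resolver, "conn" = outbound connection.
SAMPLE_LOG = """\
1000 ekrn.exe dns 192.168.1.1:53
1010 chrome.exe dns 192.168.1.1:53
1011 chrome.exe conn 93.184.216.34:443
1300 ekrn.exe dns 192.168.1.1:53
1600 ekrn.exe dns 192.168.1.1:53
1900 ekrn.exe dns 192.168.1.1:53
2200 ekrn.exe dns 192.168.1.1:53
2500 ekrn.exe dns 192.168.1.1:53
"""

def parse_log(text):
    """Return a list of (ts, process, event, peer) tuples."""
    rows = []
    for line in text.splitlines():
        ts, proc, event, peer = line.split()
        rows.append((int(ts), proc, event, peer))
    return rows

def find_periodic_dns(rows, min_queries=4, max_jitter=0.1, follow_window=30):
    """Return {process: interval_seconds} for processes whose DNS queries
    recur at a near-constant interval (assumed jitter threshold) and are
    never followed by a connection from that process within follow_window."""
    dns_ts = defaultdict(list)
    conn_ts = defaultdict(list)
    for ts, proc, event, _ in rows:
        (dns_ts if event == "dns" else conn_ts)[proc].append(ts)
    hits = {}
    for proc, times in dns_ts.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0 or pstdev(gaps) / avg > max_jitter:
            continue  # irregular cadence: not a fixed timer
        followed = any(0 <= c - q <= follow_window
                       for q in times for c in conn_ts.get(proc, []))
        if not followed:
            hits[proc] = avg  # e.g. {'ekrn.exe': 300} for SAMPLE_LOG
    return hits
```

On the constructed log only ekrn.exe is reported, with a 300-second interval; chrome.exe is skipped because its one query is followed by a connection and it has too few queries to establish a cadence.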

ESET has botnet protection. You could try to temporarily disable that and see if that stops the DNSQuery API activity.

ESET Antivirus here, I probably should have mentioned that. Aren't those ESS-exclusive features?

The botnet protection is part of the HIPS features, so NOD32 has that protection. Temporarily disable that and see if the DNSQuery API activity stops.


I just checked the APIs that ekrn.exe uses in ver. 8. Zip reference to DNSQuery. Might have been added in ver. 9, but I am a bit skeptical of this.
