RobbK, posted June 12, 2016

While idling I'm seeing unusual DNS requests without subsequent connection originating from ekrn.exe every 5 minutes. I activated the program and updates are coming through just fine, so there is no problem with connection to ESET servers as far as I can tell. It did start happening after the activation process, which would make sense if there was a subsequent connection (validation checks etc.), but I'm seeing no such thing in my firewall logs. I usually disable LiveGrid and automatic update checks, but I also tested with every module in the GUI disabled. Is this intended behavior? (Win7 64bit, v. 9.0.381.1)
Marcos (Administrator), posted June 13, 2016

I'd suggest checking it with LiveGrid disabled. The protection status turns red if LiveGrid is disabled, is that the case? Of course, disabling LiveGrid is not recommended as it substantially deteriorates protection and cleaning capabilities of the product.
itman, posted June 13, 2016

Quoting RobbK: "While idling I'm seeing unusual DNS requests without subsequent connection originating from ekrn.exe every 5 minutes."

I assume you are referring to outbound port 53 connections? The only outbound connections on port 53 should be to your ISP or third-party DNS servers, if so configured.
RobbK (Author), posted June 13, 2016

Quoting Marcos: "I'd suggest checking it with LiveGrid disabled. The protection status turns red if LiveGrid is disabled, is that the case? Of course, disabling LiveGrid is not recommended as it substantially deteriorates protection and cleaning capabilities of the product."

With ALL modules and scheduled tasks disabled the result is the same: a DNS query every 5 minutes.

Quoting itman: "I assume you are referring to outbound port 53 connections? The only outbound connections on port 53 should be to your ISP or third-party DNS servers, if so configured."

Yes, of course. I should have communicated better. The point is, ekrn.exe queries the DNS server every 5 minutes, but doesn't establish a connection to any address, which seems a lot like a bug. This behavior is more apparent in my case, as I have the DNS caching service disabled on my machine (caching is done by the server). I believe on most PCs with caching enabled these queries are obscured by more frequent, but less evident, calls to the DNS cache.
itman, posted June 13, 2016

Quoting RobbK: "The point is, ekrn.exe queries the DNS server every 5 minutes"

How are you determining this is occurring? Are you using Wireshark or the like?
RobbK (Author), posted June 13, 2016

Quoting itman: "How are you determining this is occurring? Are you using Wireshark or the like?"

I'm using Outpost Firewall to monitor network activity and access to the DNS API.
itman, posted June 14, 2016

Quoting RobbK: "This behavior is more apparent in my case, as I have the DNS caching service disabled on my machine"

Eset has botnet protection. You could try to temporarily disable that and see if that stops the DNSQuery API activity. Also the network IPS protection has a DNS poisoning setting. If enabled, you could again temporarily disable that and see if that stops the DNSQuery API activity. At least this will identify the Eset feature responsible. My guess is Eset's botnet protection is doing the activity because you disabled Windows' DNS caching service.
Marcos (Administrator), posted June 14, 2016

You could capture the network communication using Wireshark and send me the log for a brief check.
RobbK (Author), posted June 15, 2016 (edited)

Quoting itman: "Eset has botnet protection. You could try to temporarily disable that and see if that stops the DNSQuery API activity. Also the network IPS protection has a DNS poisoning setting."

ESET Antivirus here, I probably should have mentioned that. Aren't those ESS-exclusive features? Interestingly enough, enabling the DNS cache service produces the same behavior and there are no entries added to the cache, so no address is resolved. It seems ekrn.exe is simply probing the DNS server every 5 minutes with a packet of the same size. Could it be some crude way to determine connectivity of the machine? If so, I'm not particularly fond of it.

Edited June 15, 2016 by RobbK
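The pattern RobbK describes in his two posts above (a process issuing port-53 queries at a fixed interval with no follow-on connection) can be confirmed from a per-process firewall log rather than by eye. The script below is an added example, not from this thread or from ESET; the log format (ISO timestamp, process name, destination port), the 10-second follow-up window and the sample lines are all constructed here, and it flags any process whose DNS queries are regularly spaced and never followed by a non-DNS connection.

```python
"""Flag processes that query DNS at a regular interval and never connect afterwards."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of per-process firewall log lines: "<ISO time> <process> <dst port>".
# ekrn.exe queries DNS every 300 s with no follow-up; chrome.exe resolves then connects.
SAMPLE_LOG = """
2016-06-12T10:00:00 ekrn.exe 53
2016-06-12T10:05:00 ekrn.exe 53
2016-06-12T10:10:00 ekrn.exe 53
2016-06-12T10:15:00 ekrn.exe 53
2016-06-12T10:00:05 chrome.exe 53
2016-06-12T10:00:06 chrome.exe 443
2016-06-12T10:03:00 chrome.exe 53
2016-06-12T10:03:01 chrome.exe 443
2016-06-12T10:06:00 chrome.exe 53
2016-06-12T10:06:01 chrome.exe 443
""".strip().splitlines()

FOLLOW_UP_WINDOW = 10  # seconds after a query within which a connection counts as its follow-up (assumed)


def parse(lines):
    """Group (timestamp, port) events by process, sorted by time."""
    events = defaultdict(list)
    for line in lines:
        ts, proc, port = line.split()
        events[proc].append((datetime.fromisoformat(ts), int(port)))
    return {proc: sorted(evs) for proc, evs in events.items()}


def dns_only_beacons(lines, min_queries=3, tolerance=0.1):
    """Return {process: interval_seconds} for processes whose DNS queries are
    evenly spaced (stdev within `tolerance` of the mean gap) and are never
    followed by a non-DNS connection inside FOLLOW_UP_WINDOW."""
    findings = {}
    for proc, evs in parse(lines).items():
        dns = [t for t, p in evs if p == 53]
        other = [t for t, p in evs if p != 53]
        if len(dns) < min_queries:
            continue
        followed = any(0 <= (o - d).total_seconds() <= FOLLOW_UP_WINDOW
                       for d in dns for o in other)
        if followed:
            continue  # the query resolved something that was then connected to
        gaps = [(b - a).total_seconds() for a, b in zip(dns, dns[1:])]
        if pstdev(gaps) <= tolerance * mean(gaps):
            findings[proc] = round(mean(gaps))
    return findings


if __name__ == "__main__":
    print(dns_only_beacons(SAMPLE_LOG))  # {'ekrn.exe': 300}
```

Run against a real export, a hit only says the process resolves names without then connecting; whether that is a connectivity probe, as RobbK suspects, or something else still has to be established from the query contents in a packet capture.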
itman, posted June 15, 2016

Quoting itman: "Eset has botnet protection. You could try to temporarily disable that and see if that stops the DNSQuery API activity."

Quoting RobbK: "ESET Antivirus here, I probably should have mentioned that. Aren't those ESS-exclusive features?"

The botnet protection is part of the HIPS features. So NOD32 has that protection. Temporarily disable that and see if the DNSQuery API activity stops.
itman, posted June 17, 2016

I just checked the APIs that ekrn.exe uses in ver. 8. Zip reference to DNSQuery. Might have been added in ver. 9 but I am a bit skeptical of this.