Jump to content

ESS is connected to an unknown server


Recommended Posts

Today, through the firewall logs I saw that the ESS is connected to an unknown server that is not used by your company.

 

 

104.81.60.80

 

What is the ip address and why it is connected to the ekrn.exe?

Link to comment
Share on other sites

  • Administrators

That's an Akamai server's IP address. ESET does not use any servers hosted at Akamai. Couldn't it be that you are using Windows XP? In such case, ekrn would be used as a local proxy for http traffic so any http communication would appear to be initiated by ekrn.

Link to comment
Share on other sites

Are you using any other software that uses a proxy server such as AdGuard for example?

Edited by itman
Link to comment
Share on other sites

My first question is why are you seeing that connection in the Eset firewall log? Are you logging all firewall activity? The only thing that should be in the log are  blocked connections.

 

Best you post a copy of this log entry. If you mouse right click on the entry, you can copy it to the clipboard. Then paste same in your forum reply.

Link to comment
Share on other sites

Firewall has blocked outgoing call ekrn.exe to the Akamai server. Logs are cleaned every 24 hours. So give them I can not. You do not have enough of my words? I have blocked already all connections for ekrn.exe except updates and activation.

 

PS: In the two weeks that I have been using the new firewall I'm just horrified scale leak of information from the computer. The term "personal computer" is not applicable to computers with Windows 10. I will soon migrate to GNU\Linux. There are more serious about privacy.

Link to comment
Share on other sites

  • Administrators

Firewall has blocked outgoing call ekrn.exe to the Akamai server. Logs are cleaned every 24 hours. So give them I can not. You do not have enough of my words? I have blocked already all connections for ekrn.exe except updates and activation.

 

PS: In the two weeks that I have been using the new firewall I'm just horrified scale leak of information from the computer. The term "personal computer" is not applicable to computers with Windows 10. I will soon migrate to GNU\Linux. There are more serious about privacy.

 

Don't forget to permit communication with LiveGrid servers, otherwise you won't be protected to the maximum possible extent against new borne threats. For a list of servers that ESET products communicate with, see hxxp://support.eset.com/kb332/.

Link to comment
Share on other sites

For what it is worth, I have noticed similar activity from ekrn.exe as shown in the below TCPView screenshot. This connection manifests itself when a new HTTPS web page connection is made. Ekrn.exe dials out to Eset servers to perform SSL certificate pinning validation since I have SSL protocol scanning enabled. A short time thereafter, the Eset connections go into a wait state since they are no longer needed. It is a this point the connection to my ISP provider web page servers appear for the same previous Eset connections. I don't believe any physical connection actually exists at this point.  

 

post-6784-0-18144500-1467060175_thumb.png

Edited by itman
Link to comment
Share on other sites

Akamai is a well known company for hosting software updates and various other stuff. It is also a "man in the middle" for many

companies with no bad intentions.

 

Could be some software is using them for updates and to pass information to that company.

Edited by ken1943
Link to comment
Share on other sites

  • ESET Staff

There are two reasons ekrn.exe might make connections to servers that are not operated by ESET if you have TLS filtering enabled. First when a browser tries to establish a TLS connection, ESET Security needs to decide if it will filter, block or leave the connection untouched. This decision is in part based on the certificate the server would present if the connection was to proceed, which is not available yet. To solve this problem, ekrn.exe opens a separate connection and requests the certificate, which allows it to make the right decision in the main connection. This certificate is then cached so that the extra connection is not needed later which minimizes performance impact. Doing this is necessary to implement certificate exclusions (e.g. F5 -> Web and email -> SSL/TLS -> Exclude communication with trusted domains, or storing a certificate with Access set to Allow or Block).

 

Second reason is related to the fact that ESET Security needs to verify the validity of the certificate presented by the server. Online communication is a regular part of such verification (see https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). Doing this is necessary to make sure that no attacker hijacked the connection in transit since your browser won't see the original certificate.

 

Please note that in both cases ekrn.exe sends only what a browser would send if ESET Security was not installed. In a way ekrn.exe acts on behalf of the browser. You can verify this by capturing the communication using wireshark and analyzing it (the initial part of TLS connection that ekrn.exe does in case 1 is not encrypted, and OCSP is not encrypted at all since it relies on digital signatures).

Link to comment
Share on other sites

This certificate is then cached so that the extra connection is not needed later which minimizes performance impact.

MMx - thanks for the detailed explanation which verifies what I have observed using Smart Security w/SSL protocol scanning enabled. 

 

However I have not observed what I highlighted above using ver. 8. Each time I connect to a HTTPS web site even if it was one I had previously accessed in a browser session, Eset will make a connection to one of its web servers. So the question is where the cached certificate chain info stored? I have the IE11 advanced option of "do not store encrypted files to disk" enabled. Could this be preventing the storing of the certificate chain data?

Edited by itman
Link to comment
Share on other sites

  • ESET Staff

itman: That shouldn't be happening regardless of version. Can you try if you can replicate it using an utility that accesses only a single page (e.g. wget or curl) and make sure you connect to the same IP each time? It is possible that each time you reload a page a new server is connected due to load balancing.

Link to comment
Share on other sites

itman: That shouldn't be happening regardless of version. Can you try if you can replicate it using an utility that accesses only a single page (e.g. wget or curl) and make sure you connect to the same IP each time? It is possible that each time you reload a page a new server is connected due to load balancing.

OK - after a bit of effort I finally got wget to connect to a site. As you can see from the below screen shots, I made two connections to the web site and TCPView recorded two dial-out connections from ekrn.exe. Hope this is what you requested.

 

post-6784-0-11438900-1467403747_thumb.png

 

post-6784-0-08634800-1467403776_thumb.png

 

 

 

Edited by itman
Link to comment
Share on other sites

Also will add that this morning shortly after initial boot for the day, I observed ekrn.exe dialing out to IP address 198.41.214.185. It was an IP address connection and not by URL. No browser connection was established.

 

The IP address noted is associated with Cloudflare and according to this assessment of it by VirusTotal: https://www.virustotal.com/en/ip-address/198.41.214.185/information/ not the safest place due to the number of malware files associated with it.

 

I see no reason why ekrn.exe should be connecting to this IP address and have blocked the connection.

Edited by itman
Link to comment
Share on other sites

They say "a picture is worth a thousand words." Below is a screen shot of ekrn.exe connecting to Akamai servers. 

 

The sequence of events are:

 

1. Connect to Akamai server on port 80. No inbound or outbound network activity. 

2. Connect to Eset servers.

 

I use VeriSign as my DNS provider. So it is safe to say that Verisign did the routing of the ekrn.exe cert. validation lookup through Akamai backbone servers. Most likely the same applies to my previous my posting about use of Cloudflare servers. The same scenario could also apply to direct use of your ISP DNS servers. I also believe this type of connection routing occurs since I live in the U.S. and Eset servers are in Slovakia which would dictate more intermediary transaction routing methods. So in my case, my gripe about use of Cloudfare servers needs to be directed to VeriSign, my DNS provider.

 

post-6784-0-77349600-1467557446_thumb.png

 

 

Link to comment
Share on other sites

137.135.12.16 IP address does not even belong to you. But the ESS is connected to it many times a day and almost always after power the computer. Without it is impossible even activate your product ESS. Very strange and suspicious that the update download from the Slovakia servers, and this server is located in the USA.


I am more and more inclined to think that your company is involved in a leak of personal information of users from their computers.

Link to comment
Share on other sites

  • ESET Moderators

Hello,

 

to see details about the IP addresses used by ESET and corresponding services please see this KB article hxxp://support.eset.com/kb332/?viewlocale=en_USthe mentioned one is listed there as well.

We have servers located in various hosting locations and we use cloud to host some of the services we provide.

 

Regards, P.R. 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...