Mysterious DNS lookups to *.eset.rs

Hi, I have Eset Smart Security Suite ver. 5.0.93.0

I have recently noticed some very strange traffic on my machine. Every time I receive an email (I use thunderbird) there is a DNS name lookup to an invalid name in the domain "eset.rs"

Examples:

bfgbei6uzxdqynl6wsqq4.gbhchess.com.mknd7yrzmpfmfmuu.a.h.eset.rs
blivlww53ol46i4vlxy2nvsm4baup2tn7a.gmail.com.mknd7yrzmpfmfmuu.a.h.eset.rs


The query is coming from 127.0.0.1:59836. Using tcpview, I see that port is associated with "C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe"


I thought it might have something to do with the antispam, so I tried disabling that but the requests still happen.

Can someone tell me what this is? Has my antivirus been hijacked by some malware?


--------

whois on that domain doesn't look kosher at all:

Domain name: eset.rs.
Domain status: Active
Registration date: 01.10.2010 09:40:06
Modification date: 09.09.2011 17:34:57
Expiration date: 01.10.2013 09:40:06
Registrar: NINET Company d.o.o.

Owner: ESET, spol. s r.o.
Address: Einsteinova 24, Bratislava, Slovakia
ID Number:
Tax ID:

DNS: 89.202.157.228.rev.eset.com. - 89.202.157.228
DNS: 62.67.184.71.rev.eset.com. - 62.67.184.71

Administrative contact: Bratislav Krstić, Ninet Company
Address: Bul. Nemanjića TPC Zona III K6, Niš, Srbija

Technical contact: Marek Vymetak

 

Can someone suggest a better place to ask this question - I'm really concerned about this.

 

Well, I guess my notion that a forum linked from the ESET support page and labelled "Official ESET Support Forum" would actually have some ESET support personnel reading and responding.

I guess it's time to wipe the machine and revert to a pre-problem backup, then dump ESET for some product that actually has customer support.

I'll be sure to tell everyone I know not to use ESET in the future.

(I suppose it's too much to expect I can get any kind of refund for this piece of crap.)

 

Hello,

My understanding is those are fingerprint requests made by ESET Smart Security to determine whether a received message is spam or not. Disabling the the antispam option means that ESET Smart Security does not take action on spam; messages would still be fingerprinted, though.

Regards,

Aryeh Goretsky

 

Thanks for the reply, but I have to say the response makes me even more uncomfortable with your product.

1) Why are you using this covert back-channel through DNS to send fingerprints?

2) Why send those requests to this questionable domain rather than your official domain?

3) Why continue harvesting information (and leaking it to anyone listening in the path between PC and DNS server) about every email received even when spam filtering is disabled?

At the very best these are poor policy choices, at worst they show pernicious intent.

In light of all this, I have uninstalled ESET Smart Security and I will not use any of your products ever again, and I will be advising everyone I know not to trust your products.

Regards,
Jan