ESS4 Firewall IP Question advice needed!!!

Discussion in 'ESET Smart Security' started by thegreatoutlaw, Nov 30, 2011.

Thread Status:
Not open for further replies.
  1. thegreatoutlaw

    thegreatoutlaw Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    75
    I recently had a firmware upgrade on my modem/router. The firewall picked up the network again, I had to re-allow sharing on the network on the PCs and re-allow incoming on ports 137 to get everything working.

    But my question is, I'm getting a firewall popup for application System unknown publisher and it's trying to access outbound IPs 72.3.199.16 and 184.106.31.170. It keeps coming up and I'm not sure whether to allow it for good, or block it.

    Any help is appreciated!
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. thegreatoutlaw

    thegreatoutlaw Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    75
    They pop up randomly even when I'm not doing anything. I'm running Malwarebytes now, then I'll do an In-Depth scan with NOD32.

    Update: Malwarebytes didn't find anything and I'm running an In-depth NOD32 Scan now. I went ahead and blocked the IP and I see the rule it created. It doesn't have the actual IP in there, so is this rule going to block everything from System with an unknown publisher? It's bugging me that something is trying to access those IPs and I haven't found any infection.
     
    Last edited: Nov 30, 2011
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    What other software is running as those alerts appear (trying to figure out what is calling out)? That rule sounds too wide and might block traffic you need.
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Both of these IP addresses are listed as belonging to Rackspace Hosting. Does that mean anything to you?
     
  6. thegreatoutlaw

    thegreatoutlaw Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    75
    I found that out too while doing some research with Google. But no, Rackspace Hosting means nothing to me. I just started getting these popups today, and coincidentally after a modem/router firmware upgrade last night.
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    As you say, it may well be connected to the hardware upgrade if that's the only thing that's changed, but it's advisable to block just these two IP addresses, at least temporarily, until you've managed to ascertain the reason for the connections.

    Does blocking the connections have any adverse effects on the normal operation of the system? If no, then leave them blocked for the moment; if yes, then blocking them may help to pinpoint the cause.
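
Added example, not part of any post in this thread: one way to see which process owns connections to the two addresses, then block only those addresses instead of everything from System. It assumes Windows 8 / Server 2012 or later, an elevated PowerShell prompt, and the built-in Windows firewall rather than ESET's; the rule name is made up for illustration.

```powershell
# The two remote addresses reported in the thread.
$Suspect = '72.3.199.16', '184.106.31.170'

# 1) Watch for five minutes and report each distinct connection (including
#    half-open SynSent attempts) to either address, with its owning process.
$seen     = @{}
$deadline = (Get-Date).AddMinutes(5)
while ((Get-Date) -lt $deadline) {
    $conns = Get-NetTCPConnection -RemoteAddress $Suspect -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $key = '{0}|{1}|{2}' -f $c.OwningProcess, $c.RemoteAddress, $c.RemotePort
        if ($seen.ContainsKey($key)) { continue }   # already reported
        $seen[$key] = $true
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time     = Get-Date -Format s
            OwnerPid = $c.OwningProcess   # PID 4 is the kernel's "System" process
            Process  = $proc.ProcessName
            Path     = $proc.Path         # empty for System: there is no .exe behind it
            Remote   = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
            State    = $c.State
        }
    }
    Start-Sleep -Milliseconds 500
}

# 2) Temporary outbound block scoped to the two addresses only.
#    Without -RemoteAddress the rule would match all outbound traffic.
$RuleName = 'TEMP block unexplained outbound (example)'   # hypothetical name
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound -Action Block -RemoteAddress $Suspect

# Confirm the address filter actually landed on the rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Remove the rule once the cause is known:
# Remove-NetFirewallRule -DisplayName $RuleName
```

Run step 1 before adding the block rule, so that connection attempts are still visible while they are being recorded.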
     
  8. thegreatoutlaw

    thegreatoutlaw Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    75
    Sounds good, but it sure does bug me that I have no idea what is trying to call out.
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    Try Autoruns to see what is running.
     
  10. thegreatoutlaw

    thegreatoutlaw Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    75
    Nice program, I tried it out but didn't see anything suspicious or unknown. I'm so confused because I haven't downloaded anything recently and I keep my protections updated. If it's nothing malicious, still wondering why anything on my system would try to communicate with that IP for a company I've never heard of.
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    You did upgrade your router firmware. Did you get the firmware from the router manufacturer?
     
  12. thegreatoutlaw

    thegreatoutlaw Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    75
    Actually the ISP upgraded the firmware in the modem/router and honestly I don't like that they did it without my permission because in my experience sometimes firmware does more harm than good. But apparently it added IPv6 features/additions etc.

    But yes, that is the big change and starting today I'm getting these firewall popups and I'm clicking deny, but they seem to come back at intervals regardless of what I'm doing. All ESET says is that it's the application SYSTEM and the publisher is unknown. I wish it gave me more information, like maybe the .exe file that's wanting to communicate.
     
    Last edited: Dec 1, 2011
  13. thegreatoutlaw

    thegreatoutlaw Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    75
    I just have no idea. My PC is clean and all that has happened since last night was a firmware upgrade to my modem/router which the ISP did. I didn't even know what Rackspace Hosting was until I visited their website. Anyone have any ideas? :doubt:
     
  14. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Is it always the same 2 addresses? Just to confirm: after you log in to your machine and leave it idle, does it alert? Create another login/profile and check there.
     
  15. thegreatoutlaw

    thegreatoutlaw Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    75
    Well, knock on wood, but starting today I haven't had those addresses pop up in ESET Firewall. Maybe it was my modem/router/ISP causing it? Is that unusual?
     