many many connections to localhost by ekrn.exe

Discussion in 'ESET NOD32 Antivirus' started by sirono, Dec 10, 2008.

Thread Status:
Not open for further replies.
  1. sirono

    sirono Registered Member

    Joined:
    Dec 10, 2008
    Posts:
    3
    Hi guys,

    I receive on a regular basis the event log warning with ID 4226 "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts."

    When checking the current connections I found the following:
    netstat -n -o -a:
    Active Connections

    Proto Local Address Foreign Address State PID
    TCP 10.0.0.157:49358 209.85.137.125:5222 ESTABLISHED 4312
    [googletalk.exe]
    TCP 10.0.0.157:49378 207.46.107.28:1863 ESTABLISHED 1088
    [ekrn.exe]
    TCP 10.0.0.157:52688 64.46.37.131:80 TIME_WAIT 0
    TCP 10.0.0.157:52708 64.46.37.131:80 ESTABLISHED 1088
    [ekrn.exe]
    TCP 10.0.0.157:52716 64.46.37.131:80 ESTABLISHED 1088
    [ekrn.exe]
    TCP 10.0.0.157:52724 194.109.192.23:80 ESTABLISHED 1088
    [ekrn.exe]
    TCP 127.0.0.1:30606 127.0.0.1:49377 ESTABLISHED 1088
    [ekrn.exe]
    TCP 127.0.0.1:30606 127.0.0.1:49386 ESTABLISHED 1088
    [ekrn.exe]
    TCP 127.0.0.1:30606 127.0.0.1:52645 TIME_WAIT 0
    TCP 127.0.0.1:30606 127.0.0.1:52655 TIME_WAIT 0
    TCP 127.0.0.1:30606 127.0.0.1:52707 ESTABLISHED 1088
    [ekrn.exe]
    TCP 127.0.0.1:30606 127.0.0.1:52715 ESTABLISHED 1088
    [ekrn.exe]
    TCP 127.0.0.1:30606 127.0.0.1:52723 ESTABLISHED 1088
    [ekrn.exe]
    TCP 127.0.0.1:49377 127.0.0.1:30606 ESTABLISHED 4360
    [msnmsgr.exe]
    TCP 127.0.0.1:49381 127.0.0.1:49387 ESTABLISHED 4360
    [msnmsgr.exe]
    TCP 127.0.0.1:49386 127.0.0.1:30606 ESTABLISHED 4360
    [msnmsgr.exe]
    TCP 127.0.0.1:49387 127.0.0.1:49381 ESTABLISHED 1088
    [ekrn.exe]
    TCP 127.0.0.1:52647 127.0.0.1:30606 TIME_WAIT 0
    TCP 127.0.0.1:52649 127.0.0.1:30606 TIME_WAIT 0
    TCP 127.0.0.1:52657 127.0.0.1:30606 TIME_WAIT 0
    TCP 127.0.0.1:52659 127.0.0.1:30606 TIME_WAIT 0
    TCP 127.0.0.1:52665 127.0.0.1:30606 TIME_WAIT 0
    TCP 127.0.0.1:52691 127.0.0.1:30606 TIME_WAIT 0
    TCP 127.0.0.1:52695 127.0.0.1:30606 TIME_WAIT 0
    TCP 127.0.0.1:52707 127.0.0.1:30606 ESTABLISHED 5904
    [iexplore.exe]
    TCP 127.0.0.1:52715 127.0.0.1:30606 ESTABLISHED 5904
    [iexplore.exe]
    TCP 127.0.0.1:52723 127.0.0.1:30606 ESTABLISHED 1276
    Dnscache
    [svchost.exe]


    Why is NOD32 building so many connections? Could anyone clarify? Or am I completely wrong and does this have nothing to do with it?
     
  2. sirono

    Kick,
    I uninstalled NOD32 and reinstalled it using the newest x64 version...
    but no luck. Still the same issue!
     
  3. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Have you enabled something like uTorrent to be scanned by the HTTP scanner perhaps? Anyway, the message comes from MS's crippling TCP/IP functionality deliberately.

    If you are running on Vista, using NOD32 v4 beta would help since it's using Windows Filtering Platform instead.
     
  4. sirono

    I have Vista Business x64, I have no torrent client or any other P2P client active. As you can see in the list of active connections, those are the only ones that are internet-connected applications...

    Is beta v4 stable enough to use in a production environment?
     
  5. doktornotor

    Shrug; beta is beta is beta... give it a try and see for yourself. It's very stable here.

    Other than that, if you don't have any real issues beyond this message, just ignore it. Or you can disable the HTTP scanner altogether and see whether the message goes away or not. If not, then it has nothing to do w/ NOD32 but the built-in limit is simply not enough for your network usage patterns. Good luck with patching then.
     
  6. Stalks

    Stalks Registered Member

    Joined:
    Jan 13, 2008
    Posts:
    28
    The application is using the TCP stack to communicate between threads or processes.

    These connections are perfectly normal and should just be ignored.

    TIME_WAIT connections are not counted towards the TCP connection limit.
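
Added example, not part of the original thread: a Python sketch that parses netstat output of the shape posted in the first message and reports which loopback port ekrn.exe serves, which processes connect to it, and how many of those connections are ESTABLISHED versus TIME_WAIT. The sample rows are a subset of the posted output; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a subset of the rows from the first post's netstat output.
SAMPLE = """\
TCP 10.0.0.157:52708 64.46.37.131:80 ESTABLISHED 1088
[ekrn.exe]
TCP 127.0.0.1:30606 127.0.0.1:49377 ESTABLISHED 1088
[ekrn.exe]
TCP 127.0.0.1:30606 127.0.0.1:52645 TIME_WAIT 0
TCP 127.0.0.1:30606 127.0.0.1:52707 ESTABLISHED 1088
[ekrn.exe]
TCP 127.0.0.1:49377 127.0.0.1:30606 ESTABLISHED 4360
[msnmsgr.exe]
TCP 127.0.0.1:52647 127.0.0.1:30606 TIME_WAIT 0
TCP 127.0.0.1:52707 127.0.0.1:30606 ESTABLISHED 5904
[iexplore.exe]
TCP 127.0.0.1:52723 127.0.0.1:30606 ESTABLISHED 1276
Dnscache
[svchost.exe]
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def parse(text):
    """Return one dict per TCP row; a later [name.exe] line names its owner."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            la, lp, ra, rp, state, pid = m.groups()
            conns.append(dict(local=(la, int(lp)), remote=(ra, int(rp)),
                              state=state, pid=int(pid), proc=None))
        elif conns and conns[-1]["proc"] is None and (o := OWNER.match(line)):
            conns[-1]["proc"] = o.group(1)  # service-name lines (Dnscache) are skipped
    return conns

def proxy_clients(conns, proxy_proc="ekrn.exe"):
    """Find the loopback port proxy_proc serves, its client processes, and states."""
    loop = [c for c in conns if c["local"][0] == c["remote"][0] == "127.0.0.1"]
    ports = Counter(c["local"][1] for c in loop if c["proc"] == proxy_proc)
    port = ports.most_common(1)[0][0] if ports else None
    clients = sorted({c["proc"] for c in loop if c["remote"][1] == port and c["proc"]})
    states = Counter(c["state"] for c in loop if c["remote"][1] == port)
    return port, clients, states
```

TIME_WAIT rows carry PID 0 and no owner line, so they count toward the state totals but never toward the client list.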
     