Mysterious DNS lookups to *.eset.rs

Discussion in 'ESET Smart Security' started by x_y_no, Oct 21, 2011.

Thread Status:
Not open for further replies.
  1. x_y_no

    x_y_no Registered Member

    Joined:
    Oct 21, 2011
    Posts:
    4
    Hi, I have Eset Smart Security Suite ver. 5.0.93.0

    I have recently noticed some very strange traffic on my machine. Every time I receive an email (I use thunderbird) there is a DNS name lookup to an invalid name in the domain "eset.rs"

    Examples:

    bfgbei6uzxdqynl6wsqq4.gbhchess.com.mknd7yrzmpfmfmuu.a.h.eset.rs
    blivlww53ol46i4vlxy2nvsm4baup2tn7a.gmail.com.mknd7yrzmpfmfmuu.a.h.eset.rs


    The query is coming from 127.0.0.1:59836. Using tcpview, I see that port is associated with "C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe"


    I thought it might have something to do with the antispam, so I tried disabling that but the requests still happen.

    Can someone tell me what this is? Has my antivirus been hijacked by some malware?


    --------

    whois on that domain doesn't look kosher at all:

    Domain name: eset.rs.
    Domain status: Active
    Registration date: 01.10.2010 09:40:06
    Modification date: 09.09.2011 17:34:57
    Expiration date: 01.10.2013 09:40:06
    Registrar: NINET Company d.o.o.

    Owner: ESET, spol. s r.o.
    Address: Einsteinova 24, Bratislava, Slovakia
    ID Number:
    Tax ID:

    DNS: 89.202.157.228.rev.eset.com. - 89.202.157.228
    DNS: 62.67.184.71.rev.eset.com. - 62.67.184.71

    Administrative contact: Bratislav Krstić, Ninet Company
    Address: Bul. Nemanjića TPC Zona III K6, Niš, Srbija

    Technical contact: Marek Vymetak
     
  2. x_y_no

    x_y_no Registered Member

    Joined:
    Oct 21, 2011
    Posts:
    4
    Can someone suggest a better place to ask this question - I'm really concerned about this.
     
  3. x_y_no

    x_y_no Registered Member

    Joined:
    Oct 21, 2011
    Posts:
    4
    Well, I guess my notion that a forum linked from the ESET support page and labelled "Official ESET Support Forum" would actually have some ESET support personnel reading and responding.

    I guess it's time to wipe the machine and revert to a pre-problem backup, then dump ESET for some product that actually has customer support.

    I'll be sure to tell everyone I know not to use ESET in the future.

    (I suppose it's too much to expect I can get any kind of refund for this piece of crap.)
     
  4. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    My understanding is those are fingerprint requests made by ESET Smart Security to determine whether a received message is spam or not. Disabling the antispam option means that ESET Smart Security does not take action on spam; messages would still be fingerprinted, though.

    Regards,

    Aryeh Goretsky
     
  5. x_y_no

    x_y_no Registered Member

    Joined:
    Oct 21, 2011
    Posts:
    4
    Thanks for the reply, but I have to say the response makes me even more uncomfortable with your product.

    1) Why are you using this covert back-channel through DNS to send fingerprints?

    2) Why send those requests to this questionable domain rather than your official domain?

    3) Why continue harvesting information (and leaking it to anyone listening in the path between PC and DNS server) about every email received even when spam filtering is disabled?

    At the very best these are poor policy choices, at worst they show pernicious intent.

    In light of all this, I have uninstalled ESET Smart Security and I will not use any of your products ever again, and I will be advising everyone I know not to trust your products.

    Regards,
    Jan
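Parsing the query names agoretsky describes as fingerprint requests, as an added example that is not part of the thread and not ESET's code: it splits each name into the encoded fingerprint, the embedded sender domain (the part x_y_no points out is readable by anyone on the path to the resolver) and the per-installation token, and scores label entropy, the usual heuristic for spotting data carried in DNS labels. The label layout and the sample log lines are assumptions constructed from the two names quoted above.

```python
import math
import re
from collections import Counter

# Constructed sample log ("source qname" per line): the two eset.rs names are the
# ones quoted in the thread, the third is an ordinary lookup for contrast.
SAMPLE_LOG = """\
127.0.0.1:59836 bfgbei6uzxdqynl6wsqq4.gbhchess.com.mknd7yrzmpfmfmuu.a.h.eset.rs
127.0.0.1:59836 blivlww53ol46i4vlxy2nvsm4baup2tn7a.gmail.com.mknd7yrzmpfmfmuu.a.h.eset.rs
127.0.0.1:51234 www.example.com
"""

SUFFIX = "a.h.eset.rs"
BASE32_LABEL = re.compile(r"^[a-z2-7]{16,}$")  # RFC 4648 base32 alphabet, lowercase


def shannon_entropy(s):
    """Bits per character; hashed/encoded labels score well above plain words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_fingerprint_query(qname):
    """Split <encoded>.<sender-domain>.<client-token>.a.h.eset.rs into parts.

    Layout inferred from the two names in the thread (an assumption, not ESET
    documentation): first label = encoded fingerprint, last label before the
    suffix = per-installation token, labels in between = sender domain.
    """
    name = qname.rstrip(".").lower()
    if not name.endswith("." + SUFFIX):
        return None
    labels = name[: -len(SUFFIX) - 1].split(".")
    if len(labels) < 3:
        return None
    encoded, token = labels[0], labels[-1]
    if not (BASE32_LABEL.match(encoded) and BASE32_LABEL.match(token)):
        return None
    return {"encoded": encoded, "sender_domain": ".".join(labels[1:-1]),
            "token": token, "entropy": round(shannon_entropy(encoded), 2)}


def scan_log(text):
    """One record per log line whose query fits the fingerprint layout."""
    hits = []
    for line in text.splitlines():
        source, _, qname = line.partition(" ")
        rec = parse_fingerprint_query(qname)
        if rec:
            rec["source"] = source
            hits.append(rec)
    return hits
```

Fed a real resolver or packet-capture log in the same "source qname" shape, the token column ties every hit to one installation and the sender_domain column shows exactly what a passive observer on the resolver path learns from each lookup.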
     