Security threat - um16.eset.com?

Discussion in 'ESET Smart Security' started by DonVa, Oct 30, 2012.

Thread Status:
Not open for further replies.
  1. DonVa

    DonVa Registered Member

    Joined:
    May 11, 2008
    Posts:
    30
    I have just restored my PC.

    On loading, ESET itself asked if it should allow um16.eset.com, which has IP address 93.184.71.10.

    I have never had this prompt before on a restore, so I wonder if this is legitimate, especially as it would be ESET Smart Security contacting this address (i.e. you would think it would know that it was safe if it was initiating the contact).

    Please can someone advise?

    Version is 4.2.71.2.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Didn't you play with the default system rules and disable the rule allowing communication for ekrn?
     
  3. DonVa

    DonVa Registered Member

    Joined:
    May 11, 2008
    Posts:
    30
    No

    I have an image that I restored.
    I got this message once restored.
    (I have used the same image before..)

    It's all working fine, but I just wanted reassurance that um16.eset.com and 93.184.71.10 are legitimate?

    thanks
     
  4. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    Yes it's all legitimate. I occasionally get the same (unexpected) firewall alert using v5.2.9.1 when logging in after the PC resumes from sleep mode.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You should never be prompted for communication of ekrn with update servers unless a specific rule is created. If you have custom rules created, perhaps you could consider removing them and creating them from scratch if you don't want to use firewall in automatic mode.
     
  6. DonVa

    DonVa Registered Member

    Joined:
    May 11, 2008
    Posts:
    30
    I have not created any custom rules for ekrn.exe.

    I have an Acronis image which has ESET already installed.
    When I restore the image it will obviously be out of date as it is a month or so old. ESET just does an automatic update and it's all good.

    Followed the same process today but got the prompt this time which I never had before.

    I only temporarily allowed access.
    I just looked at the rules/zones configuration and there is no rule there for EKRN or anything similar. All rules there are identifiable programs such as Internet Explorer etc. (There is Host Process, Windows Logon, Service Controller, and Local Security Authority Process too, which are ones I recognise as system-required access.) Nothing for ESET or EKRN etc.
    I checked the update settings and they are set to automatic..

    Is there some way I can tell that um16.eset.com with IP 93.184.71.10 is a valid ESET update server please? At least I will know I am not allowing access to an invalid server then.
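One offline check a practitioner would run to answer the question above, added here as an example and not part of the thread or of anything ESET ships: resolve the prompted hostname forward and confirm it contains the prompted IP, look up the IP's PTR record, and require that the PTR name is under the vendor's domain and forward-resolves back to the same IP (forward-confirmed reverse DNS). The DNS answers in the block are constructed for the demonstration and are not real records; the domain `eset.com`, the helper names, and the look-alike/mismatch cases are assumptions made for illustration. The check only tells you the DNS records are self-consistent; a vendor's published server list (or a TLS certificate, where the channel is HTTPS) is the stronger authority.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# A resolver is any callable: forward(name) -> IP strings, reverse(ip) -> names.
# Injecting them lets the check run offline against constructed answers.
Resolver = Callable[[str], Iterable[str]]


def is_under_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it.

    The comparison is on a label boundary, so a look-alike such as
    'eset.com.attacker.example' does not pass for 'eset.com'.
    """
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def check_server(hostname: str, ip: str, expected_domain: str,
                 forward: Resolver, reverse: Resolver) -> Dict[str, bool]:
    """Three consistency checks on a (hostname, ip) pair from a firewall prompt.

    forward_match: hostname's A records contain ip.
    ptr_in_domain: ip's PTR record names a host under expected_domain.
    fcrdns:        such a PTR name resolves back to ip (forward-confirmed
                   reverse DNS), so a PTR that merely claims the vendor fails.
    """
    target = ipaddress.ip_address(ip)
    forward_match = target in {ipaddress.ip_address(a) for a in forward(hostname)}
    ptr_names = [n.rstrip(".") for n in reverse(ip)]
    ptr_in_domain = any(is_under_domain(n, expected_domain) for n in ptr_names)
    fcrdns = any(
        target in {ipaddress.ip_address(a) for a in forward(n)}
        for n in ptr_names if is_under_domain(n, expected_domain))
    return {"forward_match": forward_match, "ptr_in_domain": ptr_in_domain,
            "fcrdns": fcrdns,
            "verdict": forward_match and ptr_in_domain and fcrdns}


# Live resolvers for real use with the system stub resolver (not used offline).
def live_forward(name: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def live_reverse(ip: str) -> List[str]:
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except (socket.herror, socket.gaierror):
        return []


# Constructed DNS answers for the demonstration; these are NOT real records.
SAMPLE_A = {
    "um16.eset.com": ["93.184.71.10"],
    "um99.eset.com": ["203.0.113.50"],              # not the IP whose PTR names it
    "eset.com.attacker.example": ["198.51.100.7"],  # look-alike suffix
}
SAMPLE_PTR = {
    "93.184.71.10": ["um16.eset.com"],              # consistent all the way round
    "203.0.113.9": ["um99.eset.com"],               # PTR claims vendor, forward disagrees
    "198.51.100.7": ["eset.com.attacker.example"],
}


def sample_forward(name: str) -> List[str]:
    return SAMPLE_A.get(name.rstrip(".").lower(), [])


def sample_reverse(ip: str) -> List[str]:
    return SAMPLE_PTR.get(ip, [])


if __name__ == "__main__":
    for addr in ("93.184.71.10", "203.0.113.9", "198.51.100.7"):
        print(addr, check_server("um16.eset.com", addr, "eset.com",
                                 sample_forward, sample_reverse))
```

To run it against the live resolver, pass `live_forward` and `live_reverse` instead of the sample callables; a `verdict` of `False` with `forward_match` set but `ptr_in_domain` clear usually just means the vendor has no PTR for that address, which is a reason to consult the vendor's own server list rather than proof of a rogue host.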
     
  7. DonVa

    DonVa Registered Member

    Joined:
    May 11, 2008
    Posts:
    30
    Stackz - I didn't see your post that it was legitimate till just now.
    thanks

    At least I am not letting access to some rogue server..

    Not sure why I got the message though..
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Couldn't it be related to the system resuming from sleep mode then as stackz mentioned? Haven't heard about this issue until now though.
     
  9. DonVa

    DonVa Registered Member

    Joined:
    May 11, 2008
    Posts:
    30
    Possibly but I don't think this is true in my case as there was no sleep.

    Here is how it happened for me:

    1) Load Acronis boot disk
    2) Restore saved image
    3) Load Windows after image restored
    4) Eset immediately connects to do usual update on system start
    5) Get Message asking to allow um16.eset.com


    Never seen 5) before till today.

    I have also used same image and steps before with no message.

    I don't think there was potential for any sleep in this case..
     
  10. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    I also vaguely recall receiving the firewall alert like DonVa after restoring a system image.
    At any rate, I reproduced the alert earlier today (after multiple attempts). The alert is for svchost connecting to ESET's update servers on local port: 0, remote port: 0
    Unfortunately, I didn't think to grab a WinPcap log of the connection to verify the actual port numbers.
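The capture stackz wished for would settle the port question, and the alert's "local port: 0, remote port: 0" is what you want to disprove from packet data rather than from the firewall's summary. As an added example, not from the thread or from ESET, here is a minimal pure-Python reader for the classic pcap format WinPcap writes (Ethernet link type, IPv4, TCP) that lists every connection attempt, a SYN without ACK, towards a given remote IP with its real source and destination ports. The sample capture is constructed inline with a small frame builder; the client address 192.168.1.20, the ephemeral ports, and port 80 on the update server are assumptions for the demonstration, and 198.51.100.5 is just a second, unrelated destination.

```python
import socket
import struct
from typing import List, Tuple

PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10

Conn = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def connections_to(pcap: bytes, remote_ip: str) -> List[Conn]:
    """Return one entry per TCP connection attempt (SYN, no ACK) to remote_ip."""
    magic = pcap[:4]
    if magic == PCAP_MAGIC_BE:
        end = ">"
    elif magic == PCAP_MAGIC_LE:
        end = "<"          # what WinPcap/libpcap write on x86
    else:
        raise ValueError("not a classic pcap file")
    # 24-byte global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    (linktype,) = struct.unpack(end + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    found: List[Conn] = []
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 + 20:
            continue
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4           # IPv4 header length, options included
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 14:
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[0:4])
        flags = tcp[13]
        if dst == remote_ip and (flags & TCP_SYN) and not (flags & TCP_ACK):
            found.append((src, sport, dst, dport))
    return found


# --- constructed sample capture (not a real trace) --------------------------
def _tcp_frame(src: str, sport: int, dst: str, dport: int, flags: int) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp  # checksums left at 0: parsers here do not verify them


def build_pcap(frames: List[bytes]) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 1351555200 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


SAMPLE_PCAP = build_pcap([
    _tcp_frame("192.168.1.20", 49152, "93.184.71.10", 80, TCP_SYN),            # attempt 1
    _tcp_frame("93.184.71.10", 80, "192.168.1.20", 49152, TCP_SYN | TCP_ACK),  # reply, skipped
    _tcp_frame("192.168.1.20", 49152, "93.184.71.10", 80, TCP_ACK),            # handshake end
    _tcp_frame("192.168.1.20", 49153, "198.51.100.5", 443, TCP_SYN),           # other host
    _tcp_frame("192.168.1.20", 49154, "93.184.71.10", 80, TCP_SYN),            # attempt 2
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_PCAP
    target = sys.argv[2] if len(sys.argv) > 2 else "93.184.71.10"
    for s, sp, d, dp in connections_to(data, target):
        print(f"{s}:{sp} -> {d}:{dp}")
```

Run with a real file as `python script.py capture.pcap 93.184.71.10`; with no arguments it walks the constructed sample. Since the alert named svchost, pair the port list from the capture with the process-to-port mapping from `netstat -ano` taken at the same moment to see whether the prompt was really for the service host or for ekrn.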
     