Posts posted by always_working (forum profile: Members, 55 posts)

  1. 1 hour ago, always_working said:

    Thanks so much for the reply.  I've read that link before and after posting and am sure I'm missing something obvious.

    Is the problem the fact that I have "Local Address" checked and/or "Any Address" selected in the corresponding field?

    That would seem to make sense, in that it would take it completely off the network, if I (now) understand its usage.

    However, if that's the case, why did this packet rule suddenly do so if it never did in the past?

    "completely disconnect my computer from the network"

  2. Thanks so much for the reply.  I've read that link before and after posting and am sure I'm missing something obvious.

    Is the problem the fact that I have "Local Address" checked and/or "Any Address" selected in the corresponding field?

    That would seem to make sense, in that it would take it completely off the network, if I (now) understand its usage.

    However, if that's the case, why did this packet rule suddenly do so if it never did in the past?

  3. Running Kaspersky Premium 21.15.8.493 (a) on Windows 10 Professional x64 Build 19045 Version 22H2.

    I created a packet rule over a month ago to block two domains that were attempting to establish insecure connections.  Please see the attached screenshot.

    As I was still learning to create packet rules in Kaspersky, I was unsure if all fields were set correctly.

    Also, a few weeks ago or so, the computer with the packet rules was being disconnected from the network.  It would no longer even show as online unless I deactivated the rule.

    Did I create the rule incorrectly?

    Either way, why would it suddenly disconnect me from the network after weeks of not doing so?  I made no changes in that time.

    I'd like to learn and understand if I made a mistake in setting the rule and also why it would suddenly knock me off the network.

    Any insight is appreciated!

    FOOTPRINT DNS DOMAINS BLOCK.jpg
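To make the question above concrete, here is an added example (not Kaspersky's code and not a description of its rule engine) of a toy stateless, first-match packet filter: rules carry a direction, protocol, local and remote address range and optional remote ports, and a packet gets the action of the first rule it matches. The two "unwanted" addresses 203.0.113.10 and .11, the LAN addresses and the sample packets are assumptions constructed for the demonstration. The point it shows is that a block rule only stays narrow while its remote-address field is narrow; the same rule with the address fields left at "any" matches every packet in its direction, which is what "disconnected from the network" looks like.

```python
"""Toy first-match packet filter (added example; generic packet-rule semantics,
not Kaspersky's implementation). Addresses and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" or "out"
    proto: str                     # "tcp", "udp" or "icmp"
    local_ip: str
    remote_ip: str
    remote_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "block"
    direction: str = "any"         # "in", "out" or "any"
    proto: str = "any"
    local: str = "any"             # CIDR, or "any" = every local address
    remote: str = "any"            # CIDR, or "any" = every remote address
    remote_ports: FrozenSet[int] = frozenset()   # empty = any remote port

    def matches(self, p: Packet) -> bool:
        if self.direction not in ("any", p.direction):
            return False
        if self.proto not in ("any", p.proto):
            return False
        if self.local != "any" and ip_address(p.local_ip) not in ip_network(self.local):
            return False
        if self.remote != "any" and ip_address(p.remote_ip) not in ip_network(self.remote):
            return False
        if self.remote_ports and p.remote_port not in self.remote_ports:
            return False
        return True


def decide(rules: List[Rule], p: Packet, default: str = "allow") -> str:
    """First matching rule wins; a packet matching no rule gets the default action."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed traffic sample: two hosts the poster wants blocked, plus traffic a
# rule must not touch (DNS to the router, a ping reply, an update download, and a
# NetBIOS name query on UDP 137 to a LAN host).
SAMPLE: Dict[str, Packet] = {
    "https to unwanted host A":  Packet("out", "tcp", "192.168.1.20", "203.0.113.10", 443),
    "https to unwanted host B":  Packet("out", "tcp", "192.168.1.20", "203.0.113.11", 443),
    "dns query to router":       Packet("out", "udp", "192.168.1.20", "192.168.1.1", 53),
    "ping reply from router":    Packet("in", "icmp", "192.168.1.20", "192.168.1.1"),
    "windows update download":   Packet("out", "tcp", "192.168.1.20", "198.51.100.7", 443),
    "netbios query to lan host": Packet("out", "udp", "192.168.1.20", "192.168.1.35", 137),
}

# Intended rule: block only the two addresses. Packet rules match addresses, so a
# domain name has to be resolved to the addresses it currently points at first.
NARROW = [Rule("block", direction="out", remote="203.0.113.10/32"),
          Rule("block", direction="out", remote="203.0.113.11/32")]

# The same rule with local and remote address left at "any": every outbound packet
# now matches, so the host can still receive but can no longer send anything.
TOO_BROAD = [Rule("block", direction="out")]

# A protocol/port-scoped rule like the one discussed later in the thread: it stops
# outbound NetBIOS name service / datagram traffic and nothing else.
NETBIOS_OUT = [Rule("block", direction="out", proto="udp", remote_ports=frozenset({137, 138}))]


def evaluate(rules: List[Rule]) -> Dict[str, str]:
    return {name: decide(rules, p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("narrow", NARROW), ("too broad", TOO_BROAD), ("netbios out", NETBIOS_OUT)):
        print(label)
        for name, verdict in evaluate(rules).items():
            print(f"  {verdict:5}  {name}")
```

Usage note: real firewalls differ in details (some evaluate application rules before packet rules, some use last-match), but the address-scope lesson carries over: before enabling a block rule, check which fields are still "any".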

  4. 17 hours ago, Flood and Flood's wife said:

    Hello @always_working

    Welcome back!

    💥Read before you create a new topic! - & post the required information - we should not have to guess OR waste time figuring out basic information you should be providing💥

    ⚠️When issues are *concerning & potentially time-sensitive* - contact Kaspersky Customer Service - they will give you an almost immediate response & are paid to do so⚠️

    My apologies for not providing the basic information initially which I will ensure I do moving forward.

    Android One UI 5.1 (Android 13-based)

    Youmail version 5.5.0

    Kaspersky Premium (Android) version 11.105.4.10750

    With respect to Kaspersky (I love their products), I have had much better experiences and more success posting here.

    Youmail is the app in question that was just updated to the most recent version.  Youmail's not a mail app - it's a call screener to stop robocalls that I use consistently.  Seeing this detection on two different phones and reinstalling Youmail doesn't stop it.  Running an older version of the same app on a different phone with no such detection.

    I don't think the app is malicious but I've also reached out to that company directly and will follow up.  I know it's preferable to know that than to suppose, but I do think it's being identified as riskware solely due to the permissions it needs and not because it's malicious.

    A full scan shows the same detection but nothing else.

    Your reply would be appreciated.

  5. Hello,

    Received this alert when running a scan on my phone - please see the attached screenshot.

    I read the article at https://www.bleepingcomputer.com/news/security/mobile-trojan-detections-rise-as-malware-distribution-level-declines/ and my initial reaction is that this app has been noted as one that needs permissions often associated with malicious apps.

    I can say that this alert only appeared after updating the app to the most recent version.

    Am I correct in my assumption or is it possible that the app has been compromised?

    Any help is appreciated as this is concerning to me and potentially time-sensitive.  It's actually the first such alert I've received using the app on Android.

    Screenshot_20231020_173421_Kaspersky.jpg

  6. 6 hours ago, Wesly.Zhang said:

    Hello,

    Blocking Inbound or Outbound (Packet) use in icmp and udp protocol etc. This interception is the occasion for ACL packet filtering. Use it if you control whether a port is accessed by other applications.

    If you authorize one application to access the external network through one port, use another.

    Regards.

    Thanks so much for your reply.  It's a little more complicated than I thought!

    So the difference is the usage, in that it's protocol specific and used to block by port as well as IP and for ACL packet filtering?  In contrast, would just "block inbound/outbound" block all data transmission through that port regardless of protocol type?

    Still trying to understand so any elaboration would be appreciated.  Perhaps you would be good enough to offer concrete examples of when you might employ one versus the other?

  7. On 9/5/2023 at 4:31 PM, Schulte said:

    Hello @always_working,

    this smells like NetBIOS, an old and nowadays hardly used protocol. It uses TCP and UDP on ports 137 and 138, also 139. However, it is partly used by viruses and worms, so it is blocked.

    Have you enabled file sharing via SMB on the one computer?

    Hello,

    Could you kindly reply to my last post in this thread?  I realize there's a bit to unpack but any insight/direction would be helpful and appreciated so I can figure this out.

  8. 2 hours ago, Schulte said:

    Hello @always_working,

    this smells like NetBIOS, an old and nowadays hardly used protocol. It uses TCP and UDP on ports 137 and 138, also 139. However, it is partly used by viruses and worms, so it is blocked.

    Have you enabled file sharing via SMB on the one computer?

    Thanks for your prompt reply.  I was learning about name resolution and read that it was advisable to disable LLMNR (as I understand it, it's being phased out in favor of mDNS).  I did so via a command line on all network computers.

    I would not know how to enable file sharing via SMB but, under advanced sharing settings, both network discovery and file and printer sharing are disabled (for all profiles).

    I think what might have happened is that name resolution for the PC in question defaulted to NetBios after the fact (which surprises me because I would think that the computer would still use mDNS for name resolution before doing so once LLMNR was disabled).  I can say that NetBios already had a default value of 0 in the registry.  However, it was and is set to "default" on the NIC under the WINS tab in the Advanced TCP/IP settings for Internet Protocol version 4.

    I also created a new packet rule blocking outbound UDP packets for ports 137 and 138.

    Are you saying that the rule is already in place?  In looking at (the already established) network rules, I see one that would block inbound UDP traffic on several ports but not outbound.

    That's when I started noticing all the outbound UDP traffic being blocked on those ports (mostly 137).

    Then I downloaded Glasswire to see what app/process/etc. was generating that traffic.  That caused even more of the aforementioned blocked traffic.  I believe it was associated with the system app (PID 4), and running TCPView showed Kaspersky Lab Launcher was generating some of the outbound traffic as well.  So it looked to be the system process, Glasswire, and Kaspersky, namely.

    I can also say that the port range (137-139) was and is closed (inbound and outbound) in the router's firewall so I thought that it wouldn't leave the network anyway.  Was that a mistaken assumption?  How could all that outbound traffic even be generated in the first place with that being the case?

    I've since reverted to a restore point and it's no longer happening.  Should I avoid Glasswire?  I liked the UI and it was helping me to learn networking and understand the network traffic.

    Should I disable NetBIOS in the NIC?  Should I refrain from making that packet rule again in Kaspersky?

    Most importantly, any idea what the heck happened?  Did the PC revert to just NetBIOS for name resolution causing all that traffic?

     Thanks again for your insight as I'm not sure how I would figure this out otherwise!

  9. Hello,

    Running Kaspersky Premium on Windows 10.

    I was monitoring the network and noticed unexpected traffic to seemingly random IP addresses.  This was after setting a packet rule to block such traffic.  It appeared that it was name resolution at first until I noticed in the firewall report that there was other outbound UDP traffic blocked on port 137 (and occasionally 138).  I only see this on one computer on the network yet the others have the same packet rules in place.  Some of the IP addresses are Kaspersky servers so I was wondering if this pertains to Kaspersky Secure Network but then why only on the one computer?

    I checked the IPs with virustotal and they don't appear to be malicious but my concern is that there is a trojan or worm as I don't understand why there would be blocked outbound traffic on that port.  This happens consistently as soon as I turn on the computer.

    Can someone kindly advise what I should be looking at?  All Kaspersky scans detect no issues.
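The two posts above are about outbound UDP port 137 traffic, which is the NetBIOS Name Service (RFC 1001/1002). The following added example (written for this page, not taken from Kaspersky, Glasswire or any tool mentioned in the thread) builds and decodes the two datagram types a Windows host sends on that port: a name query ("which address has \\FILESERVER?") and a node-status request (NBSTAT, sent to a single IP to ask "what NetBIOS names do you hold?"). Both sample datagrams are constructed in the code, not captured traffic; the host name FILESERVER and the transaction ID are assumptions. Running this against a capture of the blocked traffic tells you whether the packets are broadcast name queries (name resolution falling back to NetBIOS) or unicast NBSTAT probes to individual addresses.

```python
"""Encoder/decoder for NetBIOS Name Service (UDP/137) query datagrams, RFC 1002.
Added example; the sample datagrams are constructed, not captured."""
import struct
from typing import Dict, Tuple

NB_TYPE_NB, NB_TYPE_NBSTAT = 0x0020, 0x0021       # question types: name query, node status
NBNS_SUFFIX = {0x00: "workstation", 0x03: "messenger", 0x1B: "domain master browser",
               0x1C: "domain controllers", 0x1D: "master browser", 0x20: "file server"}


def encode_nb_name(name: str, suffix: int) -> bytes:
    """RFC 1001 'first-level' encoding: a 16-byte NetBIOS name (15 chars padded with
    spaces + 1 suffix byte) becomes 32 letters A..P, one per nibble, as a single label."""
    if name == "*":                               # wildcard used by node-status requests
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().encode("ascii").ljust(15)[:15] + bytes([suffix & 0xFF])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(enc) + b"\x00"     # label length, label, root terminator


def decode_nb_name(data: bytes, off: int) -> Tuple[str, int, int]:
    """Decode one encoded name at `off`; returns (name, suffix, offset after the name)."""
    if data[off] != 32:
        raise ValueError("expected a 32-byte encoded NetBIOS label")
    enc = data[off + 1: off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    if data[off + 33] != 0:
        raise ValueError("expected root label terminator")
    name = raw[:15].rstrip(b" \x00").decode("ascii")
    return name, raw[15], off + 34


def build_query(name: str, suffix: int = 0x20, qtype: int = NB_TYPE_NB,
                txid: int = 0x1234, broadcast: bool = True) -> bytes:
    """Header: ID, flags (opcode QUERY, RD=1, B bit for broadcast), QDCOUNT=1."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_nb_name(name, suffix) + struct.pack("!HH", qtype, 1)


def parse_nbns(data: bytes) -> Dict:
    """Parse the header and question section of an NBNS datagram."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions = 12, []
    for _ in range(qdcount):
        name, suffix, off = decode_nb_name(data, off)
        qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append({
            "name": name,
            "suffix": suffix,
            "service": NBNS_SUFFIX.get(suffix, f"0x{suffix:02x}"),
            "kind": {NB_TYPE_NB: "name query",
                     NB_TYPE_NBSTAT: "node status (NBSTAT)"}.get(qtype, f"type 0x{qtype:04x}"),
        })
    return {"txid": txid, "response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "broadcast": bool(flags & 0x0010),
            "questions": questions}


def summarize(datagram: bytes) -> str:
    p = parse_nbns(datagram)
    q = p["questions"][0]
    return (f"{q['kind']} for '{q['name']}' <{q['suffix']:02x}> ({q['service']}), "
            f"broadcast={p['broadcast']}")


# Constructed samples: a broadcast lookup of \\FILESERVER's file-server name, and a
# unicast NBSTAT probe of the kind sent to a single remote address.
SAMPLE_NAME_QUERY = build_query("FILESERVER", 0x20)
SAMPLE_NBSTAT = build_query("*", 0x00, qtype=NB_TYPE_NBSTAT, broadcast=False)

if __name__ == "__main__":
    for d in (SAMPLE_NAME_QUERY, SAMPLE_NBSTAT):
        print(d.hex(), "->", summarize(d))
```

Usage note: to apply it to real traffic, feed the UDP payload of each port-137 packet (for example from a pcap) to parse_nbns; the encoded wildcard name always starts with the letters CK, which is the easiest way to spot NBSTAT probes in a hex dump.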

  10. 18 hours ago, always_working said:

    I did but I don't fully understand it yet.  So blocking inbound or outbound blocks the connection entirely so that no data can pass through whatsoever?  Would this be the same as "closing the port" in that direction?

    Is that opposed to blocking any data packets in that no connection is allowed at all in the former?  Wouldn't that be the same thing really since data packets are so small?

    I'm still learning!

    Let me rephrase - if one blocks traffic either outbound or inbound, to my current understanding, blocking data packets in that direction would be redundant since traffic is already blocked anyway.

    What am I missing?  What's the difference between the two?

  11. 12 minutes ago, harlan4096 said:

    Welcome to Kaspersky Community.

    Did You check here?

    https://support.kaspersky.com/help/Kaspersky/Win21.14/en-US/201830.htm

    I did but I don't fully understand it yet.  So blocking inbound or outbound blocks the connection entirely so that no data can pass through whatsoever?  Would this be the same as "closing the port" in that direction?

    Is that opposed to blocking any data packets in that no connection is allowed at all in the former?  Wouldn't that be the same thing really since data packets are so small?

    I'm still learning!

  12. Hello, running Kaspersky Premium 21.14.5.462 on Windows 10 Pro.

    Seeing a larger number of intrusion events in the router log and I know these are botnets.

    If one of these botnets attacks the network successfully, will it show in the Network Attack Blocker report?  Is there anything else I can do with Premium to protect against these?

    Or is the answer an upgraded security appliance and hardware-based only?

    Help would be appreciated as these are stressful for me and the router goes down once a week at this point.

    Thanks!

  13. This occurred on my cell (Android 13 OS) using Premium.  I don't see the version number but just let me know if it's needed and where to look.

    Opened the app and at the bottom (half) of the home screen, an image briefly appeared that said nearby share at the top with two contacts below it.

    It vanished before I could screenshot it but any idea what could cause this?

    There are no issues I know of with my phone and I never use nearby share.  It's just perplexing me as I can't understand why that image would briefly appear and why those two contacts specifically would show underneath the nearby share text.  It's one of those issues where I hate having to just wonder about it.

    Any thoughts would be appreciated!

  14. I have Premium and it seems that, fairly recently, the Safe Website icon appears only rarely.

    I've attached an image as an example.  It only seems to show for subdomains above the fold.

    This is on all computers and I did uninstall and reinstall the extension.

    Is there a fix or a setting of some sort?  Am I missing something?  It used to show for all safe websites.

    KASPERSKY PROTECTION EXTENSION.jpg

  15. 16 minutes ago, Schulte said:

    Hello @always_working,

    the domain seems to belong to Microsoft. It keeps popping up in various forums for years, no one really knows what it is used for. Requests to the domain seem to be more often related to Office 365.
    Many users have blocked the domain, either by hosts or by firewall. It does not seem to have any negative consequences.

    I can only assume that with the last Windows update a change was made without adjusting the certificate.
    A request to Microsoft support could possibly bring clarification, but they rarely answer such questions.

    Thanks for your reply!

    I don't have Office 365 but I do have the newest Outlook client.  Perhaps that's it since it's just on the one computer.

    The latest update would also make sense.  In fact, now that you mention it, I did get one of those pop-ups when clicking on "Update" to ensure I had the latest one.  I found that odd at the time.

    Any thoughts as to the best way to block the domain and related subdomains using Kaspersky Premium?  The link above suggests blocking the atmrum.net domain (and related subdomains).

  16. 1 hour ago, Berny said:

    @always_working

    Please see  Qualys SSL Labs  report → dnsfootprint.com


    Certificate name mismatch
    We were able to retrieve a certificate for this site, but the domain names listed in it do not match the domain name you requested us to inspect. It's possible that:

    • The web site does not use SSL, but shares an IP address with some other site that does.
    • The web site no longer exists, yet the domain name still points to the old IP address, where some other site is now hosted.
    • The web site uses a content delivery network (CDN) that does not support SSL.
    • The domain name is an alias for a web site whose main name is different, but the alias was not included in the certificate by mistake.

     

    Thanks again for your continued knowledge and assistance.  The other two domains in the events above, though, do show active servers.  This also doesn't tell me why I'm getting these related events repeatedly and what it means.

    SearchApp.exe is on all Windows Operating Systems, as I understand it, and I don't see such events with these related object names on my other two computers...and I don't like not knowing why it's happening all of a sudden or what it's doing when I didn't change any settings. 

  17. 8 minutes ago, Berny said:

    Thank you for sharing that link as it was definitely worth revisiting.

    Why do they all pertain to footprintdns all of a sudden, though?  What exactly is that domain doing anyway?  If it's related to Microsoft DNS tracking, it doesn't make sense to me that such a behemoth would allow invalid certificates for all these related domains.  It seems suspect to me and I was initially worried that I had been hacked or something due to the frequency.

    I didn't change any settings. 

    Is it worth trying to block the domains via firewall or otherwise or might that impact OS functionality?

  18. Hi all,

    I've been getting an increase in these events as of late (including three times in a row nearly back-to-back a few days ago) and the object names all include footprintdns.com.

    I get these at seemingly random times and not only when surfing the web.  As you can see in the event details included below, the application name is sometimes SearchApp.exe (which shows as Windows OS when the Kaspersky pop-up appears) while others are chrome.exe. 

    Kaspersky advised me to clear cookies and cache which I've done...but the issue persists.  I'm on Windows 10 Pro.

    I'd like to understand why I'm getting these.  Of course, I want to learn in general but no one seems to really know the exact purpose of these domains exactly.  It's been stated that it pertains to Microsoft DNS tracking while it's also been said that it may be related to the Outlook desktop client.

    I did find an informative link here:

    https://josh.st/2018/07/12/footprint-dns/

    Is it worth blocking the atmrum.net domain (and related subdomains) as referenced at the above link to reduce these events or will this negatively impact the OS functionality somehow?

    Either way, does anyone know why one would suddenly start getting so many of these and what they mean?  I spent some time learning about and have a general understanding of the event type itself...but I don't fully understand it.  I also don't know why they would be so frequent all of a sudden.

    Lastly, is the safest course of action to "ignore and remember"?  I've read conflicting views on this as well.  It doesn't seem wise to add to exclusions.

    Can anyone with some more knowledge perhaps help explain this?  I've spent a fair amount of time on this but am hoping for some clarification.

    As mentioned, some example events are below.

    Any thoughts would be sincerely appreciated!

     

    Event: SSL connection with invalid certificate detected
    User type: Not defined
    Application name: SearchApp.exe
    Application path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy
    Component: Safe Browsing
    Result description: Blocked
    Object name: tring.clo.footprintdns.com
    Reason: Invalid certificate name. The name is not included in the list of allowed names or is explicitly excluded from it.

     

    Event: SSL connection with invalid certificate detected
    User type: Not defined
    Application name: SearchApp.exe
    Application path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy
    Component: Safe Browsing
    Result description: Blocked
    Object name: moiafdaws.clo.footprintdns.com
    Reason: Invalid certificate name. The name is not included in the list of allowed names or is explicitly excluded from it.

     

    Event: SSL connection with invalid certificate detected
    User type: Not defined
    Application name: chrome.exe
    Application path: C:\Program Files\Google\Chrome\Application
    Component: Safe Browsing
    Result description: Blocked
    Object name: dnsfootprint.com
    Reason: Invalid certificate name. The name is not included in the list of allowed names or is explicitly excluded from it.
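The "Invalid certificate name" reason in the events above, and the "Certificate name mismatch" in the SSL Labs report quoted earlier in the thread, both mean the same check failed: the host name the client asked for is not among the names the presented certificate is valid for. The following added example (written for this page; not Kaspersky's or any browser's code) implements that check the way current TLS stacks do it: only the Subject Alternative Name entries count, a wildcard covers exactly one label, and the subject Common Name is ignored (current browsers and Python's ssl module do not use it). The certificate dictionary is constructed, with the shape ssl.SSLSocket.getpeercert() returns, and its names (edge.example.net, *.clo.example.net, 203.0.113.5) are assumptions; it is not the real certificate served for footprintdns.com.

```python
"""Host name vs. certificate name matching (RFC 6125 style). Added example; the
certificate data is constructed, not the real footprintdns.com certificate."""
import ipaddress
from typing import Dict, Tuple


def match_dns_pattern(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match. A wildcard must be the whole leftmost label,
    matches exactly one label, and is rejected for too-short patterns like '*.com'
    (approximated here by requiring at least three labels in the pattern)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert: Dict, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason) for `hostname` against a getpeercert()-shaped dict."""
    san = tuple(cert.get("subjectAltName", ()))
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:                      # literal IP: only iPAddress SANs count
        for v in ip_names:
            if ipaddress.ip_address(v) == wanted_ip:
                return True, f"{hostname} is listed as a SAN iPAddress"
        return False, f"{hostname} is not among the SAN iPAddress entries"
    for pat in dns_names:
        if match_dns_pattern(pat, hostname):
            return True, f"'{hostname}' matches SAN dNSName '{pat}'"
    if not dns_names:
        # A CN-only certificate has no usable name at all for a modern client.
        return False, "certificate carries no SAN dNSName entries (CN is not used for matching)"
    return False, (f"'{hostname}' is not included in the list of allowed names: "
                   + ", ".join(dns_names))


# Constructed certificate (assumed names): what a shared edge host might present.
SAMPLE_CERT = {
    "subject": ((("commonName", "edge.example.net"),),),
    "subjectAltName": (("DNS", "edge.example.net"),
                       ("DNS", "*.clo.example.net"),
                       ("IP Address", "203.0.113.5")),
}
# Constructed CN-only certificate, the shape older servers still present.
CN_ONLY_CERT = {"subject": ((("commonName", "dnsfootprint.com"),),)}

if __name__ == "__main__":
    for host in ("edge.example.net", "tring.clo.example.net",
                 "a.b.clo.example.net", "dnsfootprint.com", "203.0.113.5"):
        ok, why = check_hostname(SAMPLE_CERT, host)
        print(f"{'OK ' if ok else 'BAD'} {why}")
    print(check_hostname(CN_ONLY_CERT, "dnsfootprint.com"))
```

Usage note: to inspect a live endpoint, open an ssl.SSLContext connection with check_hostname disabled, call getpeercert() on the socket and pass the result here; the reason string then tells you which SAN names the server actually offered, which is the first thing to compare against the "Object name" in the Kaspersky event.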
