eset smart security - hidden icmp tunnel


Post by rog » 27.10.2018, 17:53

An alert in ESET Smart Security said that wsusoffline is creating a hidden ICMP tunnel.
It is always generated when I start UpdateInstaller.exe.
I need information: what data is sent to 185.160.0.158?
rog
 
Posts: 4
Joined: 18.06.2018, 11:52

Re: eset smart security - hidden icmp tunnel

Post by aker » 27.10.2018, 22:15

UpdateGenerator or UpdateInstaller? (please double check)

The Installer does not contact the internet in any way (or at least it shouldn't) [Source code for version 11.5: http://trac.wsusoffline.net/trac.fcgi/browser/tags/wsusoffline11.5/client/UpdateInstaller.au3].
It could be some misbehaviour of AutoIt3, but I don't know any reason, why it should try to connect 185.160.0.158 (== wsusoffline.net).

Could you download wsusou's source code from here, manually compile it using "CompileAutoItScripts.cmd" and try whether it still tries to connect to the internet?
Whoever finds spelling mistakes may keep them or auction them off to the highest bidder. / Everybody finding a misspelling is allowed to sell it.
aker
 
Posts: 3074
Joined: 02.03.2011, 16:32
Location: %SystemRoot%\System32\Boot\winload.efi

Re: eset smart security - hidden icmp tunnel

Post by boco » 28.10.2018, 03:14

UpdateInstaller, when started, makes a short ping to wsusoffline.net (185.160.0.158), to check if you are online. It shows (or hides) the Donate button if you are (not).


Around line 746:
If (MyIniRead($ini_section_misc, $ini_value_showdonate, $enabled) = $disabled) OR (Ping($wou_hostname) = 0) Then
    GUICtrlSetState(-1, $GUI_HIDE)
EndIf


@WSUSUpdateAdmin: Could you nest that IF statement? If the user has ShowDonate option in INI file set to 0, there's no need to ping at all.

I could not detect other places where it pings. Pinging by design does not send or receive data beyond the limited information in the Ping and Pong packets and what the TCP/IP protocol requires.
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2031
Joined: 24.11.2009, 18:00
Location: Germany
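
To see what an echo request like the one discussed above carries, this added example (not part of the forum posts or of the WSUS Offline Update code) decodes an ICMP echo message from raw bytes and verifies its checksum. The sample packet is constructed; its payload is the default 32-byte pattern of Windows ping.exe, used here as an assumption and not as a capture of what AutoIt's Ping() sends.

```python
import struct

# Default 32-byte payload of Windows ping.exe (assumption for the sample;
# not a capture of what AutoIt's Ping() sends).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over a whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Construct a sample echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def describe_icmp(message: bytes) -> dict:
    """Decode an ICMP echo message and summarise everything it carries."""
    if len(message) < 8:
        raise ValueError("ICMP echo message needs at least an 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    payload = message[8:]
    return {
        "type": icmp_type,
        "code": code,
        "is_echo": icmp_type in (0, 8) and code == 0,
        "checksum_ok": inet_checksum(message) == 0,  # valid messages sum to 0
        "id": ident,
        "seq": seq,
        "payload_len": len(payload),
        "payload_printable": all(32 <= b < 127 for b in payload),
        "payload_is_windows_default": payload == WINDOWS_PING_PAYLOAD,
    }


# Constructed sample, not captured traffic.
SAMPLE = build_echo_request(ident=1, seq=1, payload=WINDOWS_PING_PAYLOAD)

if __name__ == "__main__":
    for key, value in describe_icmp(SAMPLE).items():
        print(f"{key}: {value}")
```

Feeding it the ICMP portion of a packet captured while UpdateInstaller.exe starts shows the identifier, sequence number and payload bytes that actually leave the machine.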

Re: eset smart security - hidden icmp tunnel

Post by rog » 05.11.2018, 14:31

UpdateInstaller.exe

Where can I test the ShowDonate option to disable this?
rog
 
Posts: 4
Joined: 18.06.2018, 11:52

Re: eset smart security - hidden icmp tunnel

Post by boco » 05.11.2018, 14:57

The Ping can not be disabled, currently, in the official build.

You can, however, change the mentioned lines from

Code:
If (MyIniRead($ini_section_misc, $ini_value_showdonate, $enabled) = $disabled) OR (Ping($wou_hostname) = 0) Then
    GUICtrlSetState(-1, $GUI_HIDE)
EndIf


to

Code:
If (MyIniRead($ini_section_misc, $ini_value_showdonate, $enabled) = $disabled) Then
    GUICtrlSetState(-1, $GUI_HIDE)
EndIf


Then, you need to manually compile the UpdateInstaller.au3 file to an .EXE file, using the AutoIt3 suite.


Then, add the following to the UpdateInstaller.ini file:

Code:
[Miscellaneous]

(ONLY if it does not exist yet!)

and, under it:
Code:
showdonate=disabled
boco
 
Posts: 2031
Joined: 24.11.2009, 18:00
Location: Germany

Re: eset smart security - hidden icmp tunnel

Post by rog » 05.11.2018, 15:25

Thank you.
rog
 
Posts: 4
Joined: 18.06.2018, 11:52

Re: eset smart security - hidden icmp tunnel

Post by WSUSUpdateAdmin » 30.11.2018, 18:09

Hi.

boco wrote:
If (MyIniRead($ini_section_misc, $ini_value_showdonate, $enabled) = $disabled) OR (Ping($wou_hostname) = 0) Then
    GUICtrlSetState(-1, $GUI_HIDE)
EndIf

@WSUSUpdateAdmin: Could you nest that IF statement? If the user has ShowDonate option in INI file set to 0, there's no need to ping at all.


It should not be necessary to nest the IF statement, boco.
I'm quite sure that all modern compilers will short circuit AND and OR statements, so if you disable the donation button by the INI file, the first condition is TRUE and therefore the whole OR expression will be, so there's no need to evaluate the second part of the OR, and so there should never be any ping with the existing code as well.

Cheers
Torsten
WSUSUpdateAdmin
Administrator
 
Posts: 2123
Joined: 07.07.2009, 15:38

Re: eset smart security - hidden icmp tunnel

Post by boco » 01.12.2018, 06:06

Strange, just tested again. No ping. Last time I checked, it got the hit on the firewall.

Case closed.
boco
 
Posts: 2031
Joined: 24.11.2009, 18:00
Location: Germany

