
eset smart security - hidden icmp tunnel

Posted: 27.10.2018, 16:53
by rog
An alert in ESET Smart Security said that wsusoffline is creating a hidden ICMP tunnel.
It is generated every time I start UpdateInstaller.exe.
I need information on what data is sent to 185.160.0.158.

Re: eset smart security - hidden icmp tunnel

Posted: 27.10.2018, 21:15
by aker
UpdateGenerator or UpdateInstaller? (please double check)

The Installer does not contact the internet in any way (or at least it shouldn't) [Source code for version 11.5: http://trac.wsusoffline.net/trac.fcgi/browser/tags/wsusoffline11.5/client/UpdateInstaller.au3].
It could be some misbehaviour of AutoIt3, but I don't know any reason, why it should try to connect 185.160.0.158 (== wsusoffline.net).

Could you download wsusou's source code from here, manually compile it using "CompileAutoItScripts.cmd" and try, if it still tries to connect to the internet?

Re: eset smart security - hidden icmp tunnel

Posted: 28.10.2018, 02:14
by boco
UpdateInstaller, when started, makes a short ping to wsusoffline.net (185.160.0.158), to check if you are online. It shows (or hides) the Donate button if you are (not).


Around line 746:
If (MyIniRead($ini_section_misc, $ini_value_showdonate, $enabled) = $disabled) OR (Ping($wou_hostname) = 0) Then
    GUICtrlSetState(-1, $GUI_HIDE)
EndIf


@WSUSUpdateAdmin: Could you nest that IF statement? If the user has ShowDonate option in INI file set to 0, there's no need to ping at all.

I could not detect other places where it pings. Pinging by design does not send or receive data beyond the limited information in the Ping and Pong packets and what the TCP/IP protocol requires.
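
What a ping actually carries can be checked from a packet capture. The following is an added example, not part of the original thread or of WSUS Offline Update: it decodes an ICMP echo message and flags payloads that are not plain filler. The filler is the pattern used by Windows ping.exe; the thread does not state what AutoIt's Ping() sends or how ESET decides on the alert, and the 64-byte threshold and flag names are assumptions.

```python
import struct

# Filler that Windows ping.exe repeats to fill its payload (32 bytes by default).
WINDOWS_FILL = b"abcdefghijklmnopqrstuvw"
MAX_PLAIN_PAYLOAD = 64  # assumption: illustrative threshold, tune per network


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 for a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed sample echo request (type 8, code 0) for testing."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def inspect_icmp(message: bytes) -> dict:
    """Decode an ICMP message (the bytes after the IP header) and flag oddities."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    payload = message[8:]
    expected = (WINDOWS_FILL * (len(payload) // len(WINDOWS_FILL) + 1))[:len(payload)]
    flags = []
    if inet_checksum(message) != 0:
        flags.append("bad-checksum")
    if icmp_type not in (0, 8):  # 8 = echo request, 0 = echo reply
        flags.append("not-echo")
    if len(payload) > MAX_PLAIN_PAYLOAD:
        flags.append("large-payload")
    # A constant-byte or known-filler payload carries no application data.
    if payload != expected and len(set(payload)) > 1:
        flags.append("unrecognised-payload")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": payload, "flags": flags}


if __name__ == "__main__":
    sample = build_echo_request(1, 1, WINDOWS_FILL + WINDOWS_FILL[:9])  # constructed
    print(inspect_icmp(sample))
```

Feed it the ICMP portion of a captured packet (the bytes after the IP header); an empty flag list means the message is a well-formed echo carrying only filler.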

Re: eset smart security - hidden icmp tunnel

Posted: 05.11.2018, 13:31
by rog
UpdateInstaller.exe

Where can I test the ShowDonate option to disable this?

Re: eset smart security - hidden icmp tunnel

Posted: 05.11.2018, 13:57
by boco
The Ping can not be disabled, currently, in the official build.

You can, however, change the mentioned lines from

Code:
If (MyIniRead($ini_section_misc, $ini_value_showdonate, $enabled) = $disabled) OR (Ping($wou_hostname) = 0) Then
    GUICtrlSetState(-1, $GUI_HIDE)
EndIf


to

Code:
If (MyIniRead($ini_section_misc, $ini_value_showdonate, $enabled) = $disabled) Then
    GUICtrlSetState(-1, $GUI_HIDE)
EndIf


Then, you need to manually compile the UpdateInstaller.au3 file to an .EXE file, using the AutoIt3 suite.


Then, add the following to the UpdateInstaller.ini file:

Code:
[Miscellaneous]

(ONLY if it does not exist yet!)

and, under it:

Code:
showdonate=disabled

Re: eset smart security - hidden icmp tunnel

Posted: 05.11.2018, 14:25
by rog
Thank you.

Re: eset smart security - hidden icmp tunnel

Posted: 30.11.2018, 17:09
by WSUSUpdateAdmin
Hi.

boco wrote:
If (MyIniRead($ini_section_misc, $ini_value_showdonate, $enabled) = $disabled) OR (Ping($wou_hostname) = 0) Then
GUICtrlSetState(-1, $GUI_HIDE)
EndIf

@WSUSUpdateAdmin: Could you nest that IF statement? If the user has ShowDonate option in INI file set to 0, there's no need to ping at all.


It should not be necessary to nest the IF statement, boco.
I'm quite sure that all modern compilers will short circuit AND and OR statements, so if you disable the donation button by the INI file, the first condition is TRUE and therefore the whole OR expression will be, so there's no need to evaluate the second part of the OR, and so there should never be any ping with the existing code as well.

Cheers
Torsten

Re: eset smart security - hidden icmp tunnel

Posted: 01.12.2018, 05:06
by boco
Strange, just tested again. No ping. Last time I checked, it got the hit on the firewall.

Case closed.