ULAV alert malicious DNS server

martink

I've got WIn 10 ver 1083 and Freedome and ULAV on it. That installation gives the following adapter settings

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-01-E7-AC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5d1c:a777:958b:eee1%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.48(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, June 16, 2018 12:40:46 PM
   Lease Expires . . . . . . . . . . : Sunday, June 17, 2018 12:41:59 PM
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.1
   DHCPv6 IAID . . . . . . . . . . . : 134220841
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-3A-A8-A1-00-0C-29-01-E7-AC
   DNS Servers . . . . . . . . . . . : ::
                                       0.0.0.0
   NetBIOS over Tcpip. . . . . . . . : Enabled

 

Now some time ago I started getting these malicious DNS server alerts from ULAV.

 

 

There are tens of them every day.

F-S IS Tech preview and Safe do not show them in events nor messages.

If I wanted to set the DNS server manually to 0.0.0.0 that is not axecpted as the first digit cannot be 0.

 

Why might I get these alerts from ULAV only?

Is there a way to get more information  about the error?

Is that related to the problem I have accessing shares on other PC's in the same lan.

Ukko

Hello,

 

For except any other potential suggestions -> maybe it is possible to try what will be with F-Secure Router Checker:

https://www.f-secure.com/en/web/home_global/router-checker

 

Because such 'tool' is also F-Secure opinion about your DNS server configuration.

 

Thanks!

martink

Thanks  https://community.f-secure.com/t5/user/viewprofilepage/user-id/23391
Forgot all about that.

Unfortunately no issues found. 

Ukko

Hello,

 

Just interesting:

does your screenshot with edited view? Or "DNS:" indeed with 'empty' view?

 

Also, I'm not sure what means such detection - but maybe it is only detection for 'outgoing' connection to untrusted or harmful/suspicious-rated pages (DNS queries). Just like if certain resource is rated as malicious or suspicious and third-party software trying to reach it (for example, as an update process or so).

 

And if not -> maybe this situation is reason that "DNS Checker" is removed from FS Protection (and maybe stayed with F-Secure ULAV):

• https://community.f-secure.com/t5/Home-Security/FS-Protection-PC-Release-204/m-p/101826

Not sure if it is returned already (did not notice it).

 

Anyway, good to receive official explanation from F-Secure Teams or F-Secure ULAV team about such notification and potential reasons. Maybe because you noted another troubles with network configurations -> there are certain limitations or inabilities to work properly for ULAV (or even indeed something suspicious with system).

 

Thanks!

Ukko

Hello,

 

Just as my own feedback:

 

I tried to install F-Secure ULAV. With my experience (Windows 10 64bit 1803) -> I do able to receive such prompts during tries to open known harmful/malicious-rated websites.

 

For example, for unsafe.fstestdomain.com -> F-Secure ULAV will trigger prompt with words like "blocked Unsafe DNS"; while for another (third-party?! or indeed malicious) domains with harmful-rating -> F-Secure ULAV will trigger prompt with words like "blocked Malicious DNS" (as under your screenshot); also with such view for other 'fields' as from your screenshot.

 

What about count "times" -> I manually opened pages; just like 'type URL' to browser's addressbar and 'Enter'. Connection/opening page is prevented or hooked and with such 'idle'-status -> count of 'times' is increasing until page is switched to 'not possible to open website'.

 

So, maybe with your experience there is 'background'-based software with tries to open/connect to harmful-rated websites. I think that exact URL... possible to doublecheck with ULAV logs (ProgramData, FSNID).

 

Thanks!

martink

Thanks again Ukko you are the man.

The display is really like that nothing after DNS:

 

Yes, you know Windows 10 lets a large number of  programs run in the back group by default.

After stopping them this afternoon no alerts this far.

 

The CdfPluginStae.log  has entries like these

2018-06-16 20:57:14.820 [0a5c.1100] .W: orspCallback st=1 flags=0x5, count=37, cbTimeDiff=1563, url=, SHA1=00913e7544129f58ae1291f25097d87711e39909, safe=80
2018-06-16 20:57:14.820 [0a5c.1100] .W: orspCallback st=1 flags=0x5, count=37, cbTimeDiff=1547, url=, SHA1=bfaf869ea6a570c1d7b7eb4b82c1865bc04b4b8c, safe=80
2018-06-16 20:57:14.820 [0a5c.1100] .W: orspCallback st=1 flags=0x5, count=37, cbTimeDiff=1563, url=, SHA1=00913e7544129f58ae1291f25097d87711e39909, safe=80
2018-06-16 20:57:14.820 [0a5c.1100] .W: orspCallback st=1 flags=0x5, count=37, cbTimeDiff=1547, url=, SHA1=bfaf869ea6a570c1d7b7eb4b82c1865bc04b4b8c, safe=80
2018-06-16 21:05:12.383 [0a5c.1100] .W: orspCallback st=0 flags=0x8, count=0, cbTimeDiff=1812, url=, SHA1=0000000000000000000000000000000000000000, safe=undefined
2018-06-16 21:05:12.383 [0a5c.1100] .W: orspCallback st=0 flags=0x8, count=0, cbTimeDiff=1812, url=, SHA1=0000000000000000000000000000000000000000, safe=undefined
2018-06-16 21:05:12.383 [0a5c.1100] .W: orspCallback st=0 flags=0x8, count=0, cbTimeDiff=1812, url=, SHA1=0000000000000000000000000000000000000000, safe=undefined
2018-06-16 21:05:12.383 [0a5c.1100] .W: orspCallback st=0 flags=0x8, count=0, cbTimeDiff=1844, url=, SHA1=0000000000000000000000000000000000000000, safe=undefined

 

My guess is is that the alerts corresponds to the lines have safe=undefined.

That good enough for me, I'll mark this as solved.

 

 

 

 

 

Ukko

Hello,

 

Good that 'alerts' are stopped. I think that noted "safe=undefined" may be about uncategorized or unknown/unrated pages (or maybe certain suspicious .js-files or inability to analyze certain page/resource or it is cached result).

 

With my manual tries it was possible that 'blocked URLs' (as harmful/unsafe) were visible as another kind of strings under logs (since such information anyway is 'available' under UI with normal situation; as block-event). But maybe I managed to switch 'level' of logs to full-state (not a default).

If alerts will back -> maybe it is good to re-sure that situation is about potential false positives and there are no any risks that indeed malicious software tries to do something. Maybe exact URL can be visible or it will be possible to troubleshoot further.

 

Thanks!