ULAV alert malicious DNS server

martink
martink Posts: 427 Influencer

I've got Win 10 ver 1083 and Freedome and ULAV on it. That installation gives the following adapter settings:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-01-E7-AC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5d1c:a777:958b:eee1%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.48(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, June 16, 2018 12:40:46 PM
   Lease Expires . . . . . . . . . . : Sunday, June 17, 2018 12:41:59 PM
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.1
   DHCPv6 IAID . . . . . . . . . . . : 134220841
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-3A-A8-A1-00-0C-29-01-E7-AC
   DNS Servers . . . . . . . . . . . : ::
                                       0.0.0.0
   NetBIOS over Tcpip. . . . . . . . : Enabled

 

Now some time ago I started getting these malicious DNS server alerts from ULAV.

 

DNS_alert.JPG

 

There are tens of them every day.

F-S IS Tech preview and Safe do not show them in events nor messages.

If I wanted to set the DNS server manually to 0.0.0.0, that is not accepted as the first digit cannot be 0.

 

Why might I get these alerts from ULAV only?

Is there a way to get more information about the error?

Is that related to the problem I have accessing shares on other PCs in the same LAN?
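The one concrete thing the question shows is the adapter's DNS server list, which contains only `::` and `0.0.0.0`, the IPv6 and IPv4 unspecified addresses: a resolver cannot be queried at either, so as far as that adapter is concerned no DNS server is configured. As an added example (not from the post or from F-Secure), the script below parses `ipconfig /all` output and flags adapters in that state. The "Ethernet" block is the output quoted above; the "Wi-Fi" adapter is constructed here for contrast.

```python
import ipaddress
import re
import sys

# Constructed sample: the "Ethernet adapter Ethernet:" block is the output quoted in
# the post; the "Wi-Fi" adapter is made up here to show an adapter with a usable resolver.
IPCONFIG_SAMPLE = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5d1c:a777:958b:eee1%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.48(Preferred)
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : ::
                                       0.0.0.0
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.10.77(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.10.1
                                       fe80::1%5
"""

# "Ethernet adapter Ethernet:"  -> new adapter section
ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
# "   Key . . . : value"        -> field line (exactly three leading spaces)
FIELD_RE = re.compile(r"^ {3}(?P<key>\S[^.:]*?)[ .]*: ?(?P<value>.*)$")
# deeper-indented line          -> extra value for the previous field
CONT_RE = re.compile(r"^ {4,}(?P<value>\S.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: [value, ...]}} from `ipconfig /all` output."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last_key = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            current.setdefault(last_key, []).append(m.group("value").strip())
            continue
        m = CONT_RE.match(line)
        if m and last_key:
            current[last_key].append(m.group("value").strip())
    return adapters


def _clean(addr):
    """Strip '(Preferred)' and an IPv6 '%scope' id so ipaddress can parse the value."""
    return addr.split("(")[0].split("%")[0].strip()


def dns_servers(adapters):
    """Map adapter name -> list of ip_address objects for its DNS servers."""
    return {name: [ipaddress.ip_address(_clean(s)) for s in f.get("DNS Servers", [])]
            for name, f in adapters.items()}


def adapters_without_usable_dns(adapters):
    """Adapters whose DNS list is empty or holds only the unspecified addresses
    0.0.0.0 / ::, i.e. nothing a resolver query could actually be sent to."""
    return [name for name, servers in dns_servers(adapters).items()
            if all(ip.is_unspecified for ip in servers)]  # all([]) is True


if __name__ == "__main__":
    # Usage on a real box:  ipconfig /all | python check_dns.py
    text = sys.stdin.read() if not sys.stdin.isatty() else IPCONFIG_SAMPLE
    for name in adapters_without_usable_dns(parse_ipconfig(text)):
        print(f"no usable DNS server on: {name}")
```

Feeding the real `ipconfig /all` output through stdin shows whether any other adapter (a VPN tunnel adapter, for instance) carries the resolver the system actually uses; the script does not say why an adapter ended up with 0.0.0.0, only that it did.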

Comments

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

     

Apart from any other potential suggestions -> maybe it is possible to try what happens with F-Secure Router Checker:

    https://www.f-secure.com/en/web/home_global/router-checker

     

Because such a 'tool' is also F-Secure's opinion about your DNS server configuration.

     

    Thanks!

  • martink
    martink Posts: 427 Influencer

Thanks https://community.f-secure.com/t5/user/viewprofilepage/user-id/23391
    Forgot all about that.

    Unfortunately no issues found. 

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

     

    Just interesting:

is your screenshot edited? Or is "DNS:" indeed shown 'empty'?

     

Also, I'm not sure what such a detection means - but maybe it is only a detection for an 'outgoing' connection to untrusted or harmful/suspicious-rated pages (DNS queries). Just like if a certain resource is rated as malicious or suspicious and third-party software is trying to reach it (for example, as an update process or so).

     

And if not -> maybe this situation is the reason that "DNS Checker" was removed from FS Protection (and maybe stayed with F-Secure ULAV):

Not sure if it has returned already (did not notice it).

     

Anyway, it would be good to receive an official explanation from the F-Secure Teams or the F-Secure ULAV team about such a notification and the potential reasons. Maybe because you noted other troubles with network configuration -> there are certain limitations or inabilities for ULAV to work properly (or even indeed something suspicious with the system).

     

    Thanks!

  • martink
    martink Posts: 427 Influencer

    Thanks again Ukko you are the man.

The display is really like that, nothing after DNS:

     

Yes, you know Windows 10 lets a large number of programs run in the background by default.

After stopping them this afternoon, no alerts so far.

     

The CdfPluginStae.log has entries like these:

    2018-06-16 20:57:14.820 [0a5c.1100] .W: orspCallback st=1 flags=0x5, count=37, cbTimeDiff=1563, url=, SHA1=00913e7544129f58ae1291f25097d87711e39909, safe=80
    2018-06-16 20:57:14.820 [0a5c.1100] .W: orspCallback st=1 flags=0x5, count=37, cbTimeDiff=1547, url=, SHA1=bfaf869ea6a570c1d7b7eb4b82c1865bc04b4b8c, safe=80
    2018-06-16 20:57:14.820 [0a5c.1100] .W: orspCallback st=1 flags=0x5, count=37, cbTimeDiff=1563, url=, SHA1=00913e7544129f58ae1291f25097d87711e39909, safe=80
    2018-06-16 20:57:14.820 [0a5c.1100] .W: orspCallback st=1 flags=0x5, count=37, cbTimeDiff=1547, url=, SHA1=bfaf869ea6a570c1d7b7eb4b82c1865bc04b4b8c, safe=80
    2018-06-16 21:05:12.383 [0a5c.1100] .W: orspCallback st=0 flags=0x8, count=0, cbTimeDiff=1812, url=, SHA1=0000000000000000000000000000000000000000, safe=undefined
    2018-06-16 21:05:12.383 [0a5c.1100] .W: orspCallback st=0 flags=0x8, count=0, cbTimeDiff=1812, url=, SHA1=0000000000000000000000000000000000000000, safe=undefined
    2018-06-16 21:05:12.383 [0a5c.1100] .W: orspCallback st=0 flags=0x8, count=0, cbTimeDiff=1812, url=, SHA1=0000000000000000000000000000000000000000, safe=undefined
    2018-06-16 21:05:12.383 [0a5c.1100] .W: orspCallback st=0 flags=0x8, count=0, cbTimeDiff=1844, url=, SHA1=0000000000000000000000000000000000000000, safe=undefined

     

My guess is that the alerts correspond to the lines that have safe=undefined.

That's good enough for me, I'll mark this as solved.
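The log lines quoted above carry enough structure to test that guess mechanically rather than by eye: the four `safe=undefined` entries also share `st=0`, `flags=0x8`, `count=0` and an all-zero SHA1, while the rated entries carry `safe=80`. As an added example (not from the post or from F-Secure, whose field meanings for `st`, `flags` and `cbTimeDiff` are not documented here, so the parser only extracts them), the script below parses the orspCallback lines, separates unrated entries from rated ones, and lets you pull the entries logged within a few seconds of an alert timestamp. The sample is the eight lines from the post; the alert time used in the usage line is a hypothetical value.

```python
import re
import sys
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the eight orspCallback lines quoted in the post above.
LOG_SAMPLE = """\
2018-06-16 20:57:14.820 [0a5c.1100] .W: orspCallback st=1 flags=0x5, count=37, cbTimeDiff=1563, url=, SHA1=00913e7544129f58ae1291f25097d87711e39909, safe=80
2018-06-16 20:57:14.820 [0a5c.1100] .W: orspCallback st=1 flags=0x5, count=37, cbTimeDiff=1547, url=, SHA1=bfaf869ea6a570c1d7b7eb4b82c1865bc04b4b8c, safe=80
2018-06-16 20:57:14.820 [0a5c.1100] .W: orspCallback st=1 flags=0x5, count=37, cbTimeDiff=1563, url=, SHA1=00913e7544129f58ae1291f25097d87711e39909, safe=80
2018-06-16 20:57:14.820 [0a5c.1100] .W: orspCallback st=1 flags=0x5, count=37, cbTimeDiff=1547, url=, SHA1=bfaf869ea6a570c1d7b7eb4b82c1865bc04b4b8c, safe=80
2018-06-16 21:05:12.383 [0a5c.1100] .W: orspCallback st=0 flags=0x8, count=0, cbTimeDiff=1812, url=, SHA1=0000000000000000000000000000000000000000, safe=undefined
2018-06-16 21:05:12.383 [0a5c.1100] .W: orspCallback st=0 flags=0x8, count=0, cbTimeDiff=1812, url=, SHA1=0000000000000000000000000000000000000000, safe=undefined
2018-06-16 21:05:12.383 [0a5c.1100] .W: orspCallback st=0 flags=0x8, count=0, cbTimeDiff=1812, url=, SHA1=0000000000000000000000000000000000000000, safe=undefined
2018-06-16 21:05:12.383 [0a5c.1100] .W: orspCallback st=0 flags=0x8, count=0, cbTimeDiff=1844, url=, SHA1=0000000000000000000000000000000000000000, safe=undefined
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\] "
    r"\.(?P<level>[A-Z]): orspCallback "
    r"st=(?P<st>\d+) flags=(?P<flags>0x[0-9a-fA-F]+), count=(?P<count>\d+), "
    r"cbTimeDiff=(?P<diff>\d+), url=(?P<url>.*?), SHA1=(?P<sha1>[0-9a-fA-F]{40}), "
    r"safe=(?P<safe>\S+)$"
)


def parse_orsp_log(text):
    """Parse orspCallback lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "thread": f'{d["pid"]}.{d["tid"]}',
            "st": int(d["st"]),
            "flags": int(d["flags"], 16),
            "count": int(d["count"]),
            "cb_time_diff": int(d["diff"]),
            "url": d["url"],
            "sha1": d["sha1"].lower(),
            # safe=undefined means no rating came back; keep that distinct from a rating of 0
            "safe": None if d["safe"] == "undefined" else int(d["safe"]),
        })
    return events


def unrated(events):
    """Entries without a reputation verdict (safe=undefined)."""
    return [e for e in events if e["safe"] is None]


def verdict_summary(events):
    """Count entries per (st, flags, safe) so repeated identical callbacks stand out."""
    return Counter((e["st"], e["flags"], e["safe"]) for e in events)


def events_near(events, when, seconds=5):
    """Entries logged within +/- `seconds` of an alert time given as 'YYYY-MM-DD HH:MM:SS';
    this is the manual way to line a ULAV alert up with the log."""
    centre = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    window = timedelta(seconds=seconds)
    return [e for e in events if abs(e["ts"] - centre) <= window]


if __name__ == "__main__":
    # Usage:  python orsp_log.py <path to the log> "2018-06-16 21:05:13"   (alert time is hypothetical)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else LOG_SAMPLE
    evs = parse_orsp_log(text)
    for key, n in sorted(verdict_summary(evs).items(), key=str):
        print(f"st={key[0]} flags={key[1]:#x} safe={key[2]}: {n} entries")
    if len(sys.argv) > 2:
        for e in events_near(evs, sys.argv[2]):
            print(e["ts"], e["sha1"], e["safe"], e["url"] or "(no url)")
```

If the entries inside the alert window are all `safe=undefined` with an empty `url` and a zero SHA1, the log simply records that no rating was available; it does not identify what was queried, which is the limit of what this log level gives you.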


  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

     

Good that the 'alerts' have stopped. I think that the noted "safe=undefined" may be about uncategorized or unknown/unrated pages (or maybe certain suspicious .js files, or an inability to analyze a certain page/resource, or it is a cached result).

     

With my manual tries it was possible that 'blocked URLs' (as harmful/unsafe) were visible as another kind of string under the logs (since such information is anyway 'available' under the UI in a normal situation, as a block event). But maybe I managed to switch the 'level' of logs to full state (not the default).

If the alerts come back -> maybe it is good to make sure that the situation is about potential false positives and that there are no risks that indeed malicious software is trying to do something. Maybe the exact URL can be visible or it will be possible to troubleshoot further.

     

    Thanks!

     

This discussion has been closed.