Peerblock allows contact by KAV 2014

Posted by yynxs 
Peerblock allows contact by KAV 2014
April 21, 2015 11:47AM
I use Peerblock to block all the web, especially Google, Twitter, Facebook, et al, scripts injected by the web pages run by the lazy to track my web usage. For all purposes so far, it provides the most privacy and security especially using programs such as KAV 2014, which as you see from the attached .jpg contacts Kaspersky constantly to report my whereabouts on the web (presuming they say it's to check the safety of the web site). I block those Kaspersky cloud web addresses until I need to update the AV definitions, update them, then go back to stopping the reporting.

As you can see from the .jpg, a new connection that Peerblock does not block has appeared. It is an outgoing port 443 connection to 62.128.100.nn-62.128.100.191 range that is assigned to Linx in the Ukraine. I went to KAV web site to inquire about this and found the Kaspersky Forums are 62.128.100.200. Internal port is in the high 50000s with no process identified. Some whois sleuthing found a couple of the other addresses in this range are listed with Kaspersky.

I've scanned with KAV and Malwarebytes Premium. Neither reported root kits nor malware found. I've written specific rules in my own permblock lists to block those addresses with no joy. I've clicked individually on each connection as it occurs to block it; the next time it's called the connection goes through even though I can see the address in the connection block list. I've thoroughly checked all my own allowed addresses for anything close to that range. There are none. I downloaded and installed new lists from Iblocklists and opened all the files and checked for that address range. The range is not blocked by any of them and there are no other references which might "allow".

I turned to windows firewall and created rules to block those ranges in and out on all ports. The connection is not blocked.

While waiting for permission to post here, I contacted Kaspersky about the connections and received a reply that says remove Malwarebytes because it conflicts with KAV, obviously something I would be loath to do since without being able to depend on Peerblock for privacy, I would be open to the web or at least KAV installation of what they want.

So I told you all that, to ask, how can I get Peerblock to stop UDP and TCP connections through port 443 to Kaspersky (or any other) range?
Attachments: KAV Log Check.jpg (306 KB)
Re: Peerblock allows contact by KAV 2014
April 24, 2015 04:41AM
Well, this is another common problem that users get using Peerblock loaded with free blacklists.
So again, you're using a blacklist loaded into Peerblock where that range, a false positive, has been added when it should not be.
Ask whoever maintains the ipfilter that you load into Peerblock to remove it.
That's all.
Re: Peerblock allows contact by KAV 2014
April 24, 2015 04:01PM
Actually, no. As I said in my post above: "...I downloaded and installed new lists from Iblocklists and opened all the files and checked for that address range. The range is not blocked by any of them and there are no other references which might "allow. ..."

e.g. I "RTFM" and found I can get to those lists with 7zip and edit them and put them back with the edits. It's not recommended because the next time you update, the list is overwritten by the new list, but nothing is hidden if you're willing to look.

The Ukraine range 62.128.100.0-62.128.100.199 is not mentioned in the iblock lists, nor any list on my system allowing. They are in my Permblocks and do not work there.

I did find a workaround using Proxomitron and URL blocking but each address has to be hand typed and entered individually. Currently it's working, no contacts through Port 443 that I can see with either Peerblock or TCPview.

Interestingly, KAV responded to those address blocks by opening a whole new range in the UK. Prior to this, my system (nor I) knew Kaspersky had registered URLs there. Probably more out there "in the cloud" but I'm paying closer attention now so I'm not as worried. The new addresses in the UK are still not blockable by Peerblock, but hand entering gets them with Proxomitron. I'm keeping Proxo's log window open and reviewing but it's egregiously tedious. So far no new problem links.

Oh, there were some Port 137-139 occurrences to the same Ukraine range. A post to Techsupportforums.com kinda pointed me to check that out and I found IPV4 on my network card was still using Netbios over TCP in the default load. Changing that, there are no new occurrences of Ports 137-139 in Peerblock logs. Might want to check your own systems for that. Apparently it's an imbedded dinosaur egg from the XP era. It's also imbedded in wifi adapters.

I did do some hour long attempts to block that range in ISP router. Every time I put in a 443 filter, to that range or all ranges, other software broke and timed out. I suspect KAV may be using an internal proxy for filtering web connections but that is pure no knowledge speculation. They broke with KAV active and shut down.

As I mentioned above, Peerblock is still the best there is in allowing me to monitor and deal with privacy on the web. Even having to deal with the good guys in my antivirus, Peerblock lets me know what is going on and used to let me easily control it. I'm hoping someone can let me get that convenience back.
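
The list check described in the post above (opening each list and looking for the range) can be scripted. This is an added example, not part of the original thread; the `label:start-end` text layout and every sample entry are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in an assumed plain-text "label:start-end" layout;
# these entries are illustrative and not taken from any real list.
SAMPLE_LIST = """\
# constructed sample list
Example Org A:10.0.0.0-10.0.0.255
Example: tracker (EU):62.128.99.0-62.128.100.63
Example Org C:62.128.100.192-62.128.100.255
Example Org D:62.128.101.0-62.128.101.255
broken line without a range
"""

def parse_range(text):
    """Turn 'a.b.c.d-e.f.g.h' into a pair of integers (start, end)."""
    start, end = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-"))
    if start > end:
        raise ValueError("range start is after range end")
    return start, end

def parse_list(text):
    """Yield (line_no, label, start, end) for each well-formed entry."""
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Labels may contain ':' themselves, so split on the last one only.
        label, sep, rng = line.rpartition(":")
        if not sep:
            continue
        try:
            start, end = parse_range(rng)
        except ValueError:
            continue  # malformed entry, skipped
        yield line_no, label, start, end

def find_overlaps(list_text, target):
    """Return entries covering any part of target, with the covered slice."""
    t_start, t_end = parse_range(target)
    hits = []
    for line_no, label, start, end in parse_list(list_text):
        lo, hi = max(start, t_start), min(end, t_end)
        if lo <= hi:  # partial overlap counts, not only exact matches
            hits.append((line_no, label,
                         str(ipaddress.IPv4Address(lo)),
                         str(ipaddress.IPv4Address(hi))))
    return hits

if __name__ == "__main__":
    for hit in find_overlaps(SAMPLE_LIST, "62.128.100.0-62.128.100.199"):
        print(hit)
```

A text search for the exact range string misses entries that only partly cover it, which is why the comparison is done on the numeric bounds.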
Re: Peerblock allows contact by KAV 2014
April 24, 2015 04:09PM
Sorry for two posts same subject. I forgot to mention they are not "...false positives..". TCPview from Microsoft shows the connections occurring and timing out and dropping off. Unlike Peerblock, with a 1 sec refresh rate and no log, TCPview must be watched constantly, but the connections are there.
Re: Peerblock allows contact by KAV 2014
July 12, 2015 07:19PM
I'm writing this in July and the main furor has passed and Kaspersky has admitted they've been hacked (hopefully by a nation state and not some guy with skillz). [www.pcmag.com]

When I originally wrote this post in April, Peerblock was telling me something was going on with Kaspersky web sites connections and it wasn't being controlled. I told Kaspersky about it in a help request and in their arrogance, the comments were dismissed.

In June it comes out someone was messing around there for months and may have compromised users through the Kaspersky products. I'm probably one of them until I got a handle on the workaround (or they just went away because I'm nobody).

The come away with lesson though, is Peerblock was giving a warning for those who pay attention. Thank you again for writing it.