Covert Channel exploit in ICMP Packet
I wanted to report this.

It seems that the beta is fragmenting communication packets and these are being identified as potential threats by my AV/Firewall (ESET Smart Security). Please note that the Beta Program has been allowed full access to all incoming/outgoing connections within my Firewall by using specific rules, however with each and every update check I get the following blocked reports:

FWIW, I would normally allow IP range access but given the differing IP locations I refuse to permit them at the moment.

Detected covert channel exploit in ICMP packet 192.168.1.159 221.186.54.37 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 219.87.150.73 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 216.228.123.197 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 202.164.25.17 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 192.31.14.14 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 173.227.255.65 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 216.228.112.5 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 213.179.145.146 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 213.1.213.130 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 211.175.70.66 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 209.163.206.113 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 203.18.50.2 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 202.164.25.17 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 192.31.14.14 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 173.227.255.65 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 209.163.206.113 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 203.18.50.2 ICMP
Detected covert channel exploit in ICMP packet 192.168.1.159 203.117.192.212 ICMP


^ That's a selection. There's usually 3 or 4 blocked communications pre update request.

Any thoughts or suggestions?

#1
Posted 03/10/2013 04:03 PM   
Hi Danlisa,

Thanks for reporting this. It appears to be a false positive that has been reported by multiple people with ESET Smart Security, but none using other security programs. As such, I would recommend filing a report directly with ESET and asking them to look into updating their security definitions.

If I don't keep up on subsequent replies to a thread, please send me a PM, as I monitor a large number of threads across all the forums.

#2
Posted 03/11/2013 11:03 PM   
Hi NVGareth, I apologise, I searched the beta forums for this issue but couldn't find it mentioned.

I have submitted log files to ESET (at their request) and they replied this morning to say that the issue is reproducible and that a fix will be released in due course.

Keep up the good work. :)

#3
Posted 03/12/2013 10:07 AM   
Glad to hear it!

If I don't keep up on subsequent replies to a thread, please send me a PM, as I monitor a large number of threads across all the forums.

#4
Posted 03/12/2013 07:30 PM   
I have the same problem. Clearly since this post on March 10, 2013 there still has not been an update from ESET.

I am curiouser. I did nothing more than start up my computer and open Windows 7. Are these IP addresses related to the NVIDIA GeForce Experience :: 203.18.50.2 : 173.227.255.65 : 107.1.94.142

I just used NVIDIA GeForce Experience to check for driver updates. Upon opening to my desktop and then after I clicked on "Check for Updates", these IP addresses were detected and recorded as the same covert channel exploits ICMP :: 80.195.69.195 : 221.186.54.37 : 219.87.150.73

Please Validate which are your IP addresses so I can add them to the Firewall Rules and Zones.

#5
Posted 05/08/2013 02:28 AM   
Same here... problem still not fixed: I get exactly the same IP addresses as mentioned above.

30-6-2013 20:37:36 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 90.83.94.114 ICMP
30-6-2013 20:37:26 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 83.150.122.97 ICMP
30-6-2013 20:37:16 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 83.145.93.99 ICMP
30-6-2013 20:28:42 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 213.179.145.146 ICMP
30-6-2013 20:28:32 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 213.1.213.130 ICMP
30-6-2013 20:28:22 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 212.66.146.2 ICMP
29-6-2013 19:01:35 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 90.83.94.114 ICMP
29-6-2013 19:01:25 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 83.150.122.97 ICMP
29-6-2013 19:01:15 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 83.145.93.99 ICMP
29-6-2013 17:54:00 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 173.227.255.65 ICMP
29-6-2013 17:53:50 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 107.1.94.142 ICMP
29-6-2013 17:53:40 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 101.78.148.14 ICMP

#6
Posted 06/30/2013 06:47 PM   
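Added example, not part of any post in this thread: a small triage script for the timestamped firewall log format posted above. It groups the alerts into bursts (one burst per update check) and counts how often each remote address recurs. The sample lines are copied from that post; the 30-second burst gap and the function names are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Sample lines copied from the firewall log posted above (day-month-year timestamps).
SAMPLE_LOG = """\
30-6-2013 20:37:36 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 90.83.94.114 ICMP
30-6-2013 20:37:26 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 83.150.122.97 ICMP
30-6-2013 20:37:16 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 83.145.93.99 ICMP
30-6-2013 20:28:42 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 213.179.145.146 ICMP
30-6-2013 20:28:32 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 213.1.213.130 ICMP
30-6-2013 20:28:22 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 212.66.146.2 ICMP
29-6-2013 19:01:35 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 90.83.94.114 ICMP
29-6-2013 19:01:25 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 83.150.122.97 ICMP
29-6-2013 19:01:15 Gebruikmaking van verborgen kanaal gedetecteerd in ICMP-pakket 192.168.1.114 83.145.93.99 ICMP
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
LINE = re.compile(r"^(\d{1,2}-\d{1,2}-\d{4} \d{2}:\d{2}:\d{2})\s+.*?\s" + IP + r"\s+" + IP + r"\s+ICMP\s*$")

def parse_alerts(text):
    """Return (timestamp, local_ip, remote_ip) tuples, oldest first; skip non-matching lines."""
    alerts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%d-%m-%Y %H:%M:%S")
            alerts.append((ts, m.group(2), m.group(3)))
    return sorted(alerts)

def group_bursts(alerts, max_gap=timedelta(seconds=30)):
    """Split alerts into bursts: a new burst starts when the gap exceeds max_gap (assumed 30 s)."""
    bursts = []
    for alert in alerts:
        if bursts and alert[0] - bursts[-1][-1][0] <= max_gap:
            bursts[-1].append(alert)
        else:
            bursts.append([alert])
    return bursts

def remote_counts(alerts):
    """Count alerts per remote address, to see which destinations recur across checks."""
    return Counter(remote for _, _, remote in alerts)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for burst in group_bursts(alerts):
        print(burst[0][0], "->", [remote for _, _, remote in burst])
    print(remote_counts(alerts).most_common())
```

On the sample, each burst holds three alerts spaced ten seconds apart, and the same three remote addresses appear on both days.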
I recommend following these steps:

http://kb.eset.com/esetkb/index?page=content&id=SOLN2274&actp=search&viewlocale=en_US&searchid=1372667789843

Exclude the IPs of NVIDIA or disable the popups.

I recommend using Solution #1 (Disable Popup), ESET will still scan it, but you don't get a notification.

I hope this will help :)

#7
Posted 07/01/2013 08:38 AM   