revealdion
Level 7
Message 1 of 40

netguard blocks risky connection

Hi

A few minutes ago NetGuard blocked a risky connection attempt: Host Process for Windows Services, IP 194.7.155.82.

What could this be?

I have Total Protection 2011 on a Windows 7 64-bit PC.

39 Replies
wquinter
Level 7
Message 2 of 40

Re: netguard blocks risky connection

I got the same message. I was able to trace the IP using "www.ip-adress.com/ip_tracer". I have no clue about that, so I leave it blocked.

ip.PNG

Re: netguard blocks risky connection

I concur. Same message, Googled it, found same info, leaving it blocked. Thanks for moral support!

Re: netguard blocks risky connection

I wonder what initiated the call to IP 194.7.155.82 in the first place; the McAfee warning does not seem to give a clue. What program?? At the time, I had just opened Microsoft Excel, Lotus 123 and Windows Explorer (to see files). I also run McAfee Total Protection 2011 on a Windows 7 64-bit PC.

jaydee711
Level 7
Message 5 of 40

Re: netguard blocks risky connection

I experienced the same thing. I run different security products on different machines, and the one running McAfee is the only one that reacted to this IP. I haven't checked detailed logs on the other machines, but all are configured to not let programs make connections to the internet on their own, so I would have been notified.

Cybertrust and Ubizen both belong to Verizon. Verizon is used extensively in Windows to verify security certificates etc for the internet browser, java, flash etc. Did any of you get an alert that java could *not* check for revocation info for a certificate around this time?

Message was edited by: jaydee711 s/could/could not on 3/17/12 6:49:51 PM CDT

Re: netguard blocks risky connection

I did not get any alert that java could *not* check for revocation info for a certificate. All I saw was the McAfee message window.

I do use Verizon FiOS as my provider, but I wonder why McAfee shows IP 194.7.155.82 as Red if it is an IP listed with NV Verizon in Belgium and Cybertrust - Ubizen.

Re: netguard blocks risky connection

Keep this IP banned/flagged/removed from any of your networks. I am a McAfee user like you; however, I have a computer science background. I am currently tracking this IP further because I too got this same message on 3/17/2012. After it popped up, I blocked it, or so I thought. About 5 minutes later one of my computers locked up with the exception of my mouse, and then my computer fan kicked in as the resources were both at 100% for about 3 minutes, until I realized someone was using my resources on a botnet. I did a hard restart to safe mode, enabled my HIDS to detect the IP and any other intrusion from that IP, then restarted normally and have not had problems since (about 30 minutes now), but I am still tracking it, so hopefully I will have a follow-up shortly!

IP address information:

WHOIS Source: RIPE NCC
IP Address:   194.7.155.82
Country:      Belgium
Network Name: UU-194-7-155-80
Owner Name:   Cybertrust - Ubizen
From IP:      194.7.155.80
To IP:        194.7.155.95
Allocated:    Yes
Contact Name: Stephen Biets
Address:      Verizon/Cybertrust, Philipssite 5, 3001 Leuven, be
Email:        stephen.biets@be.verizonbusiness.com
Abuse Email:  abuse@be.uu.net
Phone:        +32 16 28 7397
Fax:

WHOIS Record:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '194.7.155.80 - 194.7.155.95'

inetnum:        194.7.155.80 - 194.7.155.95
netname:        UU-194-7-155-80
descr:          Cybertrust - Ubizen
descr:          Leuven, be
country:        BE
admin-c:        SB12089-RIPE
tech-c:         SB12089-RIPE
status:         ASSIGNED PA
mnt-by:         AS2822-MNT
notify:         ip@se.verizonbusiness.com
changed:        ip@se.verizonbusiness.com 20100531 # BN1055-RIPE
source:         RIPE

irt:            IRT-MCI-BE
address:        ISG/IP Network Security
address:        MCI
address:        Kroonburgh D2
address:        H.J.E. Wenckebachweg 123
address:        1096 AM Amsterdam
address:        NL
phone:          +31 20 4952959
fax-no:         +31 20 7178893
e-mail:         abuse@be.uu.net
abuse-mailbox:  abuse@be.uu.net
org:            ORG-IUB1-RIPE
admin-c:        WERT1-RIPE
tech-c:         WERT1-RIPE
auth:           MD5-PW $1$T6sZUHUL$U6wJAZrPHaxvZxA2PwxZE/
auth:           PGPKEY-5960220D
auth:           PGPKEY-5E478DDC
auth:           PGPKEY-92479A5D
auth:           PGPKEY-B4826395
irt-nfy:        ip-net-sec@de.mci.com
irt-nfy:        registrar@eu.uu.net
notify:         ip-net-sec@de.mci.com
notify:         registrar@eu.uu.net
mnt-by:         MCI-EMEA-M-MNT
changed:        registrar@eu.uu.net 20050517 # @handle@
source:         RIPE

person:         Stephen Biets
address:        Verizon/Cybertrust
address:        Philipssite 5
address:        3001 Leuven
address:        be
phone:          +32 16 28 7397
e-mail:         stephen.biets@be.verizonbusiness.com
nic-hdl:        SB12089-RIPE
mnt-by:         AS2822-MNT
notify:         ip@se.verizonbusiness.com
changed:        ip@se.verizonbusiness.com 20100528 # BN1055-RIPE
source:         RIPE

% Information related to '194.7.0.0/16AS2822'

route:        194.7.0.0/16
descr:        INNET-BLOCK
origin:       AS2822
remarks:      CIDR all the way down
remarks:      **************************************
remarks:      * For spamming or other abuse issues *
remarks:      * Please send your requests to       *
remarks:      * abuse@be.uu.net                    *
remarks:      **************************************
notify:       hostmaster@INbe.net
mnt-by:       AS2822-MNT
mnt-by:       WCOM-EMEA-RICE-MNT
changed:      Patrick.Sichien@be.uu.net 20010507
changed:      Maarten.Buekers@be.uu.net 20011025
changed:      hendrik.volker@deu.mci.com 20050406
source:       RIPE

% Information related to '194.7.0.0/16AS702'

route:          194.7.0.0/16
descr:          BE PA route
origin:         AS702
holes:          194.7.112.0/22
holes:          194.7.124.240/28
holes:          194.7.243.224/28
member-of:      AS702:RS-BE,
                AS702:RS-BE-PA
inject:         upon static
aggr-mtd:       outbound
remarks:        **********ABUSE ISSUES**********
remarks:        All abuse must be reported to
remarks:        abuse@be.uu.net for this network.
remarks:        ********************************
mnt-routes:     FORTIS-MNT {194.7.112.0/22^+, 194.7.124.240/28^+, 194.7.243.224/28^+}
mnt-by:         WCOM-EMEA-RICE-MNT
changed:        rice@lists.mci.com 20110314
source:         RIPE

Message was edited by: edwardjwlaunt on 3/18/12 10:01:46 AM CDT
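The record above is what a defender actually has to work with when a firewall flags an outbound connection: RPSL text with an inetnum range, a covering route and an abuse mailbox. As an added example (not code from the thread, from McAfee or from RIPE), here is a small Python helper that parses such output, checks which objects cover the blocked address, and pulls out the netname, origin AS and abuse contact. The embedded sample is a trimmed copy of the WHOIS record quoted in the post; the function names (`parse_rpsl`, `covering_objects`, `triage`) are this example's own.

```python
"""Triage a blocked IP against RIPE-style RPSL WHOIS output (stdlib only)."""
import ipaddress

# Constructed sample: a trimmed copy of the RIPE record quoted in the thread,
# including a continuation line ("member-of:") as RPSL allows.
SAMPLE_WHOIS = """\
% Information related to '194.7.155.80 - 194.7.155.95'

inetnum:        194.7.155.80 - 194.7.155.95
netname:        UU-194-7-155-80
descr:          Cybertrust - Ubizen
descr:          Leuven, be
country:        BE
status:         ASSIGNED PA
mnt-by:         AS2822-MNT
source:         RIPE

irt:            IRT-MCI-BE
address:        ISG/IP Network Security
e-mail:         abuse@be.uu.net
abuse-mailbox:  abuse@be.uu.net
source:         RIPE

route:          194.7.0.0/16
descr:          BE PA route
origin:         AS702
member-of:      AS702:RS-BE,
                AS702:RS-BE-PA
source:         RIPE
"""


def parse_rpsl(text):
    """Split WHOIS text into objects: each is a dict of attribute -> list of values."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith("%"):          # server comments, not object data
            continue
        if not line.strip():              # blank line ends the current object
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t+" and last_key:  # RPSL continuation line
            current[last_key][-1] += " " + line.strip().lstrip("+").strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def covering_objects(objects, ip):
    """Return inetnum objects whose range, and route objects whose prefix, contain ip."""
    ip = ipaddress.ip_address(ip)
    hits = []
    for obj in objects:
        if "inetnum" in obj:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-"))
            if lo <= ip <= hi:
                hits.append(obj)
        elif "route" in obj and ip in ipaddress.ip_network(obj["route"][0], strict=False):
            hits.append(obj)
    return hits


def abuse_contacts(objects):
    return sorted({c for obj in objects for c in obj.get("abuse-mailbox", [])})


def triage(text, ip):
    """Summarise who owns the address and where to report it."""
    objects = parse_rpsl(text)
    hits = covering_objects(objects, ip)
    return {
        "ip": ip,
        "netname": next((o["netname"][0] for o in hits if "netname" in o), None),
        "descr": [d for o in hits for d in o.get("descr", [])],
        "origin_as": next((o["origin"][0] for o in hits if "origin" in o), None),
        "abuse": abuse_contacts(objects),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_WHOIS, "194.7.155.82"))
```

The point of the check is that a "High Risk" label from a reputation feed and the registry data are two independent signals: the registry tells you whom the range is assigned to and where abuse reports go, not whether the traffic is malicious, so a mismatch between the two is what deserves a closer look.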
Hayton
Reliable Contributor
Message 8 of 40

Re: netguard blocks risky connection

Back to basics.

@revealdion and @wquinter, you were the first two to post on the 17th, at (it says on my screen) 12:39 and 14:49. What time(s) did you notice Netguard block access to that IP? It could be significant.

TrustedSource is rating that IP as High Risk now, but the record shows that it has been Medium Risk since at least as far back as February 15th.

If you try to access the IP address from your browser SiteAdvisor will do its best to stop you with a blocking page. I went on through to the site and found a directory listing of CRL files. These are Certificate Revocation Lists.

Q1: What is a Certificate Revocation List (CRL)?

A1: A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. A CRL file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.

There are two large groups of CRL files with modification dates of January 11th and March 17th. Whatever updated the January files may be the cause of TrustedSource marking the IP address as Medium Risk; the move to High Risk may have resulted from the changes to some of the files on the 17th. That is pure guesswork, but the dates are suggestive.

Without downloading these CRL files and examining their contents there is no way to know what exactly is behind the TrustedSource rating changes.

I think this deserves to be kept under review because the companies involved are key players in the computer security arena. The Cybertrust Wikipedia entry reads, in part:

CyberTrust was a security services company formed in Virginia in November 2004 as a result of a merger of the TruSecure and Betrusted security companies.

Cybertrust acquired a large stake in Ubizen, a European security services firm based in Belgium to become one of the largest information security firms in the world.

And there are traces, on some of the websites I used while investigating this IP address and its hosting provider and ISP, that show a flurry of interest in the IP address especially over the past 48 hours. Some of that might be down to the curiosity of the posters in this thread, but I wonder how many others there are who have wondered if something is amiss.

There is cause for concern here, although I can't see to what use a modified CRL might be put. But then, I'm not a hacker. I'll get in touch with TrustedSource and Ubizen and alert them to the situation. If it's a false positive being flagged by TrustedSource then it can easily be corrected, but I would hope someone would carry out an investigation to make sure that there aren't problems at Ubizen.

Message was edited by: Hayton on 18/03/12 06:44:07 GMT
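The Q1/A1 above lists what a CRL carries: issuer name, effective date (thisUpdate), next update date and the revoked serial numbers with their revocation dates. To make those fields concrete, here is an added example (not code from the thread, from McAfee or from Cybertrust/Ubizen) that builds a small CRL in DER with only the Python standard library and parses it back, then answers the two questions a relying party asks: is this serial on the list, and is the list itself still within its validity window? Everything in it is constructed: the issuer name, serials and dates are made up, and the signature field is a zero-filled placeholder that is not verified, which a real client must do before trusting the list.

```python
"""Build and parse a minimal X.509 CRL (RFC 5280 CertificateList) in DER.

Stdlib-only encoder/decoder for the fields a CRL carries. The signature is a
constructed placeholder and is NOT verified here.
"""
from datetime import datetime, timedelta, timezone

INTEGER, BITSTRING, NULL, OID = 0x02, 0x03, 0x05, 0x06          # DER universal tags
PRINTABLE, UTCTIME, SEQUENCE, SET = 0x13, 0x17, 0x30, 0x31
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
CN = "2.5.4.3"                         # commonName

def tlv(tag, content):  # DER TLV; long-form length once content >= 128 bytes
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def enc_int(value):  # non-negative INTEGER, minimal two's-complement bytes
    return tlv(INTEGER, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def enc_oid(dotted):  # first two arcs share one byte, the rest are base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def enc_time(dt):  # UTCTime, YYMMDDHHMMSSZ
    return tlv(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())

def der_read(buf, pos=0):  # -> (tag, content, next_pos) for the TLV at pos
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        items.append((tag, body))
    return items

def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def dec_time(body):
    return datetime.strptime(body.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def build_crl(issuer_cn, this_update, next_update, revoked):
    alg = tlv(SEQUENCE, enc_oid(SHA256_RSA) + tlv(NULL, b""))
    issuer = tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE, enc_oid(CN) + tlv(PRINTABLE, issuer_cn.encode()))))
    entries = b"".join(tlv(SEQUENCE, enc_int(s) + enc_time(d)) for s, d in revoked)
    tbs = tlv(SEQUENCE, enc_int(1) + alg + issuer + enc_time(this_update)   # INTEGER 1 == v2
              + enc_time(next_update) + tlv(SEQUENCE, entries))
    sig = tlv(BITSTRING, b"\x00" * 33)  # placeholder: unused-bits byte plus zero signature
    return tlv(SEQUENCE, tbs + alg + sig)

def parse_crl(der):
    _, outer, _ = der_read(der)
    (_, tbs), _alg, _sig = der_children(outer)
    f, i, version = der_children(tbs), 0, 1
    if f[i][0] == INTEGER:  # version is optional; absent means v1
        version, i = int.from_bytes(f[i][1], "big") + 1, i + 1
    sig_alg = dec_oid(der_children(f[i][1])[0][1])
    issuer = {}  # Name = SEQUENCE OF SET OF SEQUENCE { OID, value }
    for _, rdn in der_children(f[i + 1][1]):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            issuer[dec_oid(oid)] = val.decode()
    this_update, i = dec_time(f[i + 2][1]), i + 3
    next_update = None
    if i < len(f) and f[i][0] == UTCTIME:
        next_update, i = dec_time(f[i][1]), i + 1
    revoked = {}
    if i < len(f) and f[i][0] == SEQUENCE:
        for _, entry in der_children(f[i][1]):
            (_, serial), (_, when) = der_children(entry)[:2]
            revoked[int.from_bytes(serial, "big")] = dec_time(when)
    return {"version": version, "signature_algorithm": sig_alg, "issuer": issuer,
            "this_update": this_update, "next_update": next_update, "revoked": revoked}

def is_revoked(crl, serial):
    return serial in crl["revoked"]

def crl_is_current(crl, now):  # outside [thisUpdate, nextUpdate] the list must not be trusted
    return crl["this_update"] <= now and (crl["next_update"] is None or now <= crl["next_update"])

# Constructed sample: a one-hour validity window and two revoked serials.
THIS_UPDATE = datetime(2012, 3, 17, 12, 0, 0, tzinfo=timezone.utc)
NEXT_UPDATE = THIS_UPDATE + timedelta(hours=1)
REVOKED = [(0x1001, THIS_UPDATE - timedelta(days=3)), (0x1002, THIS_UPDATE - timedelta(hours=2))]
SAMPLE_CRL = build_crl("Example CRL Issuer", THIS_UPDATE, NEXT_UPDATE, REVOKED)
```

Run `parse_crl(SAMPLE_CRL)` to see the issuer, both dates and the revoked serials come back out of the DER. The `crl_is_current` check is the part worth noting for the thread's question: a client that cannot reach the distribution point keeps using its cached list only until nextUpdate, which is why a blocked CRL fetch can surface as revocation warnings some time after the block rather than immediately.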

Re: netguard blocks risky connection

Peter, I got it as well and left it blocked. Time:

Australia, 17 March 6:22:58 am, not daylight saving time, i.e. GMT+10 hrs.

Message was edited by: Peacekeeper on 18/03/12 4:47:25 PM
Hayton
Reliable Contributor
Reliable Contributor
Message 10 of 40

Re: netguard blocks risky connection

I've contacted TrustedSource and Ubizen. I know it's a Sunday, so don't expect anything to happen until late Monday. It'll probably just quietly go from Red to Green without any explanation...
