Open rugabunda opened 4 years ago
I used nvslimmer and clean-installed only the display driver; NVIDIA telemetry was still attempting to connect. Here is the strange pattern I found:
Without fail I am seeing the following recurring connections. NvidiaDisplayContainer.exe connects at intervals to activation.gfe.nvidia.com; simultaneously, ESET Internet Security connects to ESET key activation servers. edf.eset.com points to a Microsoft Azure cloud server with a bad TLS cert; just visit edf.eset.com or edfpcs.trafficmanager.net. The strange thing is: why do ESET and NVIDIA always function in concert? Hundreds of these every day:
Noted below: after deleting nvtelemetry.dll the following patterns changed dramatically.
02:40:13 dnsmasq[1335]: query[A] edf.eset.com from 192.168.50.241
02:40:13 dnsmasq[1335]: blocked by blacklist edf.eset.com is 192.168.50.2
02:40:13 dnsmasq[1335]: query[A] pki.eset.com from 192.168.50.241
02:40:13 dnsmasq[1335]: forwarded pki.eset.com to 127.0.0.1
02:40:13 dnsmasq[1335]: reply pki.eset.com is <CNAME>
02:40:13 dnsmasq[1335]: reply pki.wip.eset.com is 91.228.167.181
02:40:13 dnsmasq[1335]: query[A] edf.eset.com from 192.168.50.241
02:40:13 dnsmasq[1335]: blocked by blacklist edf.eset.com is 192.168.50.2
02:40:13 dnsmasq[1335]: query[A] pki.eset.com from 192.168.50.241
02:40:13 dnsmasq[1335]: cached pki.eset.com is <CNAME>
02:40:13 dnsmasq[1335]: cached pki.wip.eset.com is 91.228.167.181
02:40:14 dnsmasq[1335]: query[A] edf.eset.com from 192.168.50.241
02:40:14 dnsmasq[1335]: blocked by blacklist edf.eset.com is 192.168.50.2
02:40:14 dnsmasq[1335]: query[A] pki.eset.com from 192.168.50.241
02:40:14 dnsmasq[1335]: cached pki.eset.com is <CNAME>
02:40:14 dnsmasq[1335]: cached pki.wip.eset.com is 91.228.167.181
02:40:15 dnsmasq[1335]: query[A] activation.gfe.nvidia.com from 192.168.50.241
02:40:15 dnsmasq[1335]: blocked by blacklist activation.gfe.nvidia.com is 192.168.50.2
Aug 5 01:28:05 dnsmasq[681]: cached clientapi.skype.akadns.net is 13.79.186.4
Aug 5 01:28:13 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 01:28:13 dnsmasq[681]: cached pico.eset.com is <CNAME>
Aug 5 01:28:13 dnsmasq[681]: cached pico.wip.eset.com is 91.228.167.21
Aug 5 01:28:13 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 01:28:13 dnsmasq[681]: cached pico.eset.com is <CNAME>
Aug 5 01:28:13 dnsmasq[681]: cached pico.wip.eset.com is 91.228.167.21
Aug 5 01:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 01:28:14 dnsmasq[681]: cached pico.eset.com is <CNAME>
Aug 5 01:28:14 dnsmasq[681]: cached pico.wip.eset.com is 91.228.167.21
Aug 5 01:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 01:28:14 dnsmasq[681]: cached pico.eset.com is <CNAME>
Aug 5 01:28:14 dnsmasq[681]: cached pico.wip.eset.com is 91.228.167.21
Aug 5 01:28:14 dnsmasq[681]: query[A] edf.eset.com from 192.168.50.241
Aug 5 01:28:14 dnsmasq[681]: forwarded edf.eset.com to 127.0.0.1
Aug 5 01:28:14 dnsmasq[681]: reply edf.eset.com is <CNAME>
Aug 5 01:28:14 dnsmasq[681]: reply edfpcs.trafficmanager.net is <CNAME>
Aug 5 01:28:14 dnsmasq[681]: reply bal-edf-pcs-app-vmss-01.westus.cloudapp.azure.com is 13.64.117.133
Aug 5 01:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 01:28:14 dnsmasq[681]: cached pico.eset.com is <CNAME>
Aug 5 01:28:14 dnsmasq[681]: cached pico.wip.eset.com is 91.228.167.21
Aug 5 01:28:15 dnsmasq[681]: query[A] edf.eset.com from 192.168.50.241
Aug 5 01:28:15 dnsmasq[681]: cached edf.eset.com is <CNAME>
Aug 5 01:28:15 dnsmasq[681]: cached edfpcs.trafficmanager.net is <CNAME>
Aug 5 01:28:15 dnsmasq[681]: cached bal-edf-pcs-app-vmss-01.westus.cloudapp.azure.com is 13.64.117.133
Aug 5 01:28:15 dnsmasq[681]: query[A] edf.eset.com from 192.168.50.241
Aug 5 01:28:15 dnsmasq[681]: cached edf.eset.com is <CNAME>
Aug 5 01:28:15 dnsmasq[681]: cached edfpcs.trafficmanager.net is <CNAME>
Aug 5 01:28:15 dnsmasq[681]: cached bal-edf-pcs-app-vmss-01.westus.cloudapp.azure.com is 13.64.117.133
Aug 5 01:28:17 dnsmasq[681]: query[A] activation.gfe.nvidia.com from 192.168.50.241
Aug 5 01:28:17 dnsmasq[681]: forwarded activation.gfe.nvidia.com to 127.0.0.1
Aug 5 01:28:17 dnsmasq[681]: reply activation.gfe.nvidia.com is <CNAME>
Aug 5 01:28:17 dnsmasq[681]: reply activation-dc1.gfe.nvidia.com is 8.36.80.230
Aug 5 01:28:17 dnsmasq[681]: reply activation-dc1.gfe.nvidia.com is 8.36.113.126
Aug 5 01:28:17 dnsmasq[681]: reply activation-dc1.gfe.nvidia.com is 8.36.80.231
Aug 5 03:28:13 dnsmasq[681]: query[A] edf.eset.com from 192.168.50.241
Aug 5 03:28:13 dnsmasq[681]: forwarded edf.eset.com to 127.0.0.1
Aug 5 03:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 03:28:14 dnsmasq[681]: cached pico.eset.com is <CNAME>
Aug 5 03:28:14 dnsmasq[681]: cached pico.wip.eset.com is 91.228.167.26
Aug 5 03:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 03:28:14 dnsmasq[681]: cached pico.eset.com is <CNAME>
Aug 5 03:28:14 dnsmasq[681]: cached pico.wip.eset.com is 91.228.167.26
Aug 5 03:28:14 dnsmasq[681]: reply edf.eset.com is <CNAME>
Aug 5 03:28:14 dnsmasq[681]: reply edfpcs.trafficmanager.net is <CNAME>
Aug 5 03:28:14 dnsmasq[681]: reply bal-edf-pcs-app-vmss-01.westus.cloudapp.azure.com is 13.64.117.133
Aug 5 03:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 03:28:14 dnsmasq[681]: cached pico.eset.com is <CNAME>
Aug 5 03:28:14 dnsmasq[681]: cached pico.wip.eset.com is 91.228.167.26
Aug 5 03:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 03:28:14 dnsmasq[681]: cached pico.eset.com is <CNAME>
Aug 5 03:28:14 dnsmasq[681]: cached pico.wip.eset.com is 91.228.167.26
Aug 5 03:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 03:28:14 dnsmasq[681]: cached pico.eset.com is <CNAME>
Aug 5 03:28:14 dnsmasq[681]: cached pico.wip.eset.com is 91.228.167.26
Aug 5 03:28:14 dnsmasq[681]: query[A] edf.eset.com from 192.168.50.241
Aug 5 03:28:14 dnsmasq[681]: cached edf.eset.com is <CNAME>
Aug 5 03:28:14 dnsmasq[681]: cached edfpcs.trafficmanager.net is <CNAME>
Aug 5 03:28:14 dnsmasq[681]: cached bal-edf-pcs-app-vmss-01.westus.cloudapp.azure.com is 13.64.117.133
Aug 5 03:28:15 dnsmasq[681]: query[A] edf.eset.com from 192.168.50.241
Aug 5 03:28:15 dnsmasq[681]: cached edf.eset.com is <CNAME>
Aug 5 03:28:15 dnsmasq[681]: cached edfpcs.trafficmanager.net is <CNAME>
Aug 5 03:28:15 dnsmasq[681]: cached bal-edf-pcs-app-vmss-01.westus.cloudapp.azure.com is 13.64.117.133
Aug 5 03:28:18 dnsmasq[681]: query[A] activation.gfe.nvidia.com from 192.168.50.241
Aug 5 03:28:18 dnsmasq[681]: forwarded activation.gfe.nvidia.com to 127.0.0.1
Aug 5 03:28:18 dnsmasq[681]: reply activation.gfe.nvidia.com is <CNAME>
Aug 5 03:28:18 dnsmasq[681]: reply activation-dc1.gfe.nvidia.com is 8.36.80.231
Aug 5 03:28:18 dnsmasq[681]: reply activation-dc1.gfe.nvidia.com is 8.36.113.126
Aug 5 03:28:18 dnsmasq[681]: reply activation-dc1.gfe.nvidia.com is 8.36.80.230
Aug 5 05:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 05:28:14 dnsmasq[681]: forwarded pico.eset.com to 127.0.0.1
Aug 5 05:28:14 dnsmasq[681]: reply pico.eset.com is <CNAME>
Aug 5 05:28:14 dnsmasq[681]: reply pico.wip.eset.com is 38.90.226.39
Aug 5 05:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 05:28:14 dnsmasq[681]: forwarded pico.eset.com to 127.0.0.1
Aug 5 05:28:14 dnsmasq[681]: reply pico.eset.com is <CNAME>
Aug 5 05:28:14 dnsmasq[681]: reply pico.wip.eset.com is 38.90.226.39
Aug 5 05:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 05:28:14 dnsmasq[681]: forwarded pico.eset.com to 127.0.0.1
Aug 5 05:28:14 dnsmasq[681]: reply pico.eset.com is <CNAME>
Aug 5 05:28:14 dnsmasq[681]: reply pico.wip.eset.com is 38.90.226.39
Aug 5 05:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 05:28:14 dnsmasq[681]: forwarded pico.eset.com to 127.0.0.1
Aug 5 05:28:14 dnsmasq[681]: reply pico.eset.com is <CNAME>
Aug 5 05:28:14 dnsmasq[681]: reply pico.wip.eset.com is 38.90.226.39
Aug 5 05:28:14 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 05:28:14 dnsmasq[681]: forwarded pico.eset.com to 127.0.0.1
Aug 5 05:28:14 dnsmasq[681]: reply pico.eset.com is <CNAME>
Aug 5 05:28:14 dnsmasq[681]: reply pico.wip.eset.com is 38.90.226.39
Aug 5 05:28:14 dnsmasq[681]: query[A] edf.eset.com from 192.168.50.241
Aug 5 05:28:14 dnsmasq[681]: forwarded edf.eset.com to 127.0.0.1
Aug 5 05:28:14 dnsmasq[681]: reply edf.eset.com is <CNAME>
Aug 5 05:28:14 dnsmasq[681]: reply edfpcs.trafficmanager.net is <CNAME>
Aug 5 05:28:14 dnsmasq[681]: reply bal-edf-pcs-app-vmss-01.westus.cloudapp.azure.com is 13.64.117.133
Aug 5 05:28:15 dnsmasq[681]: query[A] edf.eset.com from 192.168.50.241
Aug 5 05:28:15 dnsmasq[681]: cached edf.eset.com is <CNAME>
Aug 5 05:28:15 dnsmasq[681]: cached edfpcs.trafficmanager.net is <CNAME>
Aug 5 05:28:15 dnsmasq[681]: cached bal-edf-pcs-app-vmss-01.westus.cloudapp.azure.com is 13.64.117.133
Aug 5 05:28:15 dnsmasq[681]: query[A] edf.eset.com from 192.168.50.241
Aug 5 05:28:15 dnsmasq[681]: cached edf.eset.com is <CNAME>
Aug 5 05:28:15 dnsmasq[681]: cached edfpcs.trafficmanager.net is <CNAME>
Aug 5 05:28:15 dnsmasq[681]: cached bal-edf-pcs-app-vmss-01.westus.cloudapp.azure.com is 13.64.117.133
Aug 5 05:28:18 dnsmasq[681]: query[A] activation.gfe.nvidia.com from 192.168.50.241
Aug 5 05:28:18 dnsmasq[681]: forwarded activation.gfe.nvidia.com to 127.0.0.1
Aug 5 05:28:18 dnsmasq[681]: reply activation.gfe.nvidia.com is <CNAME>
Aug 5 05:28:18 dnsmasq[681]: reply activation-dc1.gfe.nvidia.com is 8.36.80.230
Aug 5 05:28:18 dnsmasq[681]: reply activation-dc1.gfe.nvidia.com is 8.36.113.126
Aug 5 05:28:18 dnsmasq[681]: reply activation-dc1.gfe.nvidia.com is 8.36.80.231
Aug 6 04:35:14 dnsmasq[1240]: query[A] pico.eset.com from 192.168.50.241
Aug 6 04:35:14 dnsmasq[1240]: forwarded pico.eset.com to 127.0.0.1
Aug 6 04:35:14 dnsmasq[1240]: reply pico.eset.com is <CNAME>
Aug 6 04:35:14 dnsmasq[1240]: reply pico.wip.eset.com is 38.90.226.39
Aug 6 04:35:14 dnsmasq[1240]: query[A] pico.eset.com from 192.168.50.241
Aug 6 04:35:14 dnsmasq[1240]: forwarded pico.eset.com to 127.0.0.1
Aug 6 04:35:14 dnsmasq[1240]: reply pico.eset.com is <CNAME>
Aug 6 04:35:14 dnsmasq[1240]: reply pico.wip.eset.com is 38.90.226.39
Aug 6 04:35:14 dnsmasq[1240]: query[A] pico.eset.com from 192.168.50.241
Aug 6 04:35:14 dnsmasq[1240]: forwarded pico.eset.com to 127.0.0.1
Aug 6 04:35:14 dnsmasq[1240]: reply pico.eset.com is <CNAME>
Aug 6 04:35:14 dnsmasq[1240]: reply pico.wip.eset.com is 38.90.226.39
Aug 6 04:35:15 dnsmasq[1240]: query[A] pico.eset.com from 192.168.50.241
Aug 6 04:35:15 dnsmasq[1240]: forwarded pico.eset.com to 127.0.0.1
Aug 6 04:35:15 dnsmasq[1240]: reply pico.eset.com is <CNAME>
Aug 6 04:35:15 dnsmasq[1240]: reply pico.wip.eset.com is 38.90.226.39
Aug 6 04:35:17 dnsmasq[1240]: query[A] activation.gfe.nvidia.com from 192.168.50.241
Aug 6 04:35:17 dnsmasq[1240]: forwarded activation.gfe.nvidia.com to 127.0.0.1
Aug 6 04:35:17 dnsmasq[1240]: query[A] edf.eset.com from 192.168.50.241
Aug 6 04:35:17 dnsmasq[1240]: forwarded edf.eset.com to 127.0.0.1
Aug 6 04:35:17 dnsmasq[1240]: reply activation.gfe.nvidia.com is <CNAME>
Aug 6 04:35:17 dnsmasq[1240]: reply activation-dc1.gfe.nvidia.com is 8.36.80.230
Aug 6 04:35:17 dnsmasq[1240]: reply activation-dc1.gfe.nvidia.com is 8.36.80.231
Aug 6 04:35:17 dnsmasq[1240]: reply activation-dc1.gfe.nvidia.com is 8.36.113.126
After deleting nvtelemetry.dll, ESET queries were cut nearly in half. pico*.eset.com was no longer connected to, nor was activation.gfe.nvidia.com.
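One way to test the "in concert" observation against a dnsmasq query log, as an added example that is not part of the original post: it counts, in both directions, how often queries under two domain suffixes from the same client fall within a few seconds of each other, and reports the spacing between successive NVIDIA lookups. The sample lines are constructed, and the function names, the 10-second window and the placeholder year are assumptions.

```python
import re
from datetime import datetime
# Constructed sample in the dnsmasq query-log format shown in the post.
SAMPLE_LOG = """\
Aug 5 01:28:13 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 01:28:14 dnsmasq[681]: query[A] edf.eset.com from 192.168.50.241
Aug 5 01:28:14 dnsmasq[681]: cached edf.eset.com is <CNAME>
Aug 5 01:28:17 dnsmasq[681]: query[A] activation.gfe.nvidia.com from 192.168.50.241
Aug 5 02:10:00 dnsmasq[681]: query[A] pico.eset.com from 192.168.50.241
Aug 5 03:28:13 dnsmasq[681]: query[A] edf.eset.com from 192.168.50.241
Aug 5 03:28:18 dnsmasq[681]: query[A] activation.gfe.nvidia.com from 192.168.50.241
"""
LINE = re.compile(r"^(?:(?P<date>\w{3}\s+\d+)\s+)?(?P<time>\d\d:\d\d:\d\d) "
                  r"dnsmasq\[\d+\]: query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$")

def parse_queries(text):
    """Return (timestamp, client, name) per query line; replies are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            # Syslog lines carry no year (some excerpts no date): assume 2000, Jan 1.
            stamp = f"2000 {m['date'] or 'Jan 1'} {m['time']}"
            ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
            out.append((ts, m["client"], m["name"].lower()))
    return out

def under(name, suffix):
    return name == suffix or name.endswith("." + suffix)

def co_occurrence(queries, anchor, other, window=10):
    """Both directions: how many `anchor` queries have an `other` query from the
    same client within `window` seconds, and how many `other` have an `anchor`."""
    a = [(t, c) for t, c, n in queries if under(n, anchor)]
    b = [(t, c) for t, c, n in queries if under(n, other)]
    def near(xs, ys):
        return sum(any(c == c2 and abs((t - t2).total_seconds()) <= window
                       for t2, c2 in ys) for t, c in xs)
    return {"anchor": len(a), "anchor_near_other": near(a, b),
            "other": len(b), "other_near_anchor": near(b, a)}

def intervals(queries, suffix):
    """Seconds between successive queries under `suffix` (timer-like cadence)."""
    ts = sorted(t for t, _, n in queries if under(n, suffix))
    return [int((y - x).total_seconds()) for x, y in zip(ts, ts[1:])]

if __name__ == "__main__":
    q = parse_queries(SAMPLE_LOG)
    print(co_occurrence(q, "gfe.nvidia.com", "eset.com"), intervals(q, "gfe.nvidia.com"))
```

If every NVIDIA query has an ESET neighbour but some ESET queries have no NVIDIA neighbour, the ESET client is also running on its own schedule and the overlap does not by itself show that one process triggers the other.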
pico.eset.com is the ESET anti-virus update site and is related to your computer's NOD32/ESET anti-virus and has nothing to do with NVIDIA.
bal-edf-pcs-app-vmss-01.westus.cloudapp.azure.com is also related to the ESET activation server.
Why do ESET and NVIDIA always function in concert?
Because it looks like for some reason your system is blocking pico.eset.com, so the program can't check for updates. Every time it detects you are accessing the internet, it tries to check for updates but can't.
02:40:13 dnsmasq[1335]: query[A] edf.eset.com from 192.168.50.241
02:40:13 dnsmasq[1335]: blocked by blacklist edf.eset.com is 192.168.50.2
02:40:13 dnsmasq[1335]: query[A] pki.eset.com from 192.168.50.241
02:40:13 dnsmasq[1335]: forwarded pki.eset.com to 127.0.0.1
Looks like activation.gfe.nvidia.com and activation-dc1.gfe.nvidia.com need to be blocked in the hosts file as part of this script though.
@agret Still seems strange to me; all of them were working in concert. Never seen that before. Anyway, it seems now nothing one does stops the DNS requests or connection attempts by NVIDIA's latest drivers; it's baked into their drivers... gotta use a hosts file & firewall. This should be illegal; we need laws to ensure one can disable all telemetry and be notified about it up front.
Better use this way https://www.nvidia.com/en-us/geforce/forums/game-ready-drivers/13/275717/defeating-nvidias-telemetry/ Deleting telemetry before driver installation.
Yes, that was the better way in 2018 when this tool was first created and did that, but they have since changed it so that the telemetry is more integrated into the drivers with every new update.
nvcleaninstall has the latest way, but it seems NVIDIA really wants it left intact.
You can't just delete a dll file like that because that will mean sigverif.exe will now fail. It requires the presence of all the signed files.
So how do we defeat the telemetry without deletion of that file?
The only way to disable NVIDIA telemetry now is to delete the nvtelemetry.dll, for example in the folder: C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_547eeefb57db4499
If you do not delete this, then C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe will connect to *.gfe.nvidia.com