Ylianst / MeshAgent

MeshAgent used along with MeshCentral to remotely manage computers. Many variations of the background management agent are included as binaries in the MeshCentral project.
https://meshcentral.com

PRIVACY & TRUST: MeshAssistant contacting several US IP-addresses #198

Closed mas1701 closed 3 months ago

mas1701 commented 1 year ago

Why does MeshAssistant contact these IP addresses when being scanned by VirusTotal?

131.253.33.203:80 (TCP)
192.229.211.108:80 (TCP)
20.99.184.37:443 (TCP)
20.99.185.48:443 (TCP)
23.216.147.64:443 (TCP)
23.216.147.78:80 (TCP)
a83f:8110:0:0:0:0:2002:0:53 (UDP)

Several of them point to Microsoft. Others to AKAMAI or Edgecast Inc.

This is a serious breach of privacy and a violation of the EU GDPR (General Data Protection Regulation). This should not happen at all.

Interestingly, the IP address of the MeshCentral server preconfigured within the client is not contacted. That might be considered positive, but does not explain the rest.

I hope some can clarify.

(This should go to MeshAssistant Issues. You may move it, unless MeshAgent behaves the same way.)

tomsik-radek commented 1 year ago

I can confirm. VirusTotal gave me only

131.253.33.203:80 (TCP)
192.229.211.108:80 (TCP)
20.99.133.109:443 (TCP)
23.216.147.74:80 (TCP)

But I wonder if it is something by VirusTotal, or did you try catching these yourself with Wireshark? I would definitely prefer if it didn't try to contact them at all; even worse that this isn't disclosed anywhere.

mas1701 commented 1 year ago

> I can confirm. VirusTotal gave me only
>
> 131.253.33.203:80 (TCP)
> 192.229.211.108:80 (TCP)
> 20.99.133.109:443 (TCP)
> 23.216.147.74:80 (TCP)
>
> But I wonder if it is something by VirusTotal, or did you try catching these yourself with Wireshark? I would definitely prefer if it didn't try to contact them at all; even worse that this isn't disclosed anywhere.

I did not use Wireshark, it's from VirusTotal. They apparently run the assistant in a sandbox environment.

MBudkin commented 1 year ago

Has anyone figured out what these addresses are? Is it possible to remove unnecessary connections from the agent and server?

si458 commented 3 months ago

If you check the IPs using HTTPS, e.g. https://192.229.211.108/, 192.229.211.108 is actually DigiCert by its SSL cert. They are actually used for the timestamp to validate the exe for security by Microsoft, so the exe is simply contacting them to verify the timestamp and signatures in the MeshAgent are correct when it runs every time. This isn't anything to do with MeshCentral. You can try disabling the timestamp server signing using agentTimeStampServer: false under settings in your config.json. NOTE: YOU MUST RESTART MESHCENTRAL AND CHANCES ARE YOU NEED TO ALSO REDEPLOY YOUR MESHAGENTS TOO!
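The two practical steps in the comment above, checking who a contacted IP's TLS certificate actually names and turning off `agentTimeStampServer` in `config.json`, as an added example script (not MeshCentral or MeshAgent project code). It uses only the Python 3 standard library. `SAMPLE_PEER_CERT` is a constructed placeholder in the shape `ssl.SSLSocket.getpeercert()` returns, not a capture from any of the addresses listed in this issue; the `config.json` path is an assumed example path.

```python
"""Added example: inspect a TLS endpoint's certificate by IP, and set
settings.agentTimeStampServer to false in a MeshCentral-style config.json.
Not project code; written for this issue thread."""
import json
import socket
import ssl
import sys

# Constructed placeholder in the nested-tuple shape of getpeercert().
# Values are invented; they do not describe any real host in the thread.
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Timestamp Authority"),),
        (("commonName", "timestamp.example.invalid"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA"),),
        (("commonName", "Example Root CA"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def summarize_cert(cert):
    """Flatten getpeercert()'s nested RDN tuples into plain dicts so the
    organization and common name of the subject and issuer are readable."""
    def flat(rdns):
        return {key: value for rdn in rdns for (key, value) in rdn}
    return {
        "subject": flat(cert.get("subject", ())),
        "issuer": flat(cert.get("issuer", ())),
        "not_after": cert.get("notAfter"),
    }


def fetch_peer_cert(ip, port=443, timeout=5):
    """Open a TLS connection to ip:port and return the decoded peer cert.
    The chain is still verified against the system trust store (so
    getpeercert() returns the parsed dict); only hostname matching is
    skipped, because we connect by IP rather than by name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # connecting by IP, no name to match
    ctx.verify_mode = ssl.CERT_REQUIRED  # keep chain validation
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=ip) as tls:
            return tls.getpeercert()


def disable_agent_timestamp_server(cfg):
    """Return a copy of a parsed config.json with
    settings.agentTimeStampServer set to false (the setting named in the
    comment above). All other keys are left untouched."""
    new_cfg = json.loads(json.dumps(cfg))  # deep copy via round-trip
    new_cfg.setdefault("settings", {})["agentTimeStampServer"] = False
    return new_cfg


if __name__ == "__main__":
    # Usage: python check.py cert <ip> [port]
    #        python check.py config </path/to/config.json>  (assumed path)
    if len(sys.argv) >= 3 and sys.argv[1] == "cert":
        port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
        try:
            print(json.dumps(summarize_cert(fetch_peer_cert(sys.argv[2], port)), indent=2))
        except ssl.SSLCertVerificationError as exc:
            print("chain did not validate against the local trust store:", exc)
    elif len(sys.argv) == 3 and sys.argv[1] == "config":
        with open(sys.argv[2], "r", encoding="utf-8") as fh:
            updated = disable_agent_timestamp_server(json.load(fh))
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            json.dump(updated, fh, indent=2)
        print("settings.agentTimeStampServer set to false; restart MeshCentral")
    else:
        print(json.dumps(summarize_cert(SAMPLE_PEER_CERT), indent=2))
```

Run `cert` against an address from the VirusTotal list to see the subject and issuer the certificate actually carries, which is more reliable than a reverse-DNS or WHOIS guess at who owns the IP. The `config` mode edits the file in place; as the comment says, MeshCentral has to be restarted afterwards and agents likely redeployed.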