Where can I see what task/process/daemon initiated outbound network traffic that is routed through 'kav'? , KIS 19 | macOS | 'kav' process

  • 12 August 2019
Kaspersky Internet Security 19 (19.0.0.294b.c.d)
macOS Mojave (10.14.6 )
Kaspersky Security (chrome extension) 20.0.0.3

Where can I see what task/process/daemon initiated outbound network traffic that is routed through 'kav'?


Background

As per design of KIS, most of my network traffic is routed through the background kav process. However, this creates a problem in that I cannot see what task/process/daemon on my computer initiated the outbound traffic.

Problem

For the vast majority of traffic, this isn't an issue (most traffic goes to named domains and is obviously due to known programs -- internet browsing, streaming, messaging, etc.). However, there is a significant amount of traffic that I have which is routed to IP addresses (not DNS-resolved domain names) and I need to determine where it's coming from so that I can set up appropriate firewall rules.

What I've tried

I've enabled both log non-critical events and trace mode to see if originating processes were logged. I found no logs of originating processes at the following locations:

  • /Users//Library/Logs/Kaspersky Lab/ (trace log)
  • /Library/Logs/Kaspersky Lab/ (trace log)
  • KIS application --> Protection --> Reports

More information

Is there a list of safe domains/IP's that KIS uses for service? I see outbound traffic at this moment for example to 77.74.178.18 and 77.74.178.23 which are both Kaspersky Lab servers -- I can't tell if that's chrome web traffic related to this website or if that's KIS in the background doing something.

Examples of outbound IP's I've logged
  • (52.214.10.178 / 35.153.41.70 / 143.204.225.159) --> Amazon related
  • (173.194.76.189 / 35.186.224.47 / 216.58.201.182) --> Google related
  • (17.253.109.203 / 17.167.194.230 / 17.142.171.9) --> Apple related
I don't know if these are CDN's / legitimate web traffic, advertisement/tracking pings, or malicious outbound traffic from rogue software. Obviously, I've only listed public examples (in order to protect my own privacy), but I'm more interested in the IP's that aren't Amazon/Google/Apple.

Thank you,

5 replies

Userlevel 7
Badge +4
Hello @jlc,
Welcome!
There's a published list of Kaspersky servers; this can easily be translated (by anyone) to IP addresses.
Any unrecognised IPs can be investigated with standard IP checkers.
Are you matching IPs/PIDs & processes?
If you have licensed Kaspersky software and would like traffic analysed, it's necessary to contact the Lab/Technical Support, https://support.kaspersky.com/b2c, choose location & contact choice, online chat if it's available in your region, phone, or submit a ticket through your online MyKaspersky account https://my.kaspersky.com.
Also, via your MyKaspersky account, if online chat is available, a small "need help, chat with us, chat now" popup will display.
Thanks

How can I determine what PID generated outbound traffic that is routed through kav?


  • Can I do this through logged information?
  • Why is it necessary to contact technical support in order to review my own private web traffic?

Answers to your questions


Are you matching IPs/PIDs & processes?

Yes; I'm trying to match outbound network traffic to specific PIDs on this computer. However, because all of the traffic is routed through the kav process, all of the outbound traffic appears to come from kav.

Any unrecognised IPs can be investigated with standard IP checkers.

I'm familiar with standard networking tools and can reverse-DNS and ASN-lookup IP addresses. This isn't my concern -- my concern is identifying what PID generated the traffic from this computer.
Userlevel 7
Badge +4
@jlc,
Mac "Activity Monitor", "Network"

I know how to check the PID, but your example does not answer my question.

Which PID originally generated this traffic?


The traffic is being routed through kav, but Kaspersky is obviously not the originator of this traffic. I want to know what PID/program/process originally generated this traffic.

A clear example


For example, here is a current list of connections being routed through kav.

  • Is my connection to google from Chrome? from Safari? from Backup and Sync (drive)?
  • What about my connection to github.com -- is that Canary? Atom?
  • Is my connection to spotify.com from Brave? from the Spotify app?
These are mundane and clear examples. I'm interested in my own private network traffic, but this demonstrates the problem I'm having. I need to be able to differentiate between the originators of traffic.
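One way to get part of the way there from the client side, as an added example that is not from this thread or from Kaspersky: assuming kav accepts application connections on a loopback port (the port number and that mechanism are assumptions; the thread does not say how kav intercepts traffic), an lsof snapshot pairs each client process exactly with its socket into the proxy, and diffing two snapshots gives a heuristic pairing of newly appeared remote endpoints with the clients that became active in the same interval. The lsof lines below are constructed.

```python
import re
from collections import defaultdict

# One line of "lsof -nP +c 0 -iTCP -sTCP:ESTABLISHED": COMMAND PID USER ... TCP src->dst (STATE)
LSOF_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+.*?\sTCP\s+(\S+)->(\S+)\s+\(ESTABLISHED\)")

def parse_lsof(text):
    """Return (command, pid, src, dst) for every established TCP line."""
    return [(m.group(1), int(m.group(2)), m.group(3), m.group(4))
            for m in map(LSOF_RE.match, text.splitlines()) if m]

def proxy_clients(conns, proxy="kav"):
    """Exact pairing: a client socket 127.0.0.1:A->127.0.0.1:B is the mirror of
    the proxy's accepted socket 127.0.0.1:B->127.0.0.1:A."""
    accepted = {(src, dst) for cmd, _, src, dst in conns if cmd == proxy}
    clients = defaultdict(set)
    for cmd, pid, src, dst in conns:
        if cmd != proxy and (dst, src) in accepted:
            clients[(cmd, pid)].add(src)
    return clients

def proxy_remotes(conns, proxy="kav"):
    """Non-loopback endpoints the proxy itself is connected to."""
    return {dst for cmd, _, _, dst in conns
            if cmd == proxy and not dst.startswith("127.")}

def attribute_new(before, after, proxy="kav"):
    """Heuristic: remote endpoints that appeared between two snapshots are
    attributed to clients whose proxy sockets also appeared. Reliable only
    when a single client became active in the interval; shorten it if not."""
    new_remotes = proxy_remotes(after, proxy) - proxy_remotes(before, proxy)
    old = proxy_clients(before, proxy)
    new_clients = {k for k, socks in proxy_clients(after, proxy).items()
                   if socks - old.get(k, set())}
    return {remote: sorted(new_clients) for remote in new_remotes}

# Constructed snapshots (not real output). 3128 stands in for whatever loopback
# port the proxy listens on; 203.0.113.10 is a documentation-range placeholder.
BEFORE = """COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari   402  jlc   30u  IPv4 0xa01      0t0  TCP 127.0.0.1:52311->127.0.0.1:3128 (ESTABLISHED)
kav      137 root   12u  IPv4 0xa02      0t0  TCP 127.0.0.1:3128->127.0.0.1:52311 (ESTABLISHED)
kav      137 root   13u  IPv4 0xa03      0t0  TCP 192.168.1.20:49502->17.253.109.203:443 (ESTABLISHED)
"""
AFTER = BEFORE + """Atom     555  jlc   41u  IPv4 0xa04      0t0  TCP 127.0.0.1:52390->127.0.0.1:3128 (ESTABLISHED)
kav      137 root   14u  IPv4 0xa05      0t0  TCP 127.0.0.1:3128->127.0.0.1:52390 (ESTABLISHED)
kav      137 root   15u  IPv4 0xa06      0t0  TCP 192.168.1.20:49510->203.0.113.10:443 (ESTABLISHED)
"""
```

Run it as `python3 script.py` after replacing the constructed snapshots with two real `lsof` captures taken a few seconds apart; `proxy_clients` is exact, `attribute_new` is only as good as the snapshot interval.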

Userlevel 7
Badge +4
@jlc,
I understand your objective.
Kaspersky Technical Support are the group to assist you. The Technical team will try to answer all your questions.
  • As your second image does not show pid information, I'm not sure what command you've used.
If you have licensed Kaspersky software, the Lab/Technical Support contact options are available @ https://support.kaspersky.com/b2c, choose location & contact choice, online chat if it's available in your region, phone, or submit a ticket through your online MyKaspersky account https://my.kaspersky.com.
Also, via your MyKaspersky account, if online chat is available, a small "need help, chat with us, chat now" popup will display.
---
Alternatively, use software available through GeekTools.
Thanks
