Why is the application connected to Google Analytics?


#1

I used a firewall and detected that your app connected to some server. Why is the connection established?

What data is transferred? GA


#2

You don’t need a firewall for this. A mere netstat -bf on Windows will also showcase currently established connections:

Actieve verbindingen

  Proto  Lokaal adres           Extern adres           Status
 [Visual Paradigm.exe]
  TCP    10.0.1.25:54457        m2052.contabo.host:https  ESTABLISHED
 [Visual Paradigm.exe]
  TCP    10.0.1.25:54592        13.107.21.200:https    TIME_WAIT
  TCP    10.0.1.25:54594        13.107.21.200:https    TIME_WAIT
  TCP    10.0.1.25:54598        a104-125-38-50.deploy.static.akamaitechnologies.com:http  TIME_WAIT
  TCP    10.0.1.25:54599        a-0001.a-msedge.net:https  TIME_WAIT
  TCP    10.0.1.25:54600        a-0001.a-msedge.net:https  TIME_WAIT
  TCP    127.0.0.1:1101         localhost.localdomain:54467  ESTABLISHED
 [Visual Paradigm.exe]
  TCP    127.0.0.1:1101         localhost.localdomain:54468  ESTABLISHED
 [Visual Paradigm.exe]
  TCP    127.0.0.1:1101         localhost.localdomain:54469  ESTABLISHED
 [Visual Paradigm.exe]
  TCP    127.0.0.1:54467        localhost.localdomain:1101  ESTABLISHED
 [jxbrowser-chromium32.exe]
  TCP    127.0.0.1:54468        localhost.localdomain:1101  ESTABLISHED
 [jxbrowser-chromium32.exe]
  TCP    127.0.0.1:54469        localhost.localdomain:1101  ESTABLISHED
 [jxbrowser-chromium32.exe]

So, what we’re seeing here… “m2052.contabo.host” is basically VPository.

13.107.21.200 is also known as ns1.msft.net and seems to be a regular DNS server. However, do note the TIME_WAIT; it doesn’t make an actual connection.

a104-125-38-50.deploy.static.akamaitechnologies.com puzzled me at first, but a Google search pointed me to the Akamai website. They’re a cloud hosting provider, and Visual Paradigm is relying more heavily on net-based functionality these days, so there’s also not much of a surprise here.

Then we’re down to a-0001.a-msedge.net. It has 2 IP addresses:

omicron:/home/peter $ dig a-0001.a-msedge.net

; <<>> DiG 9.11.2 <<>> a-0001.a-msedge.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61978
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a-0001.a-msedge.net.           IN      A

;; ANSWER SECTION:
a-0001.a-msedge.net.    28      IN      A       13.107.21.200
a-0001.a-msedge.net.    28      IN      A       204.79.197.200

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 28 07:43:30 CET 2017
;; MSG SIZE  rcvd: 80

The IP addresses don’t really tell me much, but checking for a-msedge.net in the whois database directs me straight to Microsoft.

Specifically the MarkMonitor website, which also looks very legitimate to me; it’s basically an online service used to protect brands and services from abuse (hackers).

The rest are merely local connections (as you can see).

So summing up: I can’t reproduce your findings.

Except…

When I’m using the “Community Circle” option more data gets sent across, but that’s logical behaviour because that option establishes a website connection from within Visual Paradigm. Is it possible that you used something similar?

From what I can tell Visual Paradigm uses the Chromium engine which is used to establish (HTTP) connections, for example with Community Circle and VPository, but those are not rogue connections.

Also noteworthy is that the Visual Paradigm website utilizes Google Analytics.

So I think that’s what you’re seeing here. Nothing malicious is going on; the program is merely pulling in web data from the website, which in turn also contacts Google Analytics.
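As an added example (not part of this thread, and not Visual Paradigm's code), here is a small Python script that does what the reply above does by eye: it parses `netstat -bf` style output, attaches each `[process.exe]` line to the connection directly above it (the way Windows prints it; TIME_WAIT sockets have no owner and stay unattributed), and then lists only ESTABLISHED connections whose remote side is outside the loopback and private ranges, grouped by process. The sample text is constructed in the shape of the output shown above, with an English header; it assumes the names were already resolved by `-f`, so anything that is not an IP literal is treated as a remote host.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `netstat -bf` output on Windows.
# The bracketed process name is printed after the connection it owns.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.1.25:54457        m2052.contabo.host:https  ESTABLISHED
 [Visual Paradigm.exe]
  TCP    10.0.1.25:54592        13.107.21.200:https    TIME_WAIT
  TCP    10.0.1.25:54598        a104-125-38-50.deploy.static.akamaitechnologies.com:http  TIME_WAIT
  TCP    127.0.0.1:1101         localhost.localdomain:54467  ESTABLISHED
 [Visual Paradigm.exe]
  TCP    127.0.0.1:54467        localhost.localdomain:1101  ESTABLISHED
 [jxbrowser-chromium32.exe]
  UDP    0.0.0.0:500            *:*
"""

# A connection line: proto, local endpoint, foreign endpoint, optional state (UDP has none).
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# An owner line such as " [Visual Paradigm.exe]".
PROC_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def split_endpoint(endpoint):
    """'host:port' -> (host, port); IPv6 literals like [::1]:80 lose their brackets."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat_b(text):
    """Return a list of connection dicts; 'process' is None when netstat printed no owner."""
    conns = []
    last = None  # the connection an upcoming [process] line belongs to
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            last = {
                "proto": proto,
                "local": split_endpoint(local),
                "remote": split_endpoint(remote),
                "state": state or "",
                "process": None,
            }
            conns.append(last)
            continue
        m = PROC_RE.match(line)
        if m and last is not None:
            last["process"] = m.group(1)
            last = None  # one owner line per connection
    return conns


def is_local(host):
    """True for loopback, wildcard, link-local and RFC 1918 addresses (and localhost names)."""
    if host in ("localhost", "localhost.localdomain", "*", ""):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a resolved hostname: assume it is a remote host
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def external_connections(conns):
    """ESTABLISHED connections to non-local hosts, grouped by owning process."""
    by_proc = defaultdict(list)
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue  # TIME_WAIT/LISTENING entries carry no live remote session
        host, port = c["remote"]
        if is_local(host):
            continue
        by_proc[c["process"] or "<unknown>"].append(f"{host}:{port}")
    return dict(by_proc)


if __name__ == "__main__":
    for proc, remotes in external_connections(parse_netstat_b(SAMPLE)).items():
        print(proc)
        for r in remotes:
            print("   ->", r)
```

On a real machine, pipe the output of `netstat -bf` (run from an elevated prompt, since `-b` needs it) into `parse_netstat_b` instead of `SAMPLE`; the remaining hostnames are the ones worth looking up with dig and whois as the reply describes.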


#3

I remember when I first ran Visual Paradigm, there was a checkbox to agree to join the experience improvement program.

And I just found there is an option “Experience Improvement”.

I haven’t checked whether it is the cause. You may have to try.