I used a firewall and detected your app connecting to some server. Why is a connection established?
What data is transferred?
You don’t need a firewall for this. A mere netstat -bf on Windows will also showcase currently established connections:
Actieve verbindingen
Proto Lokaal adres Extern adres Status
[Visual Paradigm.exe]
TCP 10.0.1.25:54457 m2052.contabo.host:https ESTABLISHED
[Visual Paradigm.exe]
TCP 10.0.1.25:54592 13.107.21.200:https TIME_WAIT
TCP 10.0.1.25:54594 13.107.21.200:https TIME_WAIT
TCP 10.0.1.25:54598 a104-125-38-50.deploy.static.akamaitechnologies.com:http TIME_WAIT
TCP 10.0.1.25:54599 a-0001.a-msedge.net:https TIME_WAIT
TCP 10.0.1.25:54600 a-0001.a-msedge.net:https TIME_WAIT
TCP 127.0.0.1:1101 localhost.localdomain:54467 ESTABLISHED
[Visual Paradigm.exe]
TCP 127.0.0.1:1101 localhost.localdomain:54468 ESTABLISHED
[Visual Paradigm.exe]
TCP 127.0.0.1:1101 localhost.localdomain:54469 ESTABLISHED
[Visual Paradigm.exe]
TCP 127.0.0.1:54467 localhost.localdomain:1101 ESTABLISHED
[jxbrowser-chromium32.exe]
TCP 127.0.0.1:54468 localhost.localdomain:1101 ESTABLISHED
[jxbrowser-chromium32.exe]
TCP 127.0.0.1:54469 localhost.localdomain:1101 ESTABLISHED
[jxbrowser-chromium32.exe]
So, what we’re seeing here… “m2052.contabo.host” is basically VPository.
13.107.21.200 is also known as ns1.msft.net and seems to be a regular DNS server. However, do note the TIME_WAIT: it doesn’t make an actual connection.
a104-125-38-50.deploy.static.akamaitechnologies.com puzzled me at first, but a Google search pointed me to the Akamai website. They’re a cloud hosting provider, and Visual Paradigm relies more heavily on net-based functionality these days, so there’s also not much of a surprise here.
Then we’re down to a-0001.a-msedge.net. It has 2 IP addresses:
omicron:/home/peter $ dig a-0001.a-msedge.net
; <<>> DiG 9.11.2 <<>> a-0001.a-msedge.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61978
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a-0001.a-msedge.net. IN A
;; ANSWER SECTION:
a-0001.a-msedge.net. 28 IN A 13.107.21.200
a-0001.a-msedge.net. 28 IN A 204.79.197.200
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 28 07:43:30 CET 2017
;; MSG SIZE rcvd: 80
The IP addresses don’t really tell me much but checking for a-msedge.net in the whois database directs me straight to Microsoft.
Specifically, the markmonitor website, which also looks very legitimate to me; it’s basically an online service used to protect brands and services from abuse (hackers).
The rest are merely local connections (as you can see).
So summing up: I can’t reproduce your findings.
Except…
When I’m using the “Community Circle” option more data gets sent across, but that’s logical behaviour because that option establishes a website connection from within Visual Paradigm. Is it possible that you used something similar?
From what I can tell Visual Paradigm uses the Chromium engine which is used to establish (HTTP) connections, for example with Community Circle and VPository, but those are not rogue connections.
Also noteworthy is that the Visual Paradigm website utilizes Google Analytics.
So I think that’s what you’re seeing here. Nothing malicious is going on; the program is merely pulling in web data from the website, which in its turn also contacts Google Analytics.
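The triage done by hand above (drop the loopback pairs, ignore TIME_WAIT sockets, keep only the ESTABLISHED sockets that leave the machine, and note which process owns each) can be scripted. The following is an added example, not code from the thread or from Visual Paradigm; it parses a constructed sample in the shape of Windows `netstat -bf` output and assumes netstat prints the owning process in [brackets] on the line after its connection, with no bracket line for TIME_WAIT sockets, which have no owner.

```python
import re

# Constructed sample in the shape of Windows `netstat -bf` output (assumption:
# the owning process is printed in [brackets] on the line after its connection,
# and TIME_WAIT sockets, having no owner, get no bracket line).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address              State
  TCP    10.0.1.25:54457        m2052.contabo.host:https     ESTABLISHED
 [Visual Paradigm.exe]
  TCP    10.0.1.25:54592        13.107.21.200:https          TIME_WAIT
  TCP    10.0.1.25:54599        a-0001.a-msedge.net:https    TIME_WAIT
  TCP    127.0.0.1:1101         localhost.localdomain:54467  ESTABLISHED
 [Visual Paradigm.exe]
  TCP    127.0.0.1:54467        localhost.localdomain:1101   ESTABLISHED
 [jxbrowser-chromium32.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
"""

# UDP rows have no State column, so the fourth field is optional.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat(text):
    """Parse netstat -b text into dicts with proto/local/remote/state/process."""
    conns, last = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            last = {"proto": proto, "local": local, "remote": remote,
                    "state": state or "", "process": None}
            conns.append(last)
            continue
        p = PROC_RE.match(line)
        if p and last is not None:
            last["process"] = p.group(1)  # owner belongs to the preceding socket
    return conns


def is_loopback(addr):
    host = addr.rsplit(":", 1)[0]
    return host.startswith("127.") or host in ("[::1]", "localhost", "localhost.localdomain")


def external_established(conns):
    """The sockets worth a second look: ESTABLISHED and not local to the machine."""
    return sorted({(c["process"], c["remote"]) for c in conns
                   if c["state"] == "ESTABLISHED"
                   and not is_loopback(c["local"]) and not is_loopback(c["remote"])})
```

On the sample, only the Visual Paradigm socket to m2052.contabo.host survives the filter; the two TIME_WAIT rows and the loopback pairs between Visual Paradigm and its jxbrowser-chromium helper are dropped, which is the same conclusion the post reaches by eye.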