Is there a reason PCNS should be communicating with a data center in India?

LarryK · ‎2021-12-22

I was reviewing the logs in a client's SonicWall firewall this morning and found lots of entries that read:

Responder from country blocked: Responder IP:35.244.31.252 Country Name:India

I ran a PowerShell command to identify what TCPIP connections were open on 443 and found the offending IP address and Process ID.

When I queried the process, it returned Java. I then started up Process Explorer and found the Java instance running under PCNS.

So I'm now wondering why would PCNS be trying to communicate with India.

Note: I have modified the Log4j module by following the SE instructions recently issued to use 7zip to delete the offending component.

I'm not sure if this is a coincidence, or simply something I never really noticed before.

Anyone have any suggestions?

LarryK · ‎2022-01-04

Here is the response from our engineers:

The domain of the IP address (35.244.31.252) is where the server for CEIP (Customer Experience Improvement Program) is running. If the customer has enabled CEIP or has enabled it previously (and no longer wants to participate in this), it explains why the PCNS agent is trying to establish communication to that IP address.

If the customer has already disabled CEIP and is still communicating to the server you can follow the workaround below to stop the DNS queries to the external IP address mentioned above:

Stop PCNS service. The instruction on how to stop the PCNS service varies from each operating system(see https://www.apc.com/us/en/faqs/FA290624/)
After stopping PCNS service, go to the C:\Program Files\APC\PowerChute\group1\session for Windows or /opt/APC/PowerChute/group1/session directory Linux OS.
Delete all the files inside the session folder.
Once this is done start the PCNS service

Those are the steps to stop this from occurring.

See Answer In Context

Shaun · ‎2021-12-22

Hi,

This IP address belongs to Google Cloud, so its location is going to be largely fictional (wherever Google decides is best to route you at the time).

I don't remember exactly what host CEIP connects to, but this would be my first guess - you can disable the CEIP in pcns, it's just called PowerChute CEIP in the side menu. Restart, then see if the connections persist.

(see also https://www.se.com/ie/en/download/document/SPD_CCON-PCCEIP_EN/ )

LarryK · ‎2021-12-22

I appreciate that, but I have disabled CEIP from the outset.

While I realize Google's cloud is worldwide, I'd still like to know why PCNS is attempting to communicate with the outside world at all...

LarryK · ‎2021-12-23

And it looks like I'll have to wait until Monday to find some answers, APC's offices are closed today (Thursday) for the holiday weekend.

BillP · ‎2022-01-04

Hi,

The CEIP utilizes Countly that is hosted on Amazon’s AWS service or Google Cloud Services.

If you would like more information on Countly see https://support.count.ly/hc/en-us/articles/900005345323-Countly-Basics

LarryK · ‎2022-01-04

Bill, I appreciate the information.

But as I stated earlier, I opted out of CEIP. I would - in a simplistic view - believe that by unchecking the box, no activity would take place. Instead, the product is CONSTANTLY trying to reach out:

This kind of activity simply should not be taking place.

Following up with Support again later today to get to the root cause of this aberrant behavior.

LarryK · ‎2022-01-04

Here is the response from our engineers:

The domain of the IP address (35.244.31.252) is where the server for CEIP (Customer Experience Improvement Program) is running. If the customer has enabled CEIP or has enabled it previously (and no longer wants to participate in this), it explains why the PCNS agent is trying to establish communication to that IP address.

If the customer has already disabled CEIP and is still communicating to the server you can follow the workaround below to stop the DNS queries to the external IP address mentioned above:

Stop PCNS service. The instruction on how to stop the PCNS service varies from each operating system(see https://www.apc.com/us/en/faqs/FA290624/)
After stopping PCNS service, go to the C:\Program Files\APC\PowerChute\group1\session for Windows or /opt/APC/PowerChute/group1/session directory Linux OS.
Delete all the files inside the session folder.
Once this is done start the PCNS service

Those are the steps to stop this from occurring.

LarryK · ‎2022-11-22

Glad I found this topic in a search this morning (Nov 22, 2022).

Same problem recurring. Still don't use CEIP. Don't understand why this "feature" should have launched again.

Instructions provided cured the situation; however, the causative problem still exists.