Jump to content

FNPLicensingService.exe


Recommended Posts

The following IP is being blocked:

169.254.169.254

It appears to be a server used for licensing verification for some applications that use the FlexNet licensing service.  Please reference the following threads:

https://forums.malwarebytes.com/topic/265162-rtp-detection-fnplicensingserviceexe-category-trojan/

https://forums.malwarebytes.com/topic/265161-website-blocked-due-to-trojan-on-fnplicensingservice64exe/

Here's an example log from one of the users that reported the issue:

-Log Details-
Protection Event Date: 10/17/20
Protection Event Time: 9:01 AM
Log File: d5719e54-1078-11eb-b9ec-b42e99a94455.json

-Software Information-
Version: 4.2.1.89
Components Version: 1.0.1061
Update Package Version: 1.0.31506
License: Premium

-System Information-
OS: Windows 10 (Build 18362.1139)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService64.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain:
IP Address: 169.254.169.254
Port: 80
Type: Outbound
File: C:\Program Files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService64.exe

(end)

Thanks

Link to post
Share on other sites

Likely within the hour if not sooner, depending on how long it takes them to write the correction into the database and for the new database to be disseminated through the content delivery network.

  • Thanks 1
Link to post
Share on other sites

To settle my own curiosity, has the team determined the root cause of the issue?

I have many programs that utilize FlexNet Licensing, which from a cursory glance, appears to be the only application pushing traffic on 169.254.169.254:80 on my machine.

Link to post
Share on other sites

I don't know for certain, however based on the posts from the member of Research, my guess would be that it was some sort of heuristic rule used for blocking multiple known malicious sites/servers, and this particular safe server was caught in the crossfire.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.