Yandex browser discussion (Split Thread)

Will you use the Yandex browser after reading this article?

  • Yes

    Votes: 1 11.1%
  • No

    Votes: 7 77.8%
  • Maybe

    Votes: 1 11.1%

  • Total voters
    9
  • Poll closed .
Status
Not open for further replies.

Predrag Radjenovic

Level 2
Verified
Apr 16, 2016
78
Can you tell me where Yandex connects to upon start up? Does it connect to Google?

Thanks

As much as I can see, no, at least not with the start page set at yandex search... In the attachment are the startup connections that I can see, but perhaps a more thorough analysis is needed. If someone's willing to check in detail, it'd be nice to know.
 

Attachments

  • yandex-startup.png
    yandex-startup.png
    37.2 KB · Views: 1,360

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
As much as I can see, no, at least not with the start page set at yandex search... In the attachment are the startup connections that I can see, but perhaps a more thorough analysis is needed. If someone's willing to check in detail, it'd be nice to know.
Can you attach the remote address connections? It is from there that you can tell where Yandex on start up connects to.
 
  • Like
Reactions: AtlBo

Predrag Radjenovic

Level 2
Verified
Apr 16, 2016
78
Thanks for the read, interesting. I flew over it as I'm at work now, waiting for something to render... I can only conclude (time and time again and again and again) that everyone is corrupt and we can rely only on ourselves to protect, and not on any single entity...

Anyway, I logged the connections made from starting up Yandex - see if anything stands out:

Event Time Event Remote Address Remote Host Name
21.11.2017. 11.24.50 Open 77.88.21.232 sba.search.yandex.net
21.11.2017. 11.24.50 Open 213.180.193.82 api.browser.yandex.ru
21.11.2017. 11.24.51 Open 93.158.134.82 api.browser.yandex.ru
21.11.2017. 11.24.51 Open 93.158.134.82 api.browser.yandex.ru
21.11.2017. 11.24.51 Open 64.233.162.106 li-in-f106.1e100.net
21.11.2017. 11.24.51 Open 194.177.22.167 194-177-22-167.flops.ru
21.11.2017. 11.24.52 Open 213.180.204.194 translate.yandex.net
21.11.2017. 11.24.57 Open 5.45.205.235 cdn.yandex.net
21.11.2017. 11.24.57 Open 5.45.205.235 cdn.yandex.net
21.11.2017. 11.24.57 Open 5.45.205.235 cdn.yandex.net
21.11.2017. 11.24.57 Open 5.45.205.235 cdn.yandex.net
21.11.2017. 11.24.57 Open 5.45.247.13 cache-ams05.cdn.yandex.net
21.11.2017. 11.24.57 Open 5.45.247.13 cache-ams05.cdn.yandex.net
21.11.2017. 11.24.57 Open 5.45.247.13 cache-ams05.cdn.yandex.net
21.11.2017. 11.24.57 Open 5.45.247.11 cache-ams03.cdn.yandex.net
21.11.2017. 11.24.58 Open 77.88.21.232 sba.search.yandex.net
21.11.2017. 11.24.59 Open 77.88.21.237 webzen.stable.qloud-b.yandex.net
21.11.2017. 11.25.02 Close 5.45.205.235 cdn.yandex.net
21.11.2017. 11.25.02 Close 5.45.205.235 cdn.yandex.net
21.11.2017. 11.25.02 Close 5.45.205.235 cdn.yandex.net
21.11.2017. 11.25.02 Close 5.45.205.235 cdn.yandex.net
21.11.2017. 11.25.12 Close 5.45.247.13 cache-ams05.cdn.yandex.net
21.11.2017. 11.25.12 Close 5.45.247.13 cache-ams05.cdn.yandex.net
21.11.2017. 11.25.12 Close 5.45.247.13 cache-ams05.cdn.yandex.net
21.11.2017. 11.25.13 Close 5.45.247.11 cache-ams03.cdn.yandex.net
21.11.2017. 11.25.19 Open 87.250.250.55 browser-storage-proxy.stable.qloud-b.yandex.net
21.11.2017. 11.26.02 Close 194.177.22.167 194-177-22-167.flops.ru
21.11.2017. 11.26.51 Close 213.180.193.82 api.browser.yandex.ru
21.11.2017. 11.26.51 Close 93.158.134.82 api.browser.yandex.ru
21.11.2017. 11.26.51 Close 93.158.134.82 api.browser.yandex.ru
21.11.2017. 11.26.52 Close 213.180.204.194 translate.yandex.net
21.11.2017. 11.26.59 Close 77.88.21.237 webzen.stable.qloud-b.yandex.net
21.11.2017. 11.27.19 Close 87.250.250.55 browser-storage-proxy.stable.qloud-b.yandex.net
21.11.2017. 11.28.51 Close 64.233.162.106 li-in-f106.1e100.net
21.11.2017. 11.29.49 Open 213.180.204.82 api.browser.yandex.ru
21.11.2017. 11.29.49 Open 213.180.204.82 api.browser.yandex.ru
21.11.2017. 11.29.49 Open 213.180.204.82 api.browser.yandex.ru
21.11.2017. 11.29.49 Open 213.180.204.82 api.browser.yandex.ru
21.11.2017. 11.29.49 Open 213.180.204.82 api.browser.yandex.ru
21.11.2017. 11.29.49 Open 213.180.204.82 api.browser.yandex.ru

EDIT: I should mention that I wasn't touching the browser during the logging time...
EDIT2: Indeed there is a Google connection made, at 64.233... but that was a last closed page from previous session.
 
Last edited:
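
An added example, not part of any post in this thread: a short Python script that parses the log format posted above, skips hosts under the Yandex domains, and reports how long each remaining endpoint stayed open. The `VENDOR_SUFFIXES` list and the function names are assumptions of this example; the sample rows are a subset of the posted log.

```python
from collections import defaultdict, deque
from datetime import datetime

# Subset of the rows posted above, same column layout (header included).
SAMPLE_LOG = """\
Event Time Event Remote Address Remote Host Name
21.11.2017. 11.24.50 Open 77.88.21.232 sba.search.yandex.net
21.11.2017. 11.24.51 Open 64.233.162.106 li-in-f106.1e100.net
21.11.2017. 11.24.51 Open 194.177.22.167 194-177-22-167.flops.ru
21.11.2017. 11.24.57 Open 5.45.205.235 cdn.yandex.net
21.11.2017. 11.25.02 Close 5.45.205.235 cdn.yandex.net
21.11.2017. 11.26.02 Close 194.177.22.167 194-177-22-167.flops.ru
21.11.2017. 11.28.51 Close 64.233.162.106 li-in-f106.1e100.net
21.11.2017. 11.29.49 Open 213.180.204.82 api.browser.yandex.ru
"""

# Assumption of this example: hosts under these suffixes are the vendor's own.
VENDOR_SUFFIXES = ("yandex.net", "yandex.ru")

def parse(log):
    """Yield (timestamp, event, ip, host) for every data row; skip the header."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] not in ("Open", "Close"):
            continue
        stamp = datetime.strptime(f"{parts[0]} {parts[1]}", "%d.%m.%Y. %H.%M.%S")
        yield stamp, parts[2], parts[3], parts[4]

def is_vendor(host):
    """True when the host name is a vendor suffix or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)

def third_party_connections(log):
    """Return [(host, ip, seconds_open or None)] for non-vendor endpoints."""
    pending = defaultdict(deque)  # ip -> Open events still waiting for a Close
    result = []
    for stamp, event, ip, host in parse(log):
        if is_vendor(host):
            continue
        if event == "Open":
            pending[ip].append((stamp, host))
        elif pending[ip]:
            opened, _ = pending[ip].popleft()
            result.append((host, ip, int((stamp - opened).total_seconds())))
    # Connections still open when logging stopped have no duration.
    for ip, opens in pending.items():
        result.extend((host, ip, None) for _, host in opens)
    return sorted(result, key=lambda row: row[:2])
```

The classification relies on the reverse-DNS name in the last column, which is set by whoever controls the address block, so an unfamiliar name is worth confirming with a WHOIS lookup on the IP.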

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Thanks for the read, interesting. I flew over it as I'm at work now, waiting for something to render... I can only conclude (time and time again and again and again) that everyone is corrupt and we can rely only on ourselves to protect, and not on any single entity...

Anyway, I logged the connections made from starting up Yandex - see if anything stands out:


EDIT: I should mention that I wasn't touching the browser during the logging time...
EDIT2: Indeed there is a Google connection made, at 64.233... but that was a last closed page from previous session.
Ok, so nothing connects to Google then, for I thought it might since it's a Chromium-based browser. Many Chromium-based browsers do connect to Google.

Thanks
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Anyway, I logged the connections made from starting up Yandex - see if anything stands out:
Yes, most of those are related to network services, like Opera Turbo, suggestions, etc.
capture_11212017_163410.jpg capture_11212017_163426.jpg

I have got those connections with extensions disabled and firewall off. 5222/8 is Yandex sync.
capture_11212017_164106.jpg
 
Last edited:

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Yes, most of those are related to network services, like Opera Turbo, suggestions, etc.
View attachment 174045 View attachment 174046

I have got those connections with extensions disabled and firewall off. 5222/8 is Yandex sync.
View attachment 174044

My rules:
Code:
netsh advfirewall firewall add rule name="Yandex DNS" dir=out action=allow protocol=UDP remoteip=84.200.69.80,84.200.70.40 remoteport=53 program="%LocalAppData%\Yandex\YandexBrowser\Application\browser.exe"
netsh advfirewall firewall add rule name="Yandex DNSS" dir=out action=allow protocol=TCP remoteip=208.67.220.123,208.67.222.123 remoteport=443 program="%LocalAppData%\Yandex\YandexBrowser\Application\browser.exe"
netsh advfirewall firewall add rule name="Yandex TCP" dir=out action=allow protocol=TCP remoteport=80,443,5222,5228 program="%LocalAppData%\Yandex\YandexBrowser\Application\browser.exe"
I'm seeing 74.125.206.188 in the middle diagram

This address belongs to Google

74.125.206.188 - Google - iphostinfo.com
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
I'm seeing 74.125.206.188 in the middle diagram

This address belongs to Google
Wow. All I can say is thank you, I have missed that one. Thus far it looks like it is not required by sync at all. When I was googling for it, I had found it mentioned that it is required by Google Sync, and I had sort of ignored the difference. :oops: Yandex mentions only 443/5222. I have removed the port and it is all clean now. ;)
capture_11212017_180339.jpg

I have also found this: Chromium is trying to connect to 74.125.133.188 on port 5228 / Networking, Server, and Protection / Arch Linux Forums

Changed my rules accordingly, allowed 5222 only to Yandex. Thanks again. (y)

Code:
netsh advfirewall firewall add rule name="Yandex Sync" dir=out action=allow protocol=TCP remoteip=213.180.193.0-213.180.193.255 remoteport=443,5222 program="%LocalAppData%\Yandex\YandexBrowser\Application\browser.exe"
netsh advfirewall firewall add rule name="Yandex TCP" dir=out action=allow protocol=TCP remoteport=80,443 program="%LocalAppData%\Yandex\YandexBrowser\Application\browser.exe"
 
Last edited:
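
An added example, not part of any post in this thread: a small Python model of the two rule sets above, showing which outbound connections each one lets through. It assumes the default outbound policy is block, so only allow rules matter, and that the Google connection discussed above was on TCP port 5228, as the thread implies; the function names are this example's own.

```python
import ipaddress
import re

# Rule lines from the thread, with the program= path and the two DNS rules
# left out. Assumption: outbound traffic is blocked unless an allow rule matches.
BEFORE = [
    'netsh advfirewall firewall add rule name="Yandex TCP" dir=out action=allow protocol=TCP remoteport=80,443,5222,5228',
]
AFTER = [
    'netsh advfirewall firewall add rule name="Yandex Sync" dir=out action=allow protocol=TCP remoteip=213.180.193.0-213.180.193.255 remoteport=443,5222',
    'netsh advfirewall firewall add rule name="Yandex TCP" dir=out action=allow protocol=TCP remoteport=80,443',
]

def parse_rule(line):
    """Turn the key=value pairs of a netsh 'add rule' line into a dict."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key.lower(): value.strip('"') for key, value in pairs}

def ip_matches(spec, ip):
    """Match ip against 'any' or a comma list of addresses, CIDR blocks or a-b ranges."""
    addr = ipaddress.ip_address(ip)
    for item in spec.split(","):
        if item.lower() == "any":
            return True
        if "-" in item:
            low, high = (ipaddress.ip_address(x) for x in item.split("-"))
            if low <= addr <= high:
                return True
        elif addr in ipaddress.ip_network(item, strict=False):
            return True
    return False

def allowed_by(rules, ip, port, protocol="TCP"):
    """Return the name of the first allow rule matching the connection, else None."""
    for rule in map(parse_rule, rules):
        ports = rule.get("remoteport", "any")  # port ranges are not handled here
        if (rule.get("action") == "allow"
                and rule.get("protocol", "any").upper() in (protocol, "ANY")
                and (ports == "any" or str(port) in ports.split(","))
                and ip_matches(rule.get("remoteip", "any"), ip)):
            return rule["name"]
    return None
```

With these rules, 74.125.206.188 on port 5228 matches "Yandex TCP" in the first set and nothing in the second, while port 443 to the same address is still allowed. The log earlier in the thread also lists api.browser.yandex.ru at 93.158.134.82 and 213.180.204.82, which fall outside the range in the "Yandex Sync" rule, so only ports 80 and 443 stay reachable there.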

Proteus

New Member
Nov 28, 2017
1
Has no one else noticed that it tries to re-direct to "troviDOTcom" when using the address bar to search? I used this browser for a long while until I noticed this months ago. Even tweeted at them a few times and got nothing. I have no malware on my PC by the way. I thought for sure at least someone would have mentioned this on here. I can't find anyone else even talking about this.

Edit: Of course as I typed this up someone did mention this and noticed it's only when using Bing (which I use) for default browser. The search string is set to go through trovi...what in the hell?
 
  • Like
Reactions: AtlBo

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Has no one else noticed that it tries to re-direct to "troviDOTcom" when using the address bar to search?
It looks to be normal for Opera based browsers, this is from Vivaldi.

Vivaldi.rocks — search partnership • r/vivaldibrowser

You can add Bing yourself, it can not be used as default, but it works when you use a keyword, like:

capture_11292017_100314.jpg

Or use an extension, like Bing Search


Does this browser support Google Chrome add-ons?
Most Chrome addons work, but it is better to use Opera version, when possible.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452

Attachments

  • capture_12062017_112759.jpg
    capture_12062017_112759.jpg
    133 KB · Views: 1,048

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,759

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Here: Browser Privacy - Test IP address, DNS, VPN leaks. Fast & no ads. Protect your online privacy.
This test shows if your DNS is secured with DNSSEC or not! I checked all of them and many of them didn't pass the DNSSEC test! I'm using:
Down resolver Russia 01! It's fast! Also secure with DNSSEC! OpenDNS isn't secure! Same for Yandex DNS!
Have you tried the servers from the below lists for DNSSEC testing?

List of Public DNS Servers [wiki.ipfire.org]

dnscrypt-proxy/dnscrypt-resolvers.csv at master · jedisct1/dnscrypt-proxy · GitHub
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
DNSSEC is a nice addition to DNS security, but it is overrated, since it can be easily bypassed. - recdnsfp by recdnsfp

Well then, version 17.11 has also introduced an exe, which runs nonstop doing something, and as if that was not bad enough, it does it without my permission and it does not actually do anything, it is disabled. I might have overlooked it if it was up only when the browser is opened, but when I close the browser, I expect it to be closed along with everything related to it (like the Steam service does), thus the reason I have unchecked "Allow background processes to run when the browser is closed".

capture_12062017_232205.jpg capture_12062017_232635.jpg capture_12062017_233105.jpg

EDIT: OK, it is just the service, which can be disabled, still not happy about it. Yandex is testing my patience, again and again, maybe it is time for a change. :cautious:
 
Last edited:
  • Like
Reactions: Sunshine-boy

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
So Yandex Browser Protect can be actually uninstalled, so I have got a panic attack for no reason.
Still, the installer could have asked. When I first noticed ycs.exe, I thought, that I was infected by malware.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
So Yandex Browser Protect can be actually uninstalled, so I have got a panic attack for no reason.
Still, the installer could have asked. When I first noticed ycs.exe, I thought, that I was infected by malware.
Yeah, I can't figure that out. The protect file is in program files, but the browser itself is in appdata.
Why do programs these days install themselves in appdata? What are the advantages?
 