2014-04-02, 23:13 PM

Wanted to add to this thread as it's the only one that I actually found where others are seeing this issue - it's solved if you uninstall as others stated.



But here's a better insight on what EXACTLY is happening - hopefully maybe someone from Lenovo will see this and raise a flag (fat chance on a "Community" forum but you never know)

So.... Just worked on an issue that this piece of CrapWare/Bloatware called LenovoEMC Storage Connector AKA Discover.EXE was causing.

Stuff like this is great for my business but I feel sorry for those that don't know what the heck is going on.

In all honesty this has to be the worst (no joke, dead serious) piece of code that I have ever seen and I've been doing network engineering for well over 25+ years.

I'll describe what this Discover.exe process is doing, though it's obvious by name what this service does, it goes about doing it in a truly amazing way. It must have been written by a half-witted, I have no idea what I'm doing programmer and how it got out of QA is beyond me. Some entity really needs to have their credentials checked.

It's an auto discovery process that I assume is supposed to go out and find any LenovoEMC Network Storage devices that MAY BE connected to your network.

But there seems to be a bug, or if that isn't the case, it's seriously flawed, if this was truly the intention of the programmers on how it was designed to do such.

The code seriously needs to be patched and it needed to be patched yesterday, especially since it's installed on new equipment without most users knowing what it's for or what it does. Vendors need to seriously stop installing their Bloatware, why is this installed on a new Lenovo Yoga Thinkpad? I can understand that if someone actually bought a LenovoEMC storage unit that this software would be included, but a Laptop? Why???

Well, a few days ago I get a call from a friend of mine that I have known for years who just started 6 months ago for a new company (Small 50+ person organization) where she is now managing a small group (3) internal IT folks and stated that her IT People are at wits' end and that their network for the past few weeks was having serious serious issues.

She stated it was obvious that it is something well above her staff's experience and beyond anything that they ever dealt with. She mentioned that prior to calling me, they did have a knowledgeable IT person that consulted for them for many years but sadly that person passed away and well it looked like he pretty much made it so he had job security. I have bailed her out many times in the past when we both worked for a larger organization, she knows that if it's going to get fixed and done right who to call.

First they thought their network issue was being caused by their ISP but after working with them the ISP stated their end of the network is good, though they do see extremely high bursts of outbound traffic followed by large bursts of inbound traffic. The ISP stated that perhaps some device within their network may have a virus but in general it's nothing to do with their physical connection to them.

My first line of approach, as anyone else's would be to resolve Network issues, is to place a packet sniffer (Wireshark.org) on the Network and capture everything. As stated her small IT staff had let a consultant do most of the work and they were never properly trained on how you set up a switch to mirror, or how a packet sniffer works.

For me, an easy task but I would have had to travel to their business, but lucky for me I knew I wouldn't have to be there for a long time as they stated that this event happens daily enough that If I just sat and waited I was sure to see it in action and that I did.

From what I saw this monitor.exe process will flood your network with NetBIOS Name Services (NBNS) packets not as a broadcast packet on your local network but as directed target packets to IP addresses off your network and it is an inordinate amount of IP Addresses at that.

Not only is the amount of targets that it's spamming large, the frames that are generated to do it are within milliseconds of each other. The application is Insatiable and Belligerent in trying to discover something.

If it's up and running it will be 98% of your traffic on the network, other devices can't get a packet in edgewise everything on your network will become unresponsive.

I witnessed their local router which normally responds to a ping within <1ms would sometimes never respond or if it actually did during this condition it would respond back >350ms or even higher.

Traceroutes to external IP's were even worse, DNS requests forwarded off their network to their ISP's DNS servers never were sent or received. To them it was the network is down, and we can't get to the internet.

Keep in mind what I said as well about the packets that are generated by this monitor.exe process because as I stated they are specifically directed to target IP's and not a local broadcast, unbelievably you may get a whole boat load of responses back if the other side didn't filter out MS NetBIOS Packets being directed to their network as well as ICMP unreachable/quenched/administratively filtered packets in response.

So let me post some screen shots with comments.

I'm sorry about the screen size but there is a size limit to attachments.

Here's the first screen shot of what was going on at the time they had network issues just to point out what I want you folks to look at.

Start taking note of the Frame No. the Time stamp as well as please Note the Destination Addresses - pay attention to the following screen shots after this and compare them to each other.

You'll be Shocked as much as I was - this process is sending Name Query NBSTAT frames over the internet to targeted IP ranges and big ranges at that and it appears to be sequential in order. I'll mask the IP's but you'll get the Idea.

Link to picture

Now look at the time and look at the destination address see the pattern.

Link to picture

Once again look below at the time and now look where we are for destination we have moved 1 second in time but it has pumped out a ton of Name Query NBSTAT frames. This is what you will see it's crazy! In general you will hardly see any other devices' packets on the network as it's too busy catering to this piece of CrapWare.

Link to picture

Next screen shot - Again look at the time but pay particular attention to what happens to the destination when we reach out and hit x.x.255.255 you guessed it.

Link to picture

So when does it stop?? Look at this - Note the highlighted entry and then look at what it does - seriously you have to be kidding me it's now going to throw ARP requests on the network because something responded. Granted when something does it actually stops what it's doing for a brief moment.

Link to picture

And, obvious that some networks on the internet respond to targeted NetBIOS frames - good idea to firewall these folks. It's also a good idea to stop them from leaving as well (more work for me here it looks like)

Some networks at least respond with ICMP unreachables

The Lenovo Yoga Here figured that what the heck since it's owning the network might as well try to get some of its own packets out to do some work other than spam discovery requests.

Link to picture

Next note time again and destination for the next two screen shots - time moving along, range moving along faster.

Link to picture

Link to picture

Last, if you throw crap out on the internet I guess one should expect crap as a response.

Link to picture

Amazing Huh!! Seriously what is this discover.exe process trying to do!

Again why is Lenovo putting something like this on their laptops - my client didn't order a LenovoEMC Storage Unit with it. I can see this application LenovoEMC Storage Connector (monitor.exe) being supplied with one of their Storage units, but seriously it needs to be fixed PRONTO!

Hopefully me posting here will save someone a headache.

Personally my client ordered 40 more of these things, for all purposes I'm thinking about telling her to tell Lenovo thanks but no thanks.

Cheers Folks!!

I Recommend that you uninstall this application if you don't need it and if you do then you better have Lenovo take a look at it and fix it before it affects your own network.
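
The traffic pattern described in the post above (unicast NBNS queries on UDP 137 sent from an internal host to off-network addresses, milliseconds apart, in sequential order) can be flagged from flow or capture records. The following is an added example, not part of the original post or any Lenovo code; the local subnet, thresholds, record layout and sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed internal subnet
NBNS_PORT = 137  # NetBIOS Name Service (UDP)

def build_sample():
    """Constructed records: (time_seconds, src_ip, dst_ip, udp_dst_port)."""
    recs = []
    base = int(ipaddress.ip_address("198.51.100.0"))  # documentation range
    for i in range(200):  # 200 unicast queries, 2 ms apart, sequential targets
        dst = str(ipaddress.ip_address(base + i))
        recs.append((10.0 + i * 0.002, "192.168.1.50", dst, NBNS_PORT))
    recs.append((10.1, "192.168.1.20", "192.168.1.255", NBNS_PORT))  # normal local broadcast
    recs.append((10.2, "192.168.1.20", "203.0.113.9", 53))           # unrelated DNS query
    return recs

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def find_nbns_sweepers(records, window=1.0, min_targets=50):
    """Flag internal hosts sending NBNS to many distinct off-net IPs within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        # NBNS belongs on the local segment; off-net unicast is the anomaly.
        if dport == NBNS_PORT and is_local(src) and not is_local(dst):
            by_src[src].append((ts, int(ipaddress.ip_address(dst))))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        seen, start, best = Counter(), 0, 0
        for ts, dst in events:  # sliding window over distinct destinations
            seen[dst] += 1
            while ts - events[start][0] > window:
                old = events[start][1]
                seen[old] -= 1
                if not seen[old]:
                    del seen[old]
                start += 1
            best = max(best, len(seen))
        # Share of consecutive queries whose target is exactly the next IP address.
        steps = [b[1] - a[1] for a, b in zip(events, events[1:])]
        seq = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        if best >= min_targets:
            findings[src] = {"max_targets_per_window": best,
                             "sequential_ratio": round(seq, 2)}
    return findings

if __name__ == "__main__":
    print(find_nbns_sweepers(build_sample()))
```

A host reported here is a candidate for the uninstall described in the post; blocking outbound UDP 137 at the perimeter keeps the queries from leaving the network in the meantime.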