Forum Discussion
BITS Downloading App updates from unknown endpoint
Hi - My IDS went off with the same alerts. I'm still looking into the root cause - will check for Store apps across my network. Thanks for starting this thread. Jason.
I found this - which appears to be a list of all the endpoints Windows 10 20H2 talks to.
https://docs.microsoft.com/en-us/windows/privacy/manage-windows-20h2-endpoints
But if you read how they got this list, you realise Microsoft don't actually know all the endpoints they use - this was just someone in MS with a network scanner.
J.
<--
The following methodology was used to derive these network endpoints:
- Set up the latest version of Windows 10 on a test virtual machine using the default settings.
- Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
- Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
- Compile reports on traffic going to public IP addresses.
- The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
- All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
- These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
- These tests were conducted for one week, but if you capture traffic for longer you may have different results.
-->
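As an added example (not code from the thread or from Microsoft's page), the quoted methodology reduced to a script: take captured background egress flow records, drop destinations that are not public addresses, aggregate what is left per destination, and flag anything that is not on the published endpoint list. The flow records, the hostnames, the IPs (taken from the documentation ranges) and the allow-list patterns are all constructed for this example.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample of background egress flows from an idle test VM:
# (process, destination hostname from DNS/SNI or None, destination IP, bytes out).
SAMPLE_FLOWS = [
    ("svchost.exe", "dl.update.example.com", "198.51.100.10", 40960),
    ("svchost.exe", "dl.update.example.com", "198.51.100.10", 2048),
    ("svchost.exe", None, "203.0.113.77", 917504),            # bare-IP pull, no name seen
    ("WinStore.App.exe", "store.example.com", "198.51.100.20", 5120),
    ("svchost.exe", "wpad.corp.local", "10.20.0.5", 300),     # private, ignored
    ("svchost.exe", None, "fe80::1", 120),                    # link-local, ignored
]

# Constructed allow-list in the wildcard style of the Microsoft endpoint page.
DOCUMENTED_ENDPOINTS = {"*.update.example.com"}

# Explicit non-public ranges (the stdlib's is_global would also reject the
# documentation ranges used in the sample, so classify by hand).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

def is_public(ip):
    """True when the address is not in any private, loopback, link-local or multicast range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_PUBLIC)

def is_documented(host, allowlist=DOCUMENTED_ENDPOINTS):
    """Wildcard match: '*.update.example.com' covers any depth of subdomain."""
    return host is not None and any(fnmatchcase(host.lower(), p) for p in allowlist)

def egress_report(flows, allowlist=DOCUMENTED_ENDPOINTS):
    """Bytes and originating processes per public destination, keyed by hostname or IP."""
    report = {}
    for proc, host, ip, nbytes in flows:
        if not is_public(ip):
            continue
        entry = report.setdefault(host or ip, {"bytes": 0, "processes": set(),
                                               "documented": is_documented(host, allowlist)})
        entry["bytes"] += nbytes
        entry["processes"].add(proc)
    return report

def unknown_endpoints(flows, allowlist=DOCUMENTED_ENDPOINTS):
    """Public destinations missing from the documented list, largest transfer first."""
    rep = egress_report(flows, allowlist)
    return sorted((k for k, v in rep.items() if not v["documented"]),
                  key=lambda k: -rep[k]["bytes"])

if __name__ == "__main__":
    for dest in unknown_endpoints(SAMPLE_FLOWS):
        print(dest, egress_report(SAMPLE_FLOWS)[dest])
```

A bare-IP destination with no resolved name and a large transfer, as in the sample, is exactly the kind of entry the thread's IDS alerts describe, so it sorts to the top of the unknown list.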
- Maximilian Demajo, Oct 07, 2021, Copper Contributor
JasonC2021 Thanks for checking this out. It appears that article does not contain any of the endpoints we are seeing, although it is dated. Unfortunate that they do not keep a complete list of contacted endpoints.
Have you noticed any further strange activity stemming from your devices since this started happening?
A bit worrying that I have not seen any further mention of these endpoints online.
- RA_Howtwo2012, Feb 17, 2023, Copper Contributor
Maximilian Demajo We are seeing IPS triggered due to a "virus" coming from one of these CDNs. Only a certain number of devices, random, and they are blocked from downloading a 3D viewer app update that doesn't appear listed on the apps page (that version). I'm concerned this is similar to a SolarWinds-style attack and can't believe Microsoft would allow it. These should be pushed updates; everything is turned off for auto, well, anything, and delivery opt. is off as well.