Forum Discussion
ET DELETED TinyPE Binary - Possibly Hostile and ET MALWARE VMProtect Packed Binary in windows update
I have a firewall rule which is blocking communication from 151.101.126.172 to my local Windows 10 machine, under the category "ET DELETED TinyPE Binary - Possibly Hostile" (and hence Windows updates are stuck at 0% downloading).
How do I get a dynamic list of authorized IPs which must be able to connect to my Windows machine during Windows Update?
I don't want to disable the rule for all source IPs.
Next Updates:
Update 1:
++ 184.150.163.24, 184.150.163.51, 72.21.81.240 and 23.223.17.204 as sources of similar traffic (ET DELETED TinyPE Binary - Possibly Hostile)
Update 2:
If the rule in the original post is allowed to proceed (converted from drop to alert only), the next thing that happens is:
ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile
from sources:
Update 3:
This time 151.101.126.172 came back with "DELETED BACKDOOR ykw v375 runtime detection".
Update 4:
1. Downloaded KB5039211 CUMULATIVE from the link shared by Carly_Amanda in the comments below; > 650 MB (682,618,570 bytes).
2. Went to Windows Update on my PC.
3. Paused updates for 7 days.
4. Disconnected the internet.
5. Then View Update History > Uninstall updates.
6. Right click on each update: uninstalled all which I could, including KB5039211 and beyond [restarted where asked]. Some did not have an uninstall option, so I left them as is. Generally Servicing Stack and feature updates did not have an uninstall option.
7. Installed KB5039211 CUMULATIVE from step 1 above.
9. Restarted twice.
10. Resumed updates and let it compensate for step 6.
Got the message: "We couldn't check for updates, because you aren't connected to the Internet. Make sure you have a cellular data or Wi-Fi connection and try again."
11. Connected the internet.
12. Clicked retry for step 10. This time it downloaded a bunch of updates.
Still got "DELETED BACKDOOR ykw v375 runtime detection" and "ET DELETED TinyPE Binary - Possibly Hostile" alerts from 151.101.126.172.
My issue is why 151.101.126.172 is trying to connect to my machine. If it needs to, then why is it not clearly mentioned in the update prerequisites?
My wild guess at this point in time is that 151.101.126.172 is part of some sort of caching server network, which tries to bring all the users who take updates from them into their network.
Maybe the ports it tries to reach on my local machine are used by 151.101.126.172 when they respond to cached update package requests.
If the response were OK as they expect, they would bring my machine into their network so that I might be hosting the updates for others.
Update 5:
For Windows Update to work properly on home Windows 10, without a WSUS server (which is most common for home machines), I had to downgrade from drop to alert only for these rules under manual entries, which I believe is a security risk, opening unintentional doors to hackers:
snort_vrt.file-executable.rules > policy-violation > FILE-EXECUTABLE download of executable content [Signature Id 11192]
snort_vrt.file-executable.rules > policy-violation > FILE-EXECUTABLE Portable Executable binary file magic detected [Signature Id 15306]
snort_vrt.malware-cnc.rules > trojan-activity > MALWARE-CNC DNS Fast Flux attempt [Signature Id 57756]
emerging-policy.rules > policy-violation > ET POLICY External Windows Update in Progress [Signature Id 2002948]
emerging-policy.rules > policy-violation > ET POLICY Windows Update in Progress [Signature Id 2002949]
emerging-policy.rules > policy-violation > ET POLICY exe download via HTTP - Informational [Signature Id 2003595]
emerging-policy.rules > policy-violation > ET POLICY Binary Download Smaller than 1 MB Likely Hostile [Signature Id 2007671]
References:
https://github.com/jpalanco/alienvault-ossim/blob/master/suricata-rules-default-open/rules/1.3.1/emerging.rules/emerging-policy.rules
https://www.snort.org/rule_docs/1-11192
This was in addition to (using global policies) [for class types command-and-control, credential-theft, exploit-kit, misc-attack, network-scan, policy-violation, trojan-activity, web-application-attack]:
1. The rulesets given below marked with higher priority (5) for alert only than the second policy (meaning, for the above eight classes, if the rule source is one of the two rulesets below, then alert only, since the second policy below with lower priority would otherwise block):
emerging-deleted.rules, snort_vrt.deleted.rules
2. Rulesets left blank (meaning all) with lower priority (10) marked for drop, for exactly the same eight classes as in the other policy.
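The scoping the original question asks for (not disabling a rule for every source) can be expressed per signature and per source IP with Suricata threshold.config `suppress` entries instead of downgrading whole rules from drop to alert. This added Python example, not part of the post, builds such entries from eve.json alert records for the SIDs listed in Update 5; the approved source 203.0.113.10 and the sample records are constructed placeholders, and any alert from a source the operator has not vetted is held for review rather than suppressed.

```python
import json

# Signature ids the post lists as downgraded from drop to alert (from Update 5).
UPDATE_SIDS = {11192, 15306, 57756, 2002948, 2002949, 2003595, 2007671}

# Constructed placeholder: sources the operator has already vetted as update
# mirrors. Nothing is suppressed for a source outside this set.
APPROVED_SOURCES = {"203.0.113.10"}


def parse_alerts(eve_lines):
    """Yield (sid, src_ip, dest_ip) for each alert event in eve.json lines."""
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow, dns, http records carry no signature
        yield ev["alert"]["signature_id"], ev["src_ip"], ev["dest_ip"]


def build_suppressions(eve_lines, approved=APPROVED_SOURCES, sids=UPDATE_SIDS):
    """Return (suppress_lines, review) where suppress_lines are threshold.config
    entries keyed to one SID and one source IP, and review holds alerts that did
    not qualify (unknown SID or unvetted source) for manual inspection."""
    pairs, review = set(), []
    for sid, src, dst in parse_alerts(eve_lines):
        if sid in sids and src in approved:
            pairs.add((sid, src))  # duplicates collapse to one entry
        else:
            review.append((sid, src, dst))
    lines = [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}"
             for sid, src in sorted(pairs)]
    return lines, review


def _rec(sid, src, etype="alert"):
    # Constructed eve.json record, not captured from the poster's firewall.
    rec = {"event_type": etype, "src_ip": src, "dest_ip": "192.168.1.20"}
    if etype == "alert":
        rec["alert"] = {"signature_id": sid}
    return json.dumps(rec)


SAMPLE_EVE = [
    _rec(2002949, "203.0.113.10"),
    _rec(11192, "203.0.113.10"),
    _rec(2002949, "203.0.113.10"),         # repeat of the first alert
    _rec(2002949, "151.101.126.172"),      # source from the post, not yet vetted
    _rec(None, "203.0.113.10", "flow"),    # non-alert event, ignored
]

if __name__ == "__main__":
    sup, rev = build_suppressions(SAMPLE_EVE)
    print("\n".join(sup))
    for item in rev:
        print("review:", item)
```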