cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ATA v1.9 - suspicion of identity theft reported after OS upgrade

Binu Wariyar
Copper Contributor

‎Nov 04 2019 12:36 PM

‎Nov 04 2019 12:36 PM

ATA v1.9 - suspicion of identity theft reported after OS upgrade

After a workstation gets an operating system upgrade to windows 10 Enterprise I see reports of "suspicions of identity theft" for the userid logged in to the workstation in the ATA Timeline.  When I look at the timeline in ATA for the userid I see the workstation contact 20 other machines in the local area.  My suspicion is that the Windows 10 Enterprise workstation is contacting other machines in the local area to allow downloads to other PCs as part of the Delivery Optimization in Windows Update's service.  (See Settings | Type "Windows Update" in the "Find a setting" text box | Delivery Optimization | "Allow downloads from other PCs" is set to On for "PCs on my local network". ) I suspect ATA misinterprets this as an attempt at identity theft.

 

Has anyone else seen this behavior from ATA?

788 Views
0 Likes
2 Replies
Reply
2 Replies
Eli Ofek

‎Nov 06 2019 11:23 AM - edited ‎Nov 07 2019 04:28 AM

‎Nov 06 2019 11:23 AM - edited ‎Nov 07 2019 04:28 AM

Re: ATA v1.9 - suspicion of identity theft reported after OS upgrade

@Binu Wariyar , We got several similar reports in the past.

In all of them the delivery optimization was a suspect, but we checked with the delivery optimization team the internals of how it works, and got to the conclusion that it's not what is triggering the alert.

 

There is something else going on for SOME customers during the upgrade, If  I am not mistaken, the traffic is via CIFS , but from the reports we got so far, we could not figure out what was the exact operation that happens for those customers during the upgrade that created this CIFS traffic.

0 Likes
Reply
Binu Wariyar

‎Nov 06 2019 11:38 AM

‎Nov 06 2019 11:38 AM

Re: ATA v1.9 - suspicion of identity theft reported after OS upgrade

@Eli Ofek 

 

Thanks, Eli.  You're right that ATA reports it is CIFS traffic.  We haven't been able to identify anything either, suspicious or otherwise, that would trigger this traffic.  We will continue to monitor these workstations to see if a pattern emerges that we can report to your team.

1 Like
Reply