ATA v1.9 - suspicion of identity theft reported after OS upgrade


After a workstation gets an operating system upgrade to Windows 10 Enterprise I see reports of "suspicions of identity theft" for the userid logged in to the workstation in the ATA Timeline. When I look at the timeline in ATA for the userid I see the workstation contact 20 other machines in the local area. My suspicion is that the Windows 10 Enterprise workstation is contacting other machines in the local area to allow downloads to other PCs as part of the Delivery Optimization in Windows Update's service. (See Settings | Type "Windows Update" in the "Find a setting" text box | Delivery Optimization | "Allow downloads from other PCs" is set to On for "PCs on my local network".) I suspect ATA misinterprets this as an attempt at identity theft.


Has anyone else seen this behavior from ATA?


@Binu Wariyar, we got several similar reports in the past.

In all of them the delivery optimization was a suspect, but we checked with the delivery optimization team the internals of how it works, and got to the conclusion that it's not what is triggering the alert.


There is something else going on for SOME customers during the upgrade. If I am not mistaken, the traffic is via CIFS, but from the reports we got so far, we could not figure out what was the exact operation that happens for those customers during the upgrade that created this CIFS traffic.


@Eli Ofek 


Thanks, Eli.  You're right that ATA reports it is CIFS traffic.  We haven't been able to identify anything either, suspicious or otherwise, that would trigger this traffic.  We will continue to monitor these workstations to see if a pattern emerges that we can report to your team.
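The thread leaves two things open: whether Delivery Optimization is the source of the fan-out (the original post) and what is actually generating the CIFS traffic ATA flags (Eli's reply). The script below is an added triage example, not from the thread or from the ATA product, to run on the upgraded workstation while the alert is fresh. It assumes Windows 10 1709 or later with the built-in `NetTCPIP`, `SmbShare` and `DeliveryOptimization` PowerShell modules, and it reads the Delivery Optimization download mode from the policy and per-device registry locations (`DODownloadMode`; the policy key wins when both are set). Delivery Optimization peers over HTTP on TCP 7680, not SMB, so an SMB/445 fan-out is separated from DO activity rather than attributed to it; the function names are my own.

```powershell
# Added triage script (not part of the thread). Assumes Windows 10 1709+ and an
# elevated prompt. Function names are hypothetical, chosen for this example.

function Get-DODownloadModeInfo {
    # DODownloadMode: 0=HTTP only, 1=LAN, 2=Group, 3=Internet, 99=Simple, 100=Bypass.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $configKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'
    $policy = (Get-ItemProperty -Path $policyKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
    $config = (Get-ItemProperty -Path $configKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
    $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $config) { $config } else { 'unknown' }
    # DO peer-to-peer uses an HTTP listener on TCP 7680; check whether it is actually open.
    $peerListener = Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyMode      = $policy
        DeviceMode      = $config
        EffectiveMode   = $effective
        LanPeeringOn    = ($effective -in 1, 2, 3)
        Port7680Listen  = [bool]$peerListener
    }
}

function Get-SmbFanOut {
    # Outbound SMB (TCP 445) connections from this host, one row per remote peer,
    # with the owning process. This is the traffic ATA classifies as CIFS.
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { $_.State -in 'Established', 'SynSent', 'TimeWait' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                State         = $_.State
                OwningPid     = $_.OwningProcess
                ProcessName   = if ($proc) { $proc.ProcessName } else { '(exited)' }
            }
        } | Sort-Object RemoteAddress, OwningPid -Unique
}

function Get-SmbSessionSummary {
    # Which shares the client is attached to and under which credential. The
    # account shown here is the identity ATA believes is being reused.
    Get-SmbConnection -ErrorAction SilentlyContinue |
        Select-Object ServerName, ShareName, UserName, Dialect, NumOpens |
        Sort-Object ServerName, ShareName
}

function Invoke-AtaCifsTriage {
    # Collect the three views together so the alert can be compared against what
    # the workstation is really doing. Returns an object; nothing is written to disk.
    $do   = Get-DODownloadModeInfo
    $smb  = @(Get-SmbFanOut)
    $sess = @(Get-SmbSessionSummary)
    $peers = @($smb | Select-Object -ExpandProperty RemoteAddress -Unique)
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        CollectedAt         = (Get-Date).ToString('o')
        DeliveryOptimization = $do
        SmbPeerCount        = $peers.Count
        SmbPeers            = $peers
        SmbConnections      = $smb
        SmbSessions         = $sess
        # Fan-out to many hosts over 445 while DO peering is on 7680 points away
        # from Delivery Optimization as the cause, which is what the thread concluded.
        DoExplainsFanOut    = ($peers.Count -gt 0 -and $do.LanPeeringOn -and $do.Port7680Listen -and $smb.Count -eq 0)
    }
}

# Usage: run as administrator shortly after the ATA alert for this host.
$report = Invoke-AtaCifsTriage
$report | Format-List
$report.SmbConnections | Format-Table -AutoSize
```

The useful output is the `ProcessName` column of `SmbConnections`: an ATA "identity theft" suspicion rests on one account touching many hosts over CIFS, so the process that owns those 445 connections is the thing to chase. Running the script before and after the upgrade gives a baseline `SmbPeerCount` to compare against, and `SmbSessions` records which shares and which account were involved, which is what a report back to the product team would need.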