
Are Microsoft webservices safe behind next public IP 209.197.3.8?

Anonymous
2023-05-09T20:10:47+00:00

We've started getting alerts from Cisco Firewalls and Cisco AMP clients related to Microsoft webservices, msedge.b.tlu.dl.delivery.mp.microsoft.com, http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disa, http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cadae296-3389-40c2-b927-605f7b399b78?P1=1681513528&, behind a malicious IP.

Can Microsoft check if the services behind 209.197.3.8 are safe?

These are logs from Cisco firewalls. We are getting these alerts for all our customers.

Connection Type: FireSIGHT SI Category: Malware 192.168.1.2:55213 (unknown) -> 209.197.3.8:80 (united states) (tcp) Domain: Global


Locked Question. This question was migrated from the Microsoft Support Community.


11 answers

  1. Rob Koch 25,875 Reputation points Volunteer Moderator
    2023-07-29T18:45:27+00:00

    Dump that useless Cisco crap.

    Anyone with that bad of an operations group that they can't understand the information I provided to you regarding the fact these signature detections are occurring within portions of the Microsoft Edge browser updates is obviously not worth paying for their 'protection'.

    On top of that the Microsoft document I referenced about this IP address in my first post above indicates that these are official Microsoft servers, so the idea these are 'shared' IPs with anyone outside Microsoft is ludicrous. In fact, it's more likely that they are operating from a [possibly 3rd-party] CDN, since virtually all Microsoft update services have been operating in this way for decades now, so that's possibly why a less than knowledgeable technical group might misunderstand these IPs as 'shared'.

    I spent 20 years as a network administrator and the rest of my career a security professional in engineering education, Whitebox manufacturing and 3rd-party security firms, often dealing with similar issues myself with the antivirus and firewall security app portions of 3rd-party vendors.

    These products are notorious for detecting the signatures from other products and occasionally even their own as the malware they are intended to detect, since obviously the industry practice of sharing malware signature data between providers means they'll detect each other's signature packs when not obfuscated.

    I learned long ago to either disable these firewall-based antivirus products or be prepared to spend lots of time chasing ghosts, since at the time whitelisting individual source IPs was difficult if not impossible.

    It's up to you how you choose to deal with this, but Microsoft has nothing to 'fix', since the problem is with another company's product that's doing an obviously stupid thing, since literally millions of Microsoft Edge installations around the world are receiving exactly the same malware detection packs and having no difficulty with their delivery or we'd be seeing many thousands of such reports from other 3rd-party product users here as well.

    Try to think logically, which scenario actually makes sense?

    And for future reference, you're posting in a Microsoft Community forum for consumers that typically doesn't try to handle such questions, since to most volunteers and contractors helping here these commercial issues are outside their areas of expertise. I just answered the initial post since as a past admin/security professional, the true issue was obvious.

    However, I'll now direct you instead to the Microsoft Learn - Q&A forums where you should be posting instead, so all of the administrators and other professionals there can tell you the same things I already have.

    Questions - Microsoft Q&A

    Related note: I just did a search and though it isn't related to this particular Microsoft server, someone posted at the Cisco Community with a similar issue of false detections on both Adobe and Eset servers. Please note that the answer from a Cisco Community VIP Advisor was to create a list of whitelisted URLs not to perform inspection on, including those like Microsoft, Apple, Cisco, Adobe, etc. Might want to post your query there as well, since those are people truly in the field, not some back-room at a vendor.

    IPS False positives on Malware signatures - Cisco Community

    Rob

    2 people found this answer helpful.
  2. Rob Koch 25,875 Reputation points Volunteer Moderator
    2023-05-09T20:26:02+00:00

    That's a known, published Microsoft Edge update server that devices performing malware scanning of downloads can sometimes trigger on, since these updates can include strings or signatures within them that 3rd-party security products may also detect as malicious.

    The following excerpt and URL provide a list of these servers and suggest adding these to allow lists, or in your case as exceptions to malware scanning, since these sorts of false positive detections can always occur when such downloads contain similar signature packs relating to malicious code.

    "Locations Microsoft Edge can be downloaded from during an initial install or when an update is available. The download location is determined by the Update Service."

    Allow list for Microsoft Edge endpoints | Microsoft Learn

    Rob

    2 people found this answer helpful.
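    Both Rob's answers above come down to the same triage step: match the blocked destination against the known Microsoft Edge/Windows Update hostnames before treating the alert as real. The following is an added example (not code from the thread or from Microsoft or Cisco) that parses alert lines in the FireSIGHT format quoted in the question and classifies them; the suffix list is derived from the URLs in the question and is an assumption for illustration, and the IP-to-hostname mapping is constructed sample data. It deliberately decides on hostname, not on the bare IP, because a CDN address can be shared.

```python
import re

# Constructed sample alerts in the FireSIGHT format quoted in the question.
SAMPLE_ALERTS = [
    "Connection Type: FireSIGHT SI Category: Malware 192.168.1.2:55213 (unknown) "
    "-> 209.197.3.8:80 (united states) (tcp) Domain: Global",
    "Connection Type: FireSIGHT SI Category: Malware 192.168.1.7:50122 (unknown) "
    "-> 203.0.113.45:443 (unknown) (tcp) Domain: Global",
]
# Hostname suffixes derived from the URLs quoted in the question; an
# illustrative list, not Microsoft's published Edge endpoint allow list.
KNOWN_UPDATE_HOST_SUFFIXES = ("tlu.dl.delivery.mp.microsoft.com", "windowsupdate.com")
# Constructed: hostnames that DNS/proxy logs resolved for each destination IP.
SAMPLE_RESOLVED_HOSTS = {
    "209.197.3.8": ["msedge.b.tlu.dl.delivery.mp.microsoft.com", "ctldl.windowsupdate.com"],
}
ALERT_RE = re.compile(
    r"Category:\s*(?P<category>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r".*?->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    # Pull category, source and destination out of one alert line.
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def is_known_update_host(host):
    # Suffix match, so a label such as 9.tlu.dl.delivery... also matches.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in KNOWN_UPDATE_HOST_SUFFIXES)

def triage(line, resolved_hosts):
    # Decide by hostname, never by bare IP: the CDN address is shared, so an
    # IP-level exception would also exempt anything else served from it.
    a = parse_alert(line)
    if a is None:
        return {"verdict": "unparsed"}
    hosts = resolved_hosts.get(a["dst"], [])
    known = bool(hosts) and all(is_known_update_host(h) for h in hosts)
    a["hosts"] = hosts
    a["verdict"] = "likely-false-positive" if known and a["dport"] in (80, 443) else "investigate"
    return a
```

    An alert whose destination IP has no resolved hostname in the logs stays "investigate"; only a destination that resolves exclusively to the listed update hosts is flagged as a probable false positive for a hostname-based exception.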
  3. Anonymous
    2023-07-29T12:17:24+00:00

    Cisco support had been informed about these events.

    Support had escalated case to Talos team.

    This was the Talos answer:

    "This appears to be a shared IP address. It's possible that this IP address is used for legitimate services, however it is likely getting abused by malicious actors. This IP address was exhibiting signs of malicious activity and was thereby added to the Talos blocklist".

    This is something that Microsoft needs to deal with.

    1 person found this answer helpful.
  4. Anonymous
    2023-07-29T11:45:02+00:00

    We're seeing malware today (htm email attachments with obfuscated javascript) that spins up a chrome browser, impersonates M365 logins to act as a man-in-the-middle password capture.

    It grabs resources from the Microsoft servers as part of its behaviour, including communicating with this HWCDN ip 209.197.3.8.

    Submitted to virustotal, Microsoft, others

    Only Kaspersky and Zonealarm currently report it as a trojan on Virustotal.

    (Any chance of an easy way to quarantine all "script" & "input" containing html email and attachments, Microsoft?)

    1 person found this answer helpful.
  5. Anonymous
    2023-05-10T07:32:57+00:00

    Thanks Rob,

    Cisco submitted a ticket with Talos team. We are waiting for a response from them.

    Marko
