This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 40%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDH%3C/text%3E%3C/svg%3E)
Dear Team,
For the past few days, I have been facing the following issue with windows updates on 2 machines.
The machines are connecting to the following site [legitimate, as it seems] for updates: [http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?]
However, I get AV detections that the connections to this site are basically connections to the suspicious IP:
Remote IP 175.4.51.35
Remote Port 80
This IP belongs to China Telecom, as can be viewed in
https://whois.domaintools.com/175.4.51.35 and is of mixed reputation reviews.
I checked DNS, WUSUS. All good.
One of the 2 machines, was disconnected from the Internet and still connected to same http and Chinese IP.
I cannot really explain this. Your feedback would be appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 44%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPY%3C/text%3E%3C/svg%3E)
Even I have a similar question.
The machines were updated with six Chinese IPs, which belonged to China Unicom China169 Backbone and Shenzhen Tencent Computer Systems Company Limited. However, the domains resolved to various names when I did an iplookup.
I even check in abuseipdb but there were no abuse reports there.