Reconnaissance Detected: Computer OS Fingerprint Probe originating from Azure 168.63.129.16

Dan Schneider 21 Reputation points
2021-12-22T16:06:22+00:00

The following warning is being generated from Trend Micro DSaaS in Azure:

Reconnaissance Detected: Computer OS Fingerprint Probe

Event: Computer OS Fingerprint Probe
Description: The computer at IP address 168.63.129.16 attempted a "fingerprint" probe in order to identify the operating system.

There is no Microsoft documentation describing this activity as normal.

Is there a specific resource available regarding fingerprint probes being generated from Azure IP 168.63.129.16?

The only documentation available is https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16


Accepted answer
    GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
    2021-12-23T11:24:15.38+00:00

    Hello @Dan Schneider ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I checked internally and could find another customer who reported the same issue and below are the details for your reference:

    IP 168.63.129.16 is an Azure wire server IP, and the doc below explains what it is used for.
    https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
    One of the main components that uses this IP address is the Azure Guest agent.

    The Microsoft Azure Virtual Machine Agent (VM Agent) is a secure, lightweight process that manages virtual machine (VM) interaction with the Azure Fabric Controller. The guest agent communicates with the Azure Fabric Controller continuously to share the status of your virtual machine.
    The doc below explains what the Guest Agent is and what automatic logs are collected from the VM:
    https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-windows#windows-guest-agent-automatic-logs-collection

    From the above 2 points, we can validate why the IP address attempted a probe to the VM and as the notification implies, the probe was to identify the operating system.

    We have also checked the Trend Micro documentation regarding this issue, and the document below explains the alert triggered on this incident.
    https://help.deepsecurity.trendmicro.com/10_1/aws/Events-Alerts/reconnaissance-detected.html#:~:text=Types%20of%20reconnaissance%20scans&text=Computer%20OS%20Fingerprint%20Probe%3A%20The,ratio%20of%20IPs%20to%20ports

    From the triggered notification,
    The incident level is Warning.
    The scan type is: Computer OS Fingerprint Probe: The agent or appliance detects an attempt to discover the computer's OS.

    It mentions that the IP attempted to identify the Operating System.

    Also, the document has the below suggested actions.

    When you receive a Reconnaissance Detected alert, double-click it to display more detailed information, including the IP address that is performing the scan. Then, you can try one of these suggested actions:

    The alert may be caused by a scan that is not malicious. If the IP address listed in the alert is known to you and the traffic is okay, you can add the IP address to the reconnaissance allow list

    If we check the Scope of the Wire Server IP, the communication between this special IP address and the resources is safe because only the internal Azure platform can source a message from this IP address.
    https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16#scope-of-ip-address-1686312916

    Per the suggested actions, you can authorize the Wire Server IP address in your tool, because if this address is blocked, unexpected behavior can occur in a variety of scenarios. 168.63.129.16 is a virtual IP of the host node and as such it is not subject to user defined routes.

    However, if you would like to do a deeper investigation on this issue, I request that you file a support ticket; otherwise please let us know and we will try to help you get one-time free technical support.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

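The triage the answer describes (read the alert, find the scanning IP, allow-list it only if it is the Azure wire server, otherwise investigate) as an added Python example; this is not code from the thread or from Trend Micro or Microsoft, and the alert text format is assumed to follow the Description line quoted in the question.

```python
import ipaddress
import re
from dataclasses import dataclass

# Azure platform virtual IP (wire server / guest agent), documented at
# https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
AZURE_WIRE_SERVER = ipaddress.ip_address("168.63.129.16")

# Assumed shape of the Description line in a Deep Security "Reconnaissance Detected" alert
_DESC_RE = re.compile(
    r'The computer at IP address (?P<ip>[0-9a-fA-F:.]+) attempted a "(?P<probe>[^"]+)" probe'
)


@dataclass
class Triage:
    source_ip: str
    probe: str
    disposition: str  # "allowlist" or "investigate"
    reason: str


def triage_recon_alert(alert_text: str) -> Triage:
    """Parse a reconnaissance alert and decide how to handle its source IP."""
    m = _DESC_RE.search(alert_text)
    if not m:
        raise ValueError("no recognisable Description line in alert")
    ip = ipaddress.ip_address(m.group("ip"))
    probe = m.group("probe")
    if ip == AZURE_WIRE_SERVER:
        # Only the Azure platform can source traffic from this address; blocking it breaks the guest agent
        return Triage(str(ip), probe, "allowlist",
                      "Azure wire server / guest agent; add to the reconnaissance allow list")
    return Triage(str(ip), probe, "investigate",
                  "source is not a known Azure platform address; review where the scan came from")


# Constructed sample alerts, modelled on the alert text quoted in the question
SAMPLE_AZURE = """Reconnaissance Detected: Computer OS Fingerprint Probe
Event: Computer OS Fingerprint Probe
Description: The computer at IP address 168.63.129.16 attempted a "fingerprint" probe in order to identify the operating system."""

SAMPLE_OTHER = """Reconnaissance Detected: Computer OS Fingerprint Probe
Event: Computer OS Fingerprint Probe
Description: The computer at IP address 203.0.113.7 attempted a "fingerprint" probe in order to identify the operating system."""

if __name__ == "__main__":
    for text in (SAMPLE_AZURE, SAMPLE_OTHER):
        t = triage_recon_alert(text)
        print(f"{t.source_ip}: {t.probe} -> {t.disposition} ({t.reason})")
```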
