This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 27%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKW%3C/text%3E%3C/svg%3E)
Not sure if Microsoft is aware but the CTLDL.windowsupdate.com/* (209.197.3.8) is being reported by several sites as being malicious.
Back in November 2021, we were trying to import an update directly into WSUS and it (the IP address) was being blocked by our Enterprise Firewall. I went off-network, downloaded the update, and deployed it afterward but it bugged me that it was being blocked.
Recently, we have been deploying office with zero-content with SCCM and only using the setup.exe and config file and allowing the endpoints to go direct to MS for the bits for the main content, and again, it's being blocked at that IP address.
My big question is "Is MS even aware they are using an IP address as part of their CDN that is a known scanning IP"?
Any update on this?
Without more info (as requested in my other response), not much can be said or done. Ultimately, the CDNs are not owned or operated by Microsoft so we need more information, including where you are seeing this as blacklisted, to be able to pursue this in any way.
is being reported by several sites as being malicious
Can you please expand on which sites exactly are reporting this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 51%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHM%3C/text%3E%3C/svg%3E)
Hi Jason,
Greetings!
We have a similar issue, traffic from this IP is getting detected at our Meraki MX IDS/IPS for the snort rule - 'Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt' which is based on CVE-2018-8210.
Passive DNS Replication suggests this IP was resolved to domains such as - *.au-msedge.net, *.delivery.mp.microsoft.com, *.trafficmanager.net, *.download.windowsupdate.com etc., which I believe belongs to Microsoft.
REF: https://www.virustotal.com/gui/ip-address/209.197.3.8/relations
Does Microsoft have a list of IP/ranges which are used for updates and other usage. Is there any other way to identify which IPs belong to Microsoft and whitelist accordingly.
Thanks,
Hemanth Meda
No, there is no authoritative list as Windows Update is fronted by multiple global CDNs that are not Microsoft property or controlled. Additionally, for security purposes, the IPs on the CDNs are regularly rotated.
If you feel there is a genuine security issue from an IP that Microsoft owns, you should contact Microsoft support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 79%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 28.999999999999996%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKW%3C/text%3E%3C/svg%3E)
Cisco umbrella is constantly blocking computers trying to update. This is a pain in the
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 71%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO%3C/text%3E%3C/svg%3E)
same happening here, it's being allowed on the windows firewall on one server and being blocked on the other, here's some data from Wireshark below. So is this ip address ok or not, why is it not being sent on port 443?
Frame 184908: 336 bytes on wire (2688 bits), 336 bytes captured (2688 bits) on interface \Device\NPF_{A45EE965-68AB-45E2-A638-D295BE7F52F7}, id 0
Section number: 1
Interface id: 0 (\Device\NPF_{A45EE965-68AB-45E2-A638-D295BE7F52F7})
Encapsulation type: Ethernet (1)
Arrival Time: Nov 23, 2023 01:33:06.823244000 GMT Standard Time
UTC Arrival Time: Nov 23, 2023 01:33:06.823244000 UTC
Epoch Arrival Time: 1700703186.823244000
[Time shift for this packet: 0.000000000 seconds]
[Time delta from previous captured frame: 0.000248000 seconds]
[Time delta from previous displayed frame: 0.000248000 seconds]
[Time since reference or first frame: 3725.251857000 seconds]
Frame Number: 184908
Frame Length: 336 bytes (2688 bits)
Capture Length: 336 bytes (2688 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:http]
[Coloring Rule Name: HTTP]
[Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: host1.mydomain.com (00:16:3e:f0:cd:1c), Dst: IETF-VRRP-VRID_01 (00:00:5e:00:01:01)
Destination: IETF-VRRP-VRID_01 (00:00:5e:00:01:01)
Source: host1.mydomain.com (00:16:3e:f0:cd:1c)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: host1.mydomain.com (xxx.xxx.xxx.xxx), Dst: cs11.wpc.v0cdn.net (93.184.221.240)
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 322
Identification: 0x5ccd (23757)
010. .... = Flags: 0x2, Don't fragment
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 128
Protocol: TCP (6)
Header Checksum: 0x0000 [validation disabled]
[Header checksum status: Unverified]
Source Address: host1.mydomain.com (xxx.xxx.xxx.xxx)
Destination Address: cs11.wpc.v0cdn.net (93.184.221.240)
Transmission Control Protocol, Src Port: 52765 (52765), Dst Port: http (80), Seq: 1, Ack: 1, Len: 282
Source Port: 52765 (52765)
Destination Port: http (80)
[Stream index: 23]
[Conversation completeness: Complete, WITH_DATA (31)]
[TCP Segment Len: 282]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 3747029734
[Next Sequence Number: 283 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 1357579119
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
Window: 49183
[Calculated window size: 12590848]
[Window size scaling factor: 256]
Checksum: 0xbb8c [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[SEQ/ACK analysis]
TCP payload (282 bytes)
Hypertext Transfer Protocol
GET /msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?3d6822b3e0d16cd9 HTTP/1.1\r\n
Connection: Keep-Alive\r\n
Accept: */*\r\n
If-Modified-Since: Fri, 02 Jun 2017 17:39:05 GMT\r\n
If-None-Match: "80424021c7dbd21:0"\r\n
User-Agent: Microsoft-CryptoAPI/10.0\r\n
Host: ctldl.windowsupdate.com\r\n
\r\n
[Full request URI: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?3d6822b3e0d16cd9]
[HTTP request 1/1]
[Response in frame: 184910]
by the way, it's coming up as a different ip address on mine:- 93.184.221.240 and it's flagged as malicious on virus total with 3 Security vendors' analysis