ATP Alerts every 4 - 8 mins.

Looks to me like your DC is attempting to contact difference sources attempting to run some VBS script via Microsoft IE or Edge.  I would check your DC has the latest security updates and maybe temporary disabled IE or Edge.

Good Luck

Hi there,

we're facing the same problem since yesterday.
Any help would be appreciated.

Kind regards

Same here... but with a SOPHOS XG

Source is "map2.hwcdn.net", look here: https://docs.microsoft.com/de-de/windows/privacy/windows-endpoints-1709-non-enterprise-editions

Maybe false-positive?

Best regards

Michael

Hi,

Same issue here since yesterday around 22:00. I think it is related to the KB4556799 windows update of yesterdays Microsofts PatchTuesday. The moment I try to search for updates it is getting blocked. Also all the IP's it tries to get it from are Content delivery network providers (akamai, Highwindsgroup, Edgecast, centurylink etc) which makes sense with windows updates.

I think this is a false positive.

Kind Regards

(edit typos)

Follow up to my original post.  My bad - it was not a domain controller, it was an internal web server that was being called out by IPS.  After logging into the webserver and doing a netstat for all activity on port 80 I saw that doSvc (Windows Delivery Optimization service ) was the culprit.  I then looked at Windows update and it was stuck downloading 2020-05 Cumulative Update for Windows Server 2019.  So that means either the CDN's have been compromised and the content is infected or its a false positive with the snort rule.  I have since then disabled the Delivery Optimization service.

Seeing all the other similar posts my money is on a bad snort rule.

Dave.

I've been getting these too from our Windows computers. It didn't really stop after turning off Delivery Optimization (maybe it was stlll trying to use it), but I downloaded the update manually (from MS) and applied it, and haven't had it since from that computer.

Manual install KB4556799 solved the Problem.

Download KB4556799:

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4556799

Same problem!!!

Log:

2020:05:20-01:20:42 texa-it-fw-1 snort[23635]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="BROWSER-IE Microsoft Edge App-v vbs command attempt" group="110" srcip="8.241.83.254" dstip="172.16.x.y" proto="6" srcport="80" dstport="41865" sid="48053" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

I'm using System Center Configuration Manager and WSUS component trying to download 2 patch with the same error.

The URLs blocked are:

http://download.windowsupdate.com/c/msdownload/update/software/secu/2020/05/windows10.0-kb4551853-x64_9c1e1ab28eddcf0c668b05443f2085b0a4226be6.cab

http://download.windowsupdate.com/d/msdownload/update/software/secu/2020/05/windows10.0-kb4556799-x64_0d13c92e38b7c73b3f30ad79dfaf67318ecfd6fc.cab

Using http://www.catalog.update.microsoft.com/ I can download and import both patchs into WSUS.

Regards

Marco