Windows Defender Disappointment

Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
SeriousHoax said:
@Andy Ful But I've seen smartscreen.exe triggering even for files without MOTW. I use IDM and 7zip so MOTW is not present for anything I download but smartscreen does make dns queries after executing an exe files. How effective is this?
Click to expand...
Do you see the SmartScreen alert?
What application do you use to see DNS queries?
Anyway, If the file has no MOTW then there is no information which could be included in the MOTW, like the below:
Code: 
ZoneId=3
ReferrerUrl=https://tezfiles.com/file/f364418294b28/0199790809.epub
HostUrl=https://free-132.tezfiles.com/9f8b682e9270d/6882139ecc038/422914dfb079f?temp_url_sig=c292653f721bb1ae24fc0ebf6d85a84f24ba311fd7e2c6130cf5958f64cbca24aed8d3d578d1e39728024c1b1f700b99b80267283bfb77af90c4e31f8e9a497e&temp_url_expires=1579797395&id=3374a60eeeec4&ip=any&node_id=132&countable=1&project=moneyplatform&rate_limit=51200&uf=f364418294b28&tags=tz%2Cwebapi%2Cdownload&name=0199790809.epub
 
Last edited:
  • Like
Reactions: Mercenary, Protomartyr, oldschool and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
SeriousHoax said:
Never any alert but smartscreen.exe does make outbound connections. I use I Adguard Home and it shows all dns queries.
Click to expand...
Strange. I disabled all outbound connections for c:\Windows\system32\smartscreen.exe in Windows Firewall.
When I run a file with MOTW, then I can see the alert that SmartScreen is not available, and there is a blocked outbound connection:
Code: 
Event[0]:
Local Time:  2020/01/31 12:29:53
ProcessId:  7824
Application:  C:\windows\system32\smartscreen.exe
Direction:  Outbound
SourceAddress:  xxx.xxx.xxx.xxx
SourcePort:  xxx
DestAddress:  40.85.83.182
DestPort:  xxx
Protocol:  6
FilterRTID:  68197
LayerName:  %%14611
LayerRTID:  48

If the file is run without MOTW then there is no SmartScreen alert and no blocked entry for smartscreen.exe .

I will try Addguard Home to see what is happening.
 
  • Like
  • Thanks
Reactions: Burrito, Mercenary, roger_m and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Installed Adguard Home from : AdGuard Home | Overview | AdGuard
I tried to run files from disk with MOTW and without MOTW. No entries in the Adguard log. I can see only connections made by Edge. I also tried to use scripts that downloaded some files from the Internet. No entries in the Adguard log.
Does Adguard need a special configuration or maybe you have another Addguard application?
adguardhome.png
 
  • Like
  • +Reputation
  • Applause
Reactions: simmerskool, Burrito, Mercenary and 7 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Andy Ful said:
Installed Adguard Home from : AdGuard Home | Overview | AdGuard
I tried to run files from disk with MOTW and without MOTW. No entries in the Adguard log. I can see only connections made by Edge. I also tried to use scripts that downloaded some files from the Internet. No entries in the Adguard log.
Does Adguard need a special configuration or maybe you have another Addguard application?
View attachment 233074
Click to expand...
Looks like it's the log of Adguard browser extension. Adguard Home is different. Here: AdguardTeam/AdGuardHome
 
  • Like
  • Applause
Reactions: Burrito, Mercenary, roger_m and 7 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Installed the Adguard from AdguardTeam/AdGuardHome .
At time 17:46 I downloaded an old version of H_C from GitHub (present in the log) via native Edge. Next, I ran it and bypassed the SmartScreen alert. Finally, I have run it again (no MOTW) and looked at the Adguard log:

adguardhome.png


As can be seen, there are no DNS queries related to SmartScreen in the log.
docs.microsoft.com

Windows 10, version 1903, connection endpoints for non-Enterprise editions - Windows Privacy

Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1903.
docs.microsoft.com
Could you send here an example of your log?
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: Nevi, Burrito, Mercenary and 6 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
SeriousHoax said:
Here's one I think. smartscreen.exe made connection to this domain. Or is it different?

Btw, look at the time it was captured on, 04:04:04 😃
Click to expand...
The domain checkappexec.microsoft.com is related to SmartScreen.
I used the Ping command in CMD for the domains wd-prod-ss-* (checkappexec.microsoft.com resolved for user location) and found IP addresses as follows:
wd-prod-ss-eu-north-1-fe.northeurope.cloudapp.azure.com [23.102.47.40]
wd-prod-ss-eu-north-2-fe.northeurope.cloudapp.azure.com [40.85.83.182]
wd-prod-ss-eu-west-1-fe.westeurope.cloudapp.azure.com [13.80.7.77]
wd-prod-ss-eu-west-2-fe.westeurope.cloudapp.azure.com [137.117.228.253]
wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com [40.112.49.67]
wd-prod-ss-us-east-2-fe.eastus.cloudapp.azure.com [13.68.225.90]
wd-prod-ss-us-west-1-fe.westus.cloudapp.azure.com [13.88.23.8]
wd-prod-ss-us-west-2-fe.westus.cloudapp.azure.com [104.40.91.191]
wd-prod-ss-us-southcentral-1-fe.southcentralus.cloudapp.azure.com [23.98.151.170]
wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com [70.37.74.6]
wd-prod-ss-us-northcentral-1-fe.northcentralus.cloudapp.azure.com [65.52.198.70]
wd-prod-ss-us-northcentral-2-fe.northcentralus.cloudapp.azure.com [157.55.212.205]
wd-prod-ss-uk-south-1-fe.uksouth.cloudapp.azure.com [51.140.188.242]
wd-prod-ss-uk-west-1-fe.ukwest.cloudapp.azure.com [51.141.8.249]
wd-prod-ss-br-south-1-fe.brazilsouth.cloudapp.azure.com [191.232.243.198]
wd-prod-ss-br-south-2-fe.brazilsouth.cloudapp.azure.com [191.232.245.3]
wd-prod-ss-as-east-1-fe.eastasia.cloudapp.azure.com [168.63.202.111]
wd-prod-ss-as-east-2-fe.eastasia.cloudapp.azure.com [168.63.154.101]
wd-prod-ss-as-southeast-1-fe.southeastasia.cloudapp.azure.com [52.163.89.138]
wd-prod-ss-as-southeast-2-fe.southeastasia.cloudapp.azure.com [13.67.116.41]
Wd-prod-ss-au-southeast-1-fe.australiasoutheast.cloudapp.azure.com [52.189.215.221]

Next, I ran a few applications without MOTW and used cports tool to see the IP connections:
01.02.2020 18:28:26 Created Unknown TCP xxx.xxx.xxx.xxx:xxx................104.20.246.88:443
01.02.2020 18:28:28 Added svchost.exe TCP xxx.xxx.xxx.xxx:xxx................192.168.0.11:55122
01.02.2020 18:28:56 Added Unknown TCP xxx.xxx.xxx.xxx:xxx................40.74.35.71:443

Next, I ran the same applications with MOTW and used cports tool to see the IP connections:
01.02.2020 18:30:12 Created Unknown TCP xxx.xxx.xxx.xxx:xxx................151.101.38.133:80
01.02.2020 18:30:20 Added smartscreen.exe TCP xxx.xxx.xxx.xxx:xxx................13.80.7.77:443
01.02.2020 18:30:22 Created smartscreen.exe TCP xxx.xxx.xxx.xxx:xxx................13.80.7.77:443

It seems that in my case the checkappexec.microsoft.com domain is not used for files without the MOTW. It is used for files with MOTW (for example 13.80.7.77).
 
Last edited:
  • Like
Reactions: simmerskool, harlan4096, Protomartyr and 3 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Interesting and somewhat confusing as well :unsure:
Andy Ful said:
wd-prod-ss-as-east-1-fe.eastasia.cloudapp.azure.com [168.63.202.111]
Click to expand...
So, I'm getting connected to this domain even without MOTW. Just now ran Autoruns Portable and a connection to this domain was made but it doesn't happen always. Tried some few other applications and nothing was there in dns queries. Random occurrence.
 
  • Like
Reactions: Andy Ful, Protomartyr, [correlate] and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
SeriousHoax said:
Interesting and somewhat confusing as well :unsure:

So, I'm getting connected to this domain even without MOTW. Just now ran Autoruns Portable and a connection to this domain was made but it doesn't happen always. Tried some few other applications and nothing was there in dns queries. Random occurrence.
Click to expand...
It is probable that it is not SmartScreen, but Cloud delivered protection. If the application seems suspicious to the local behavior monitoring, then it is checked by the cloud backend. But, I am not sure, maybe it depends on the privacy settings.
 
  • Like
Reactions: Protomartyr, harlan4096, [correlate] and 1 other person
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Andy Ful said:
It is probable that it is not SmartScreen, but Cloud delivered protection. If the application seems suspicious to the local behavior monitoring, then it is checked by the cloud backend. But, I am not sure, maybe it depends on the privacy settings.
Click to expand...
Maybe but this is the domain "wdcp.microsoft.com" which is used for cloud protection as you know this also. Anyway, I've gone off-topic.
 
Last edited:
  • Like
Reactions: harlan4096, Protomartyr, Andy Ful and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
SeriousHoax said:
Maybe but this is the domain "wdcp.microsoft.com" which is used for cloud protection as you know this also. Anyway, I've gone off-topic.
Click to expand...
Yes, I confirmed it there:
docs.microsoft.com

Configure and validate Microsoft Defender Antivirus network connections - Microsoft Defender for Endpoint

Configure and test your connection to the Microsoft Defender Antivirus cloud protection service.
docs.microsoft.com
Domains used by Windows Defender Antivirus to provide cloud-delivered protection:
*.wdcp.microsoft.com
*.wdcpalt.microsoft.com
*.wd.microsoft.com
 
  • Like
  • +Reputation
Reactions: simmerskool, SeriousHoax, Gandalf_The_Grey and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
SmartScreen Domains:
Windows 10 Home 1903
*.smartscreen.microsoft.com*

Windows 10 Pro 1903
nav.smartscreen.microsoft.com

docs.microsoft.com

Windows 10, version 1903, connection endpoints for non-Enterprise editions - Windows Privacy

Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1903.
docs.microsoft.com

But I found many alternative names for smartscreen.microsoft.com:
api.smartscreen.microsoft.com
apprep.smartscreen.microsoft.com
ars.smartscreen.microsoft.com
beta.apprep.smartscreen.microsoft.com
beta.t.urs.microsoft.com
beta.urs.microsoft.com
beta.w.apprep.smartscreen.microsoft.com
bf.smartscreen.microsoft.com
c.urs.microsoft.com
checkappexec.microsoft.com
cp.smartscreen.microsoft.com
d.urs.microsoft.com
data.checkappexec.microsoft.com
data.nav.smartscreen.microsoft.com
data.nf.smartscreen.microsoft.com
i.apprep.smartscreen.microsoft.com
i.w.apprep.smartscreen.microsoft.com
nav.smartscreen.microsoft.com
nf.smartscreen.microsoft.com
p.urs.microsoft.com
pf.checkappexec.microsoft.com
ping.checkappexec.microsoft.com
ping.nav.smartscreen.microsoft.com
ping.nf.smartscreen.microsoft.com
ping.smartscreen.microsoft.com
sl.smartscreen.microsoft.com
smartscreen.microsoft.com
t.bf.smartscreen.microsoft.com
t.checkappexec.microsoft.com
t.nav.smartscreen.microsoft.com
t.nf.smartscreen.microsoft.com
t.urs.microsoft.com
telemetry.urs.microsoft.com
urs.microsoft.com
urs.smartscreen.microsoft.com
w.apprep.smartscreen.microsoft.com
x.urs.microsoft.com
censys.io

Censys

Censys helps organizations, individuals, and researchers find and monitor every server on the Internet to reduce exposure and improve security.
censys.io censys.io

All these domains (except a few that do not work) resolves to wd-prod-ss-*.
In my case, it is a server located in Europe, but for others, it will be one of the servers in other locations (already posted in Discuss - Windows Defender Disappointment).
 
Last edited:
  • Like
  • +Reputation
Reactions: SeriousHoax, Gandalf_The_Grey, harlan4096 and 4 others

Similar threads

Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus (Default Settings + DefenderUI Recommanded Settings)
Replies
34
Views
3,257
Video Reviews - Security and Privacy
lokamoka820
lokamoka820
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,309
Video Reviews - Security and Privacy
tofargone
tofargone
Lymphocyte
    • Like
    • Wow
Security News Microsoft Defender adds detection of unsecure Wi-Fi networks
Replies
0
Views
1,518
Security News
Lymphocyte
Lymphocyte

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top