Andy Ful

Level 62
Verified
Trusted
Content Creator
@Andy Ful But I've seen smartscreen.exe triggering even for files without MOTW. I use IDM and 7-Zip, so MOTW is not present for anything I download, but smartscreen does make DNS queries after executing exe files. How effective is this?
Do you see the SmartScreen alert?
What application do you use to see DNS queries?
Anyway, if the file has no MOTW then there is no information which could be included in the MOTW, like the below:
Code:
ZoneId=3
ReferrerUrl=https://tezfiles.com/file/f364418294b28/0199790809.epub
HostUrl=https://free-132.tezfiles.com/9f8b682e9270d/6882139ecc038/422914dfb079f?temp_url_sig=c292653f721bb1ae24fc0ebf6d85a84f24ba311fd7e2c6130cf5958f64cbca24aed8d3d578d1e39728024c1b1f700b99b80267283bfb77af90c4e31f8e9a497e&temp_url_expires=1579797395&id=3374a60eeeec4&ip=any&node_id=132&countable=1&project=moneyplatform&rate_limit=51200&uf=f364418294b28&tags=tz%2Cwebapi%2Cdownload&name=0199790809.epub
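To make the point concrete, here is an added example (not code from the thread or from any of the tools named in it) that parses a Zone.Identifier stream of the kind quoted above and reports what SmartScreen would have to work with; the sample stream text and its example.com hostnames are constructed, and `read_motw` assumes an NTFS volume on Windows.

```python
from urllib.parse import urlsplit

# URLMON security zone ids as they appear in the ZoneId field
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.
    Returns ZoneId (int) plus ReferrerUrl/HostUrl (str) when present; an empty
    dict means there is no [ZoneTransfer] section, i.e. no MOTW at all."""
    result, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                 # section header
            in_section = line.lower() == "[zonetransfer]"
            continue
        if not in_section or "=" not in line:    # other sections, blanks, junk
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "ZoneId":
            if value.isdigit():                  # ignore a malformed ZoneId
                result[key] = int(value)
        else:
            result[key] = value
    return result

def summarize_motw(motw: dict) -> str:
    """One line describing what the stream gives SmartScreen to work with."""
    if "ZoneId" not in motw:
        return "no MOTW: nothing for SmartScreen to check"
    zone = ZONE_NAMES.get(motw["ZoneId"], f"unknown zone {motw['ZoneId']}")
    host = urlsplit(motw.get("HostUrl", "")).hostname or "unknown host"
    return f"zone={zone}; downloaded from {host}"

def read_motw(path: str) -> dict:
    """Read the NTFS alternate data stream <path>:Zone.Identifier (NTFS/Windows)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:                              # no stream, not NTFS, not Windows
        return {}

# Constructed sample modelled on the stream quoted above; hostnames are placeholders
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.com/file/abc123/book.epub\r\n"
                 "HostUrl=https://cdn.example.com/d/abc123?name=book.epub\r\n")
```

A file saved by a downloader that does not write the stream (the IDM/7-Zip case above) yields an empty dict from `read_motw`, which is exactly the "nothing to check" situation.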
 

Andy Ful

Never any alert, but smartscreen.exe does make outbound connections. I use AdGuard Home and it shows all DNS queries.
Strange. I disabled all outbound connections for c:\Windows\system32\smartscreen.exe in Windows Firewall.
When I run a file with MOTW, then I can see the alert that SmartScreen is not available, and there is a blocked outbound connection:
Code:
Event[0]:
Local Time:  2020/01/31 12:29:53
ProcessId:  7824
Application:  C:\windows\system32\smartscreen.exe
Direction:  Outbound
SourceAddress:  xxx.xxx.xxx.xxx
SourcePort:  xxx
DestAddress:  40.85.83.182
DestPort:  xxx
Protocol:  6
FilterRTID:  68197
LayerName:  %%14611
LayerRTID:  48
If the file is run without MOTW then there is no SmartScreen alert and no blocked entry for smartscreen.exe.

I will try AdGuard Home to see what is happening.
 

Andy Ful

Installed AdGuard Home from: AdGuard Home | Overview | AdGuard
I tried to run files from disk with MOTW and without MOTW. No entries in the AdGuard log. I can see only connections made by Edge. I also tried to use scripts that downloaded some files from the Internet. No entries in the AdGuard log.
Does AdGuard need a special configuration, or maybe you have another AdGuard application?
[attachment: adguardhome.png]
 

SeriousHoax

Level 29
Verified
Malware Tester
Installed AdGuard Home from: AdGuard Home | Overview | AdGuard
I tried to run files from disk with MOTW and without MOTW. No entries in the AdGuard log. I can see only connections made by Edge. I also tried to use scripts that downloaded some files from the Internet. No entries in the AdGuard log.
Does AdGuard need a special configuration, or maybe you have another AdGuard application?
Looks like it's the log of the AdGuard browser extension. AdGuard Home is different. Here: AdguardTeam/AdGuardHome
 

Andy Ful

Installed AdGuard Home from AdguardTeam/AdGuardHome.
At 17:46 I downloaded an old version of H_C from GitHub (present in the log) via native Edge. Next, I ran it and bypassed the SmartScreen alert. Finally, I ran it again (no MOTW) and looked at the AdGuard log:

[attachment: adguardhome.png]


As can be seen, there are no DNS queries related to SmartScreen in the log.
Could you send here an example of your log?
 

Andy Ful

Here's one, I think. smartscreen.exe made a connection to this domain. Or is it different?

Btw, look at the time it was captured on, 04:04:04 😃
The domain checkappexec.microsoft.com is related to SmartScreen.
I used the Ping command in CMD for the domains wd-prod-ss-* (checkappexec.microsoft.com resolved for user location) and found IP addresses as follows:
wd-prod-ss-eu-north-1-fe.northeurope.cloudapp.azure.com [23.102.47.40]
wd-prod-ss-eu-north-2-fe.northeurope.cloudapp.azure.com [40.85.83.182]
wd-prod-ss-eu-west-1-fe.westeurope.cloudapp.azure.com [13.80.7.77]
wd-prod-ss-eu-west-2-fe.westeurope.cloudapp.azure.com [137.117.228.253]
wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com [40.112.49.67]
wd-prod-ss-us-east-2-fe.eastus.cloudapp.azure.com [13.68.225.90]
wd-prod-ss-us-west-1-fe.westus.cloudapp.azure.com [13.88.23.8]
wd-prod-ss-us-west-2-fe.westus.cloudapp.azure.com [104.40.91.191]
wd-prod-ss-us-southcentral-1-fe.southcentralus.cloudapp.azure.com [23.98.151.170]
wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com [70.37.74.6]
wd-prod-ss-us-northcentral-1-fe.northcentralus.cloudapp.azure.com [65.52.198.70]
wd-prod-ss-us-northcentral-2-fe.northcentralus.cloudapp.azure.com [157.55.212.205]
wd-prod-ss-uk-south-1-fe.uksouth.cloudapp.azure.com [51.140.188.242]
wd-prod-ss-uk-west-1-fe.ukwest.cloudapp.azure.com [51.141.8.249]
wd-prod-ss-br-south-1-fe.brazilsouth.cloudapp.azure.com [191.232.243.198]
wd-prod-ss-br-south-2-fe.brazilsouth.cloudapp.azure.com [191.232.245.3]
wd-prod-ss-as-east-1-fe.eastasia.cloudapp.azure.com [168.63.202.111]
wd-prod-ss-as-east-2-fe.eastasia.cloudapp.azure.com [168.63.154.101]
wd-prod-ss-as-southeast-1-fe.southeastasia.cloudapp.azure.com [52.163.89.138]
wd-prod-ss-as-southeast-2-fe.southeastasia.cloudapp.azure.com [13.67.116.41]
Wd-prod-ss-au-southeast-1-fe.australiasoutheast.cloudapp.azure.com [52.189.215.221]

Next, I ran a few applications without MOTW and used the cports tool to see the IP connections:
01.02.2020 18:28:26 Created Unknown TCP xxx.xxx.xxx.xxx:xxx................104.20.246.88:443
01.02.2020 18:28:28 Added svchost.exe TCP xxx.xxx.xxx.xxx:xxx................192.168.0.11:55122
01.02.2020 18:28:56 Added Unknown TCP xxx.xxx.xxx.xxx:xxx................40.74.35.71:443

Next, I ran the same applications with MOTW and used the cports tool to see the IP connections:
01.02.2020 18:30:12 Created Unknown TCP xxx.xxx.xxx.xxx:xxx................151.101.38.133:80
01.02.2020 18:30:20 Added smartscreen.exe TCP xxx.xxx.xxx.xxx:xxx................13.80.7.77:443
01.02.2020 18:30:22 Created smartscreen.exe TCP xxx.xxx.xxx.xxx:xxx................13.80.7.77:443

It seems that in my case the checkappexec.microsoft.com domain is not used for files without the MOTW. It is used for files with MOTW (for example 13.80.7.77).
 

SeriousHoax

Interesting and somewhat confusing as well :unsure:
wd-prod-ss-as-east-1-fe.eastasia.cloudapp.azure.com [168.63.202.111]
So, I'm getting connected to this domain even without MOTW. Just now I ran Autoruns Portable and a connection to this domain was made, but it doesn't always happen. Tried a few other applications and nothing was there in the DNS queries. Random occurrence.
 

Andy Ful

Interesting and somewhat confusing as well :unsure:

So, I'm getting connected to this domain even without MOTW. Just now I ran Autoruns Portable and a connection to this domain was made, but it doesn't always happen. Tried a few other applications and nothing was there in the DNS queries. Random occurrence.
It is probable that it is not SmartScreen but cloud-delivered protection. If the application seems suspicious to the local behavior monitoring, then it is checked by the cloud backend. But I am not sure; maybe it depends on the privacy settings.
 

SeriousHoax

It is probable that it is not SmartScreen but cloud-delivered protection. If the application seems suspicious to the local behavior monitoring, then it is checked by the cloud backend. But I am not sure; maybe it depends on the privacy settings.
Maybe but this is the domain "wdcp.microsoft.com" which is used for cloud protection as you know this also. Anyway, I've gone off-topic.
 

Andy Ful

Maybe but this is the domain "wdcp.microsoft.com" which is used for cloud protection as you know this also. Anyway, I've gone off-topic.
Yes, I confirmed it there:
Domains used by Windows Defender Antivirus to provide cloud-delivered protection:
*.wdcp.microsoft.com
*.wdcpalt.microsoft.com
*.wd.microsoft.com
 

Andy Ful

SmartScreen Domains:
Windows 10 Home 1903
*.smartscreen.microsoft.com*

Windows 10 Pro 1903
nav.smartscreen.microsoft.com


But I found many alternative names for smartscreen.microsoft.com:
api.smartscreen.microsoft.com
apprep.smartscreen.microsoft.com
ars.smartscreen.microsoft.com
beta.apprep.smartscreen.microsoft.com
beta.t.urs.microsoft.com
beta.urs.microsoft.com
beta.w.apprep.smartscreen.microsoft.com
bf.smartscreen.microsoft.com
c.urs.microsoft.com
checkappexec.microsoft.com
cp.smartscreen.microsoft.com
d.urs.microsoft.com
data.checkappexec.microsoft.com
data.nav.smartscreen.microsoft.com
data.nf.smartscreen.microsoft.com
i.apprep.smartscreen.microsoft.com
i.w.apprep.smartscreen.microsoft.com
nav.smartscreen.microsoft.com
nf.smartscreen.microsoft.com
p.urs.microsoft.com
pf.checkappexec.microsoft.com
ping.checkappexec.microsoft.com
ping.nav.smartscreen.microsoft.com
ping.nf.smartscreen.microsoft.com
ping.smartscreen.microsoft.com
sl.smartscreen.microsoft.com
smartscreen.microsoft.com
t.bf.smartscreen.microsoft.com
t.checkappexec.microsoft.com
t.nav.smartscreen.microsoft.com
t.nf.smartscreen.microsoft.com
t.urs.microsoft.com
telemetry.urs.microsoft.com
urs.microsoft.com
urs.smartscreen.microsoft.com
w.apprep.smartscreen.microsoft.com
x.urs.microsoft.com

All these domains (except a few that do not work) resolve to wd-prod-ss-*.
In my case, it is a server located in Europe, but for others, it will be one of the servers in other locations (already posted in Discuss - Windows Defender Disappointment).
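The thread's main source of confusion was telling SmartScreen traffic apart from Defender cloud-delivered protection traffic in a DNS log. The following is an added example (not code from the thread, AdGuard Home, or Microsoft) that classifies queried names using the two domain lists posted above plus the wd-prod-ss-* Azure front-end pattern; the query-log sample and its simplified "date time client name" line format are constructed, so adapt `parse_line` to the real export format you use.

```python
import re
from collections import Counter
# Name suffixes from the thread: SmartScreen vs. Defender cloud-delivered protection
SERVICE_SUFFIXES = {
    "SmartScreen": ("smartscreen.microsoft.com", "checkappexec.microsoft.com",
                    "urs.microsoft.com"),
    "Defender cloud protection": ("wdcp.microsoft.com", "wdcpalt.microsoft.com",
                                  "wd.microsoft.com"),
}
# Azure front-end names the SmartScreen names resolve to (wd-prod-ss-* above)
SMARTSCREEN_BACKEND = re.compile(r"^wd-prod-ss-.*\.cloudapp\.azure\.com$", re.I)

def classify(name: str):
    """Return the service a queried name belongs to, or None if unrelated."""
    n = name.lower().rstrip(".")                 # normalise case and trailing dot
    if SMARTSCREEN_BACKEND.match(n):
        return "SmartScreen"
    for service, suffixes in SERVICE_SUFFIXES.items():
        if any(n == s or n.endswith("." + s) for s in suffixes):
            return service
    return None

def parse_line(line: str):
    """Parse 'YYYY-MM-DD HH:MM:SS <client> <name>'; None for anything else."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts[0] + " " + parts[1], parts[2], parts[3]

def summarize_queries(lines):
    """Count queries per service and record the first time each was seen."""
    counts, first_seen = Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _client, name = rec
        service = classify(name)
        if service is not None:
            counts[service] += 1
            first_seen.setdefault(service, ts)
    return counts, first_seen

# Constructed query-log sample in the simplified format parse_line() expects
SAMPLE_LOG = """\
2020-02-01 18:30:20 192.168.0.5 checkappexec.microsoft.com
2020-02-01 18:30:20 192.168.0.5 wd-prod-ss-eu-west-1-fe.westeurope.cloudapp.azure.com
2020-02-01 18:31:02 192.168.0.5 wdcp.microsoft.com
2020-02-01 18:31:05 192.168.0.5 www.example.com
"""
```

Correlating the first-seen timestamp per service with the time a file was run (as done with cports above) is what separates a SmartScreen reputation check on a MOTW file from an unrelated cloud-protection lookup.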
 