Windows Defender Disappointment
<blockquote data-quote="Andy Ful" data-source="post: 857332" data-attributes="member: 32260">
<p>The domain checkappexec.microsoft.com is related to SmartScreen.</p>
<p>I used the Ping command in CMD for the domains wd-prod-ss-* (checkappexec.microsoft.com resolved for user location) and found IP addresses as follows:</p>
<p>Next, I ran a few applications without MOTW and used cports tool to see the IP connections:</p>
<p>01.02.2020 18:28:26 Created Unknown TCP xxx.xxx.xxx.xxx:xxx................104.20.246.88:443</p>
<p>01.02.2020 18:28:28 Added svchost.exe TCP xxx.xxx.xxx.xxx:xxx................192.168.0.11:55122</p>
<p>01.02.2020 18:28:56 Added Unknown TCP xxx.xxx.xxx.xxx:xxx................40.74.35.71:443</p>
<p>Next, I ran the same applications with MOTW and used cports tool to see the IP connections:</p>
<p>01.02.2020 18:30:12 Created Unknown TCP xxx.xxx.xxx.xxx:xxx................151.101.38.133:80</p>
<p>01.02.2020 18:30:20 Added smartscreen.exe TCP xxx.xxx.xxx.xxx:xxx................<strong>13.80.7.77</strong>:443</p>
<p>01.02.2020 18:30:22 Created smartscreen.exe TCP xxx.xxx.xxx.xxx:xxx................<strong>13.80.7.77</strong>:443</p>
<p>It seems that in my case the checkappexec.microsoft.com domain is not used for files without the MOTW. It is used for files with MOTW (for example <strong>13.80.7.77</strong>).</p>
</blockquote>
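The comparison made in the quoted post can be repeated mechanically. The following is an added example, not part of the original post: it parses the two connection captures quoted above and reports which remote endpoints smartscreen.exe contacted only in the run with MOTW. The line format is assumed from the six log lines in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Connection-log lines copied from the quoted post (local address redacted there).
RUN_WITHOUT_MOTW = """\
01.02.2020 18:28:26 Created Unknown TCP xxx.xxx.xxx.xxx:xxx................104.20.246.88:443
01.02.2020 18:28:28 Added svchost.exe TCP xxx.xxx.xxx.xxx:xxx................192.168.0.11:55122
01.02.2020 18:28:56 Added Unknown TCP xxx.xxx.xxx.xxx:xxx................40.74.35.71:443
"""
RUN_WITH_MOTW = """\
01.02.2020 18:30:12 Created Unknown TCP xxx.xxx.xxx.xxx:xxx................151.101.38.133:80
01.02.2020 18:30:20 Added smartscreen.exe TCP xxx.xxx.xxx.xxx:xxx................13.80.7.77:443
01.02.2020 18:30:22 Created smartscreen.exe TCP xxx.xxx.xxx.xxx:xxx................13.80.7.77:443
"""

# Assumed layout: date time event process protocol local....remote_ip:remote_port
LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event>\w+) (?P<process>\S+) (?P<proto>TCP|UDP) "
    r"(?P<local>\S+?)\.{2,}(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)


def parse(log):
    """Return {process name (lower case): set of (remote_ip, remote_port)}."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # blank or unrecognised lines are skipped
            seen[m["process"].lower()].add((m["ip"], int(m["port"])))
    return dict(seen)


def new_endpoints(baseline, test, process="smartscreen.exe"):
    """Endpoints that `process` contacted in `test` but not in `baseline`."""
    before = parse(baseline).get(process, set())
    after = parse(test).get(process, set())
    return sorted(after - before)


if __name__ == "__main__":
    for ip, port in new_endpoints(RUN_WITHOUT_MOTW, RUN_WITH_MOTW):
        print(f"smartscreen.exe -> {ip}:{port} appears only in the MOTW run")
```

Connections attributed to "Unknown" cannot be tied to a process from the log alone, so the comparison keys on the process name rather than on the remote address.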