Microsoft SmartScreen filter triggers mysterious downloading of private files from web server

I uploaded some private files in a directory on our web server yesterday (no password protection, but an obscure path), and I discovered in our IIS logs that somebody was downloading them from our server a few minutes later.  The directory does not have browsing enabled in IIS7, and the filenames were too long for somebody to have just stumbled upon them.  Furthermore, the "GET" command issued on the file was the only connection from the mystery IP address ( recorded in the logs.  No prior connects had been made from that IP to our server.  So whoever it was knew the exact URL before they downloaded the file.

After some investigation, I determined that this only happens after I download the file from our web server using IE (not Firefox), and Microsoft SmartScreen filter connects to a SmartScreen server ( to look up the URL I am downloading from.  If I disable SmartScreen before I download my file, the mystery download never happens.

So clearly this "mystery" server at is learning of the URL from SmartScreen.  What I'm not sure of is whether this is normal behavior for Microsoft's SmartScreen servers (it seems a bit invasive to me!), or whether this is some hijack going on that I can't find.

I have some machines that don't seem to trigger this mystery download even though they have SmartScreen enabled.  But I have two machines (Windows 7 with IE8 and Windows Server 2003 with IE8) that do it pretty consistently.  The two machines that do it are completely unrelated machines on different networks at different companies, so I have no reason to suspect a common infection.

My PC scans clean with Spybot, AVG, Avast, and Malwarebytes.

I found some references to on the Internet.  One forum thread talks about it being a Microsoft SmartScreen (Phishing) filter server address.  A Microsoft document about Trojan:Win32/Vundo.BH and another website about W32.Vundo/MS Juan Trojan Virus name it as a rogue server that is used to distribute ads or commands to this trojan!  How odd that Microsoft would name one of their own IP addresses as a server that serves up ads to malware!

The mystery connection usually comes from an IP in 208.50.101.x (Global Crossing), but sometimes comes from 64.124.203.x (AboveNet).  

Is anyone familiar with this behavior of SmartScreen?  Does this sound like my PC is infected, or Microsoft is just being a little aggressive in checking up on my browsing?  

Some additional notes:

I found a discussion between a few other people seeing the same behavior at (I removed the full URL for the thread to avoid spammers getting a hold of it, but you can search for "scraped" on that website to find the discussion).

The mystery connection always converts the URL to all-lowercase.  Our web server is IIS so this doesn't prevent them from downloading the file.

A packet sniffer on the web server shows that the mystery connection is downloading the whole file, not just checking to see if the GET command succeeds.

They only download each file once, even if I download it again later.  But if I rename the file and download it again with the new name, they connect a few minutes later and download the new file.

Any suggestions?

It would be nice to see the logs you are referring to. Are you sure it isn't the web server moving the files to the appropriate directory?

Check out this whois entry for your mystery IP and see if anything there helps you out.
trusnock (Author) Commented:
Here is a sample from the logs.  I downloaded the files "", "", and "" from the web server to my PC.  A few minutes later, these Global Crossing IP addresses (, downloaded two of the three files that I had downloaded previously.

I've masked my web server and office IP addresses in these logs, but I left the mystery IPs intact...

2010-04-10 02:24:29 {WEB_SERVER_IP} GET /logs/ - 80 - {MY_OFFICE_IP} Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.2;+.NET+CLR+1.1.4322) 200 0 0 6364
2010-04-10 02:26:51 {WEB_SERVER_IP} GET /logs/ - 80 - {MY_OFFICE_IP} Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.2;+.NET+CLR+1.1.4322) 200 0 0 6708
2010-04-10 02:27:03 {WEB_SERVER_IP} GET /logs/ - 80 - {MY_OFFICE_IP} Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.2;+.NET+CLR+1.1.4322) 200 0 0 5725
2010-04-10 02:30:11 {WEB_SERVER_IP} GET /logs/ - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0 8751
2010-04-10 02:32:25 {WEB_SERVER_IP} GET /logs/ - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0 4539

I'm not sure what I said that led you to believe this might be the server moving files around.  As I mentioned above, I used a packet sniffer on our web server and saw the Global Crossing IP address connecting to the server and downloading the file.

Thanks for your help and input,
-Tom R.
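The following detection logic is an added example and is not code from the original thread. It parses IIS W3C log lines in the same layout as the ones posted above and flags the pattern shown there: a GET for a URL from an untrusted IP a few minutes after a trusted (office) IP fetched it, matched case-insensitively on the path because the follow-up request arrives with the URL lowercased. The log lines in SAMPLE_LOG are constructed for this example (documentation-range IP addresses, made-up file names, trimmed user agents); the real values are masked or missing in the post. The 10-minute window and the set of "trusted" client IPs are assumptions you would adjust for your own server.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C log sample modelled on the lines posted above. IPs are
# documentation ranges, file names and user agents are invented for the example.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-04-10 02:24:29 10.0.0.5 GET /logs/Report_Q1_Private.zip - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) 200 0 0 6364
2010-04-10 02:26:51 10.0.0.5 GET /logs/Budget_2010.xlsx - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) 200 0 0 6708
2010-04-10 02:30:11 10.0.0.5 GET /logs/report_q1_private.zip - 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0 8751
2010-04-10 02:32:25 10.0.0.5 GET /logs/budget_2010.xlsx - 80 - 203.0.113.8 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0 4539
2010-04-10 03:10:00 10.0.0.5 GET /logs/Budget_2010.xlsx - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) 200 0 0 6700
2010-04-10 05:00:00 10.0.0.5 GET /logs/Budget_2010.xlsx - 80 - 198.51.100.3 curl/7.19 200 0 0 6700
"""


def parse_iis_log(text):
    """Parse W3C-format IIS log text into a list of dicts keyed by the #Fields names."""
    fields = None
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess at field positions
        entry = dict(zip(fields, parts))
        entry["ts"] = datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries


def find_scraper_fetches(entries, trusted_ips, window=timedelta(minutes=10)):
    """Report URLs fetched by an untrusted IP shortly after a trusted IP fetched them.

    The path comparison is case-insensitive because the follow-up request in the
    logs above arrives lowercased. Each (url, untrusted ip) pair is reported once.
    """
    entries = sorted(entries, key=lambda e: e["ts"])
    hits = []
    reported = set()
    for i, first in enumerate(entries):
        if first["c-ip"] not in trusted_ips or first["cs-method"] != "GET":
            continue
        key = first["cs-uri-stem"].lower()
        for later in entries[i + 1:]:
            delay = later["ts"] - first["ts"]
            if delay > window:
                break  # entries are sorted, nothing further can be inside the window
            if later["c-ip"] in trusted_ips or later["cs-uri-stem"].lower() != key:
                continue
            pair = (key, later["c-ip"])
            if pair in reported:
                continue
            reported.add(pair)
            hits.append({
                "uri": first["cs-uri-stem"],
                "first_by": first["c-ip"],
                "fetched_by": later["c-ip"],
                "fetched_with": later["cs(User-Agent)"],
                "delay_s": int(delay.total_seconds()),
                # True when the follower used a lowercased copy of a mixed-case path
                "lowercased": later["cs-uri-stem"] != first["cs-uri-stem"]
                and later["cs-uri-stem"] == key,
            })
    return hits


if __name__ == "__main__":
    office_ips = {"192.0.2.10"}  # assumed: the IP the author downloads from
    for hit in find_scraper_fetches(parse_iis_log(SAMPLE_LOG), office_ips):
        print("{uri} fetched by {fetched_by} {delay_s}s after {first_by} "
              "(lowercased={lowercased}, ua={fetched_with})".format(**hit))
```

Run it against a real IIS log by reading the file into `parse_iis_log` and passing your own office or VPN addresses as `trusted_ips`. Treat each hit as a lead, not a verdict: a corporate proxy, a CDN or a colleague re-opening the same link produces the same shape, so the distinguishing signals are the ones the author observed, a single connection from an address with no prior history, an older browser user agent, and the lowercased path. The check on `curl` at 05:00 in the sample deliberately falls outside the window to show that an unrelated later visitor is not reported.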
Please look through this information about that IP address. Does that address look familiar to you? That is the IP address info for the IP that is downloading files from you. Are you certain about your web server? I'm not sure if it is in-house; it sounds like it is somewhere else. Are you certain they don't back up everything for you?

IP Information for

IP Location:       United States       Global Crossing
IP Address:               
OrgName:    Global Crossing
OrgID:      GBLX
Address:    14605 South 50th Street
City:       Phoenix
StateProv:  AZ
PostalCode: 85044-6471
Country:    US

ReferralServer: rwhois://

NetRange: -
NetName:    GBLX-6C
NetHandle:  NET-208-48-224-0-1
Parent:     NET-208-0-0-0-0
NetType:    Direct Allocation
RegDate:    1999-07-29
Updated:    2009-06-25

RTechHandle: IA12-ORG-ARIN
RTechPhone:  +1-800-404-7714

OrgAbuseHandle: GBLXA-ARIN
OrgAbuseName:   GBLX-Abuse
OrgAbusePhone:  +1-800-404-7714

OrgNOCPhone:  +1-800-404-7714

OrgTechHandle: IA12-ORG-ARIN
OrgTechPhone:  +1-800-404-7714

== Additional Information From rwhois:// ==


trusnock (Author) Commented:
I'm positive.  I'm intimately familiar with our server.  I've already looked at the whois for all of the IP addresses in question, and there is no reason they should be downloading unpublished files from our server.  I've already established that this does not happen when I disable Microsoft SmartScreen or when I use a non-IE browser, so I am quite certain this has something to do with SmartScreen, and not some backup service that I'm not aware of.
trusnock (Author) Commented:
I contacted Microsoft's Policy and Risk Manager for Windows Live Safety Platform, and he acknowledged that these "mystery" IPs are part of the Microsoft SmartScreen Filter system.  The SmartScreen feature in IE sends the URL to Microsoft, and Microsoft's servers queue the URL for evaluation.  This often involves their servers accessing the URL and downloading the file, then scanning it for dangerous content.

It's a little unsettling, and some people might have a problem with it, but it makes sense that their servers would need to learn about the URL and sample it to determine if it should be filtered for future visitors.

trusnock (Author) Commented:
I have now posted the solution, which I found myself.  I think this question would be helpful to others in the future, so I don't think it should be deleted.