asked on
Trojan Blocked on My firewall help
Hi I have noticed this on my firewall. I have checked IP and it belongs Azure Microsoft what is going here?
![trojan---Copy.JPG]()
SecurityNetwork SecurityWindows OS
Last Comment
Kimputer
13.107.4.50 is a Microsoft site (whois lookup) and the local computer may simply be looking for Microsoft.
Have you scanned this machine for malware? Scan also with Malwarebytes.
Have you scanned this machine for malware? Scan also with Malwarebytes.
ASKER
So it could be false positive ?
as on this time I was doing the windows updates on this machine
I'm running malwerbytes now
as on this time I was doing the windows updates on this machine
I'm running malwerbytes now
Yes, it could be a false positive.
While it's unfortunate this MS IP nr is (or apparently WAS) used as a Windows Update server, there are still signs that something is amiss. According to VirusTotal, quite some malware from the past day have been malware that tries to communicate with this IP nr (I assume someone probably hacked it, to redistribute malware or to use it as a Command & Control center. Could even be a typo on the hackers part).
Therefore, the assumption that you in fact have malware on this server/PC on that local IP nr is quite easy to make. The false positive assumption is sadly because this IP nr belongs to MS, if wouldn't even come up if it was an unknown Russian IP.
https://www.virustotal.com/en/ip-address/13.107.4.50/information/ (this is the part I'm talking about: Latest detected files that communicate with this IP address
Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.)
Therefore, the assumption that you in fact have malware on this server/PC on that local IP nr is quite easy to make. The false positive assumption is sadly because this IP nr belongs to MS, if wouldn't even come up if it was an unknown Russian IP.
https://www.virustotal.com/en/ip-address/13.107.4.50/information/ (this is the part I'm talking about: Latest detected files that communicate with this IP address
Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.)
ASKER
Kimputer
"Therefore, the assumption that you in fact have malware on this server/PC on that local IP nr is quite easy to make. The false positive assumption is sadly because this IP nr belongs to MS, if wouldn't even come up if it was an unknown Russian IP."
Sorry but I don't get it, please could you explain this for me more clearly please
"Therefore, the assumption that you in fact have malware on this server/PC on that local IP nr is quite easy to make. The false positive assumption is sadly because this IP nr belongs to MS, if wouldn't even come up if it was an unknown Russian IP."
Sorry but I don't get it, please could you explain this for me more clearly please
I was doing the windows updates on this machine <-- And your machine would be going out to Microsoft to do this.
VirusTotal received a lot of malware today. They take the malware, and run it (in a sandbox). They found out, more than a bunch of that malware submitted today, will look for that server 13.107.4.50 to get info or download stuff (not important for now).
The question now is, did your firewall block on the logic of:
- I scanned this traffic, it's bad traffic, there's malware talking on this 13.107.4.50 <> 192.168.0.151 line,
I'll block it now
THEN your PC has malware
OR
- I scanned this traffic, and in some database, it marked IP 13.107.4.50 as bad. I don't even care if it's for MS updates, I'll just mark it as bad anyway. Could be even just normal traffic.
THEN it's a false positive.
For now, I'm leaning more towards malware, it looks more like the server at 13.107.4.50 has been taken offline, probably to investigate these reports:
<h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p>Ref A: FBABD80FECD2466DBF25A80EFC
The question now is, did your firewall block on the logic of:
- I scanned this traffic, it's bad traffic, there's malware talking on this 13.107.4.50 <> 192.168.0.151 line,
I'll block it now
THEN your PC has malware
OR
- I scanned this traffic, and in some database, it marked IP 13.107.4.50 as bad. I don't even care if it's for MS updates, I'll just mark it as bad anyway. Could be even just normal traffic.
THEN it's a false positive.
For now, I'm leaning more towards malware, it looks more like the server at 13.107.4.50 has been taken offline, probably to investigate these reports:
<h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p>Ref A: FBABD80FECD2466DBF25A80EFC
ASKER
Yes John that correct and actually it did not update one windows update.
ASKER
I have scanned this PC with Malwerbytes and Trend its clean.
What else can I do?
What else can I do?
Put it down for a while (say until tomorrow). Then try updating Windows again and see what you get.
Finish one with more offline scan (antivirus boot dvd/usb).
ASKER
Okay which one ?
> 13.107.4.50 is a Microsoft site (whois lookup) and the local computer may simply be looking for Microsoft.
you can't believe this IP is safe simply because its owner is Microsoft.
the IP range from 13.64.0.0 to 13.107.255.255 (2,883,584 IPs!) is for MS Azure hence heaps of third party cloud based services, including malware services, are running there though its ultimate owner is Microsoft.
you can't believe this IP is safe simply because its owner is Microsoft.
the IP range from 13.64.0.0 to 13.107.255.255 (2,883,584 IPs!) is for MS Azure hence heaps of third party cloud based services, including malware services, are running there though its ultimate owner is Microsoft.
ASKER
Okay so what else should I do?
Format this computer ?
Format this computer ?
Turn the computer off, try a different computer out the same firewall. See if you get the same results.
If not, consider formatting the computer.
If Windows 7, use the recent rollup site to get most of the updates after SP1.
https://support.microsoft.com/en-ca/kb/3125574
If not, consider formatting the computer.
If Windows 7, use the recent rollup site to get most of the updates after SP1.
https://support.microsoft.com/en-ca/kb/3125574
only Bkav (1/55) is flagging it as a virus.. and it is a windows defender update signed by microsoft authenticode. It is a false positive.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Though, try to find out who initiated it (of course, probably the person behind that PC or server), but try to figure out, if it was an email, or something else that lead the user to click on the URL or executable.
Of course, it _COULD_ also mean the Trojan was already on that PC, and it just connected to that IP to look for new commands to execute. In that case, you have to take that PC/server offline, and do a full scan.