Trojan Blocked on My firewall help

Hi I have noticed this on my firewall. I have checked IP and it belongs Azure Microsoft what is going here?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

For now, I'm just assuming one PC/server on your network with IP nr is trying to get the Agent.FL/Trojan executable on that server. And it probably failed, so it's all good.
Though, try to find out who initiated it (of course, probably the person behind that PC or server), but try to figure out, if it was an email, or something else that lead the user to click on the URL or executable.
Of course, it _COULD_ also mean the Trojan was already on that PC, and it just connected to that IP to look for new commands to execute. In that case, you have to take that PC/server offline, and do a full scan.
JohnBusiness Consultant (Owner)Commented: is a Microsoft site (whois lookup) and the local computer may simply be looking for Microsoft.

Have you scanned this machine for malware?  Scan also with Malwarebytes.
yodaaAuthor Commented:
So it could be false positive ?

as on this time I was doing the windows updates on this machine

I'm running malwerbytes now
Virus Depot: Cyber Crime Becomes Big Business

The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. View our webinar recording to learn how to best defend against these attacks!

JohnBusiness Consultant (Owner)Commented:
Yes, it could be a false positive.
While it's unfortunate this MS IP nr is (or apparently WAS) used as a Windows Update server, there are still signs that something is amiss. According to VirusTotal, quite some malware from the past day have been malware that tries to communicate with this IP nr (I assume someone probably hacked it, to redistribute malware or to use it as a Command & Control center. Could even be a typo on the hackers part).
Therefore, the assumption that you in fact have malware on this server/PC on that local IP nr is quite easy to make. The false positive assumption is sadly because this IP nr belongs to MS, if wouldn't even come up if it was an unknown Russian IP. (this is the part I'm talking about: Latest detected files that communicate with this IP address
Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.)
yodaaAuthor Commented:

"Therefore, the assumption that you in fact have malware on this server/PC on that local IP nr is quite easy to make. The false positive assumption is sadly because this IP nr belongs to MS, if wouldn't even come up if it was an unknown Russian IP."

Sorry but I don't get it, please could you explain this for me more clearly please
JohnBusiness Consultant (Owner)Commented:
I was doing the windows updates on this machine  <-- And your machine would be going out to Microsoft to do this.
VirusTotal received a lot of malware today. They take the malware, and run it (in a sandbox). They found out, more than a bunch of that malware submitted today, will look for that server to get info or download stuff (not important for now).
The question now is, did your firewall block on the logic of:
- I scanned this traffic, it's bad traffic, there's malware talking on this <> line,
I'll block it now
THEN your PC has malware


- I scanned this traffic, and in some database, it marked IP as bad. I don't even care if it's for MS updates, I'll just mark it as bad anyway. Could be even just normal traffic.
THEN it's a false positive.

For now, I'm leaning more towards malware, it looks more like the server at has been taken offline, probably to investigate these reports:

<h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p>Ref A: FBABD80FECD2466DBF25A80EFC62A66D Ref B: 56574FD253F08480EBE49E94638C097F Ref C: Fri Jul 15 08:38:46 2016 PST
yodaaAuthor Commented:
Yes John that correct and actually it did not update one windows update.
yodaaAuthor Commented:
I have scanned this PC with Malwerbytes and Trend its clean.
What else can I do?
JohnBusiness Consultant (Owner)Commented:
Put it down for a while (say until tomorrow). Then try updating Windows again and see what you get.
Finish one with more offline scan (antivirus boot dvd/usb).
yodaaAuthor Commented:
Okay which one ?
bbaoIT ConsultantCommented:
> is a Microsoft site (whois lookup) and the local computer may simply be looking for Microsoft.

you can't believe this IP is safe simply because its owner is Microsoft.

the IP range from to (2,883,584 IPs!) is for MS Azure hence heaps of third party cloud based services, including malware services, are running there though its ultimate owner is Microsoft.
yodaaAuthor Commented:
Okay so what else should I do?

Format this computer ?
JohnBusiness Consultant (Owner)Commented:
Turn the computer off, try a different computer out the same firewall. See if you get the same results.

If not, consider formatting the computer.

If Windows 7, use the recent rollup site to get most of the updates after SP1.
David Johnson, CD, MVPOwnerCommented:
only Bkav (1/55) is flagging it as a virus.. and it is a windows defender update signed by microsoft authenticode. It is a false positive.
It would be a false positive if most Windows update servers were reported (not where you're looking, I already explained I looked at "Latest detected files that communicate with this IP address". However, I checked others, and they're clean (or at least for this year). It clearly means this server was targeted for whatever reason, and it's too much of a coincidence that the server was taken offline, while the reports of analyzed malware keep trying to connect to it.
It's more likely the firewall detected the malware connection, than having it mark the connection as a false positive. If it wasn't a firewall, but the virus scanner, you maybe could argue it could be a false positive IF IT used the same engine Bkav engine, but it's not a virus scanner, it was the traffic that alerted the firewall.
Original asker can confirm this, if the Firewall works in conjunction with antivirus INSTALLED on the computer. If there's no such software, the firewall can't detect the malware, only the traffic, meaning, it's not a false positive, it really scanned the traffic only and that fired off the alert.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.