Magnify Image

Anti-Virus/Anti-Malware Silent Rules

Sometimes SOC analysts forget about the confidentiallity threat from Anti-Virus(AV) and Anti-Malware(AM) solutions. Having had many painful converstations with 3rd party security providers and online AV scanners when SOAR platfroms have automatically uploaded confidential documents without manual user confirmation. You can find yourself having to negociate the deletion of files that contain business sensitive information or personal identifying information.

Florian Roth recently highlight this point in these tweets:

Florian tweet1

Florian tweet2

Florian Roth then tweeted about the following PDF from Germany’s BSI group about disabling Microsofts Telemetrics BSI Analyse_Telemetriekomponente_1_2.pdf

This post will cover the english translation on disabling the telemetrics outlined in the above document.

DNS blocking via /etc/hosts

The telemetry hostname list is as follows:

Hostname Location
geo.settings-win.data.microsoft.com.akadns.net, db5-eap.settings-win.data.microsoft.com.akadns.net, settings-win.data.microsoft.com, db5.settings-win.data.microsoft.com.akadns.net, asimov-win.settings.data.microsoft.com.akadns.net Ireland (IRL), Dublin
db5.vortex.data.microsoft.com.akadns.net, v10-win.vortex.data.microsoft.com.akadns.net, geo.vortex.data.microsoft.com.akadns.net, v10.vortex-win.data.microsoft.com Ireland (IRL), Dublin
v10.events.data.microsoft.com, v20.events.data.microsoft.com Virginia (US), Washington
us.vortex-win.data.microsoft.com Virginia (US), Boyton
eu.vortex-win.data.microsoft.com Netherlands (NL), Amsterdam
vortex-win-sandbox.data.microsoft.com California (US), Los Angeles
alpha.telemetry.microsoft.com California (US), Los Angeles
oca.telemetry.microsoft.com Wyoming (US), Cheyenne
ceuswatcab01.blob.core.windows.net ceuswatcab02.blob.core.windows.net Iowa (US), Des Moines
eaus2watcab01.blob.core.windows.net eaus2watcab02.blob.core.windows.net Virginia (US), Boydton
weus2watcab01.blob.core.windows.net weus2watcab02.blob.core.windows.net Washington (US), Redmond

As 0.0.0.0 is a non-routable address we can simply alter the /etc/hosts file (%windir%\system32\drivers\etc\ hosts)

0.0.0.0 geo.settings-win.data.microsoft.com.akadns.net 
0.0.0.0 db5-eap.settings-win.data.microsoft.com.akadns.net 
0.0.0.0 settings-win.data.microsoft.com
0.0.0.0 db5.settings-win.data.microsoft.com.akadns.net
0.0.0.0 asimov-win.settings.data.microsoft.com.akadns.net
0.0.0.0 db5.vortex.data.microsoft.com.akadns.net
0.0.0.0 v10-win.vortex.data.microsoft.com.akadns.net
0.0.0.0 geo.vortex.data.microsoft.com.akadns.net
0.0.0.0 v10.vortex-win.data.microsoft.com
0.0.0.0 v10.events.data.microsoft.com
0.0.0.0 v20.events.data.microsoft.com
0.0.0.0 us.vortex-win.data.microsoft.com
0.0.0.0 eu.vortex-win.data.microsoft.com
0.0.0.0 vortex-win-sandbox.data.microsoft.com
0.0.0.0 alpha.telemetry.microsoft.com
0.0.0.0 oca.telemetry.microsoft.com
0.0.0.0 ceuswatcab01.blob.core.windows.net
0.0.0.0 ceuswatcab02.blob.core.windows.net
0.0.0.0 eaus2watcab01.blob.core.windows.net
0.0.0.0 eaus2watcab02.blob.core.windows.net
0.0.0.0 weus2watcab01.blob.core.windows.net
0.0.0.0 weus2watcab02.blob.core.windows.net

This addition to the /etc/hosts file can easily be deployed through an organisation via “Group Policy” or a Orchestration platfrom such as Ansible or Puppet.

HTTP Proxies Blocking

Another method of blocking Windows telemetry, this by adding rules to your HTTP proxy. At Netscylla we are fans of Squid proxy, so here are the translated Squid instructions.

Example with squid proxy

Insert the data below into the file: /etc/squid/telemetry-domains.squid

geo.settings-win.data.microsoft.com.akadns.net
db5-eap.settings-win.data.microsoft.com.akadns.net
settings-win.data.microsoft.com
db5.settings-win.data.microsoft.com.akadns.net
asimov-win.settings.data.microsoft.com.akadns.net
db5.vortex.data.microsoft.com.akadns.net
v10-win.vortex.data.microsoft.com.akadns.net
geo.vortex.data.microsoft.com.akadns.net
v10.vortex-win.data.microsoft.com
v10.events.data.microsoft.com
v20.events.data.microsoft.com
us.vortex-win.data.microsoft.com
eu.vortex-win.data.microsoft.com
vortex-win-sandbox.data.microsoft.com
alpha.telemetry.microsoft.com
oca.telemetry.microsoft.com
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net

Next add the following into your squid configuration file /etc/squid/squid.conf:

acl telemetry dstdomain “/etc/squid/telemetry-domains.squid”

Final step, is to enable the deny rule to the acl (again in the main squid config file) /etc/squid/squid.conf :

http_access deny telemetry

Conclusion

Today we have translated and covered two options of blocking Microsofts telemetrics, where Defender may upload a confidential file to Microsoft servers, for the purposes of malware research. There are many other ways involving different proxies, DNS servers, and Firewalls. You can easily translate the German BSI document and discover the solution that best works for your organisation. So happy reading!


Share on: