
Anti-Virus/Anti-Malware Silent Rules

SOC analysts sometimes overlook the confidentiality threat posed by Anti-Virus (AV) and Anti-Malware (AM) solutions. We have had many painful conversations with third-party security providers and online AV scanners after SOAR platforms automatically uploaded confidential documents without manual user confirmation; you can find yourself having to negotiate the deletion of files that contain business-sensitive information or personally identifiable information.

Florian Roth recently highlighted this point in these tweets:

[Embedded tweet: Florian Roth, tweet 1]

[Embedded tweet: Florian Roth, tweet 2]

Florian Roth then tweeted about the following PDF from Germany's BSI (Federal Office for Information Security) on disabling Microsoft's telemetry: BSI Analyse_Telemetriekomponente_1_2.pdf

This post covers, in English translation, the methods for disabling the telemetry outlined in the above document.

DNS blocking via /etc/hosts

The telemetry hostname list is as follows:

Hostname / Location (only the location column survived; the hostnames are listed in the BSI document):

Ireland (IRL), Dublin
Ireland (IRL), Dublin
Virginia (US), Washington
Virginia (US), Boydton
Netherlands (NL), Amsterdam
California (US), Los Angeles
California (US), Los Angeles
Wyoming (US), Cheyenne
Iowa (US), Des Moines
Virginia (US), Boydton
Washington (US), Redmond

As the address is non-routable, we can simply alter the /etc/hosts file (on Windows: %windir%\System32\drivers\etc\hosts) so that each telemetry hostname resolves to it.

This addition to the hosts file can easily be deployed across an organisation via Group Policy or an orchestration platform such as Ansible or Puppet.
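Whatever tool pushes the change, the hosts-file edit has to be idempotent, or every run appends another copy of the list. The following Python helper is an added example, not code from the BSI document or from Netscylla: it maintains the telemetry entries inside a marked block so repeated runs replace rather than duplicate, and it simulates a hosts-file lookup so the result can be checked offline. The sink address (0.0.0.0) and the hostnames are assumptions; the real list is in the BSI paper.

```python
"""Idempotent hosts-file block manager for telemetry sinkholing (added example)."""
import re

# Assumed sink address: 0.0.0.0 is non-routable, so a connection attempt fails
# immediately rather than hanging on a bogus IP. Not taken from the BSI document.
SINK_ADDRESS = "0.0.0.0"

# Placeholder hostnames constructed for this example; substitute the BSI list.
TELEMETRY_HOSTS = [
    "telemetry.example-placeholder.com",
    "watson.example-placeholder.com",
]

# Markers delimit the managed block so re-runs can find and replace it.
BEGIN = "# BEGIN telemetry-block (managed)"
END = "# END telemetry-block (managed)"


def render_block(hosts, sink=SINK_ADDRESS):
    """Render the managed block: one '<sink> <hostname>' line per unique host."""
    lines = [BEGIN]
    for host in sorted(set(hosts)):
        lines.append(f"{sink} {host}")
    lines.append(END)
    return "\n".join(lines)


def apply_block(existing, hosts, sink=SINK_ADDRESS):
    """Return the hosts-file text with the managed block inserted or replaced.

    Applying this twice with the same list yields identical output, which is
    what Ansible/Puppet-style convergence needs.
    """
    block = render_block(hosts, sink)
    pattern = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END), re.S)
    if pattern.search(existing):
        # lambda avoids backslash processing in the replacement string
        return pattern.sub(lambda _m: block, existing)
    sep = "" if (existing == "" or existing.endswith("\n")) else "\n"
    return existing + sep + block + "\n"


def resolve(hosts_text, hostname):
    """Simulate a hosts-file lookup: comments stripped, first matching line wins."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if hostname.lower() in (p.lower() for p in parts[1:]):
            return parts[0]
    return None


if __name__ == "__main__":
    # Constructed starting content; on a real host read the file instead.
    sample = "127.0.0.1 localhost\n"
    updated = apply_block(sample, TELEMETRY_HOSTS)
    print(updated)
    for host in TELEMETRY_HOSTS:
        print(host, "->", resolve(updated, host))
```

On a real deployment the orchestration task reads the hosts file, passes its content through apply_block, and writes it back only when the result differs; the resolve check is what a post-deployment verification step would run.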

HTTP Proxy Blocking

Another method of blocking Windows telemetry is to add rules to your HTTP proxy. At Netscylla we are fans of the Squid proxy, so here are the translated Squid instructions.

Example with Squid proxy

Insert the list of telemetry hostnames, one domain per line (the format Squid's dstdomain ACL expects; a leading dot matches the domain and all of its subdomains), into the file /etc/squid/telemetry-domains.squid

Next, add the following to your Squid configuration file /etc/squid/squid.conf:

acl telemetry dstdomain "/etc/squid/telemetry-domains.squid"

The final step is to attach a deny rule to the ACL (again in the main Squid config file, /etc/squid/squid.conf). Squid evaluates http_access rules top to bottom and stops at the first match, so this line must come before any http_access allow line that matches your clients:

http_access deny telemetry
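The two things that go wrong with this setup in practice are domain-list entries that do not match the way you expect (exact match versus leading-dot subdomain match) and the deny rule landing after an allow, where it is never reached. The Python below is an added example, not part of the BSI document or Netscylla's tooling: it reproduces Squid's dstdomain matching for a list file and checks a squid.conf fragment for the ordering mistake. The domain file contents and both squid.conf fragments are constructed placeholders.

```python
"""Offline checks for a Squid telemetry deny rule (added example)."""

# Constructed contents of /etc/squid/telemetry-domains.squid. Placeholder
# entries, not the BSI list. Leading dot = this domain and every subdomain.
TELEMETRY_DOMAINS_FILE = """\
# telemetry endpoints (placeholder)
.telemetry.example-placeholder.com
watson.example-placeholder.com
"""

# Constructed squid.conf fragment with the deny placed before the allow.
SQUID_CONF_GOOD = """\
acl localnet src 10.0.0.0/8
acl telemetry dstdomain "/etc/squid/telemetry-domains.squid"
http_access deny telemetry
http_access allow localnet
http_access deny all
"""

# Same rules with the deny after the allow: localnet clients are allowed
# first, so the telemetry deny is never evaluated for them.
SQUID_CONF_BAD = """\
acl localnet src 10.0.0.0/8
acl telemetry dstdomain "/etc/squid/telemetry-domains.squid"
http_access allow localnet
http_access deny telemetry
http_access deny all
"""


def parse_domain_list(text):
    """Return the entries of a dstdomain list file, comments and blanks removed."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def dstdomain_matches(entry, host):
    """Squid dstdomain semantics: '.example.com' matches example.com and any
    subdomain; 'example.com' without the dot matches only that exact name."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        base = entry[1:]
        return host == base or host.endswith("." + base)
    return host == entry


def is_telemetry_host(host, entries):
    """True if the request's destination host hits any entry in the list."""
    return any(dstdomain_matches(e, host) for e in entries)


def deny_precedes_allow(conf, acl_name="telemetry"):
    """Conservative ordering check: the 'http_access deny <acl>' line must
    appear before the first 'http_access allow' line. Squid is first-match,
    so an earlier allow for the same clients would shadow the deny."""
    deny_idx = allow_idx = None
    for i, raw in enumerate(conf.splitlines()):
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        if parts[1] == "deny" and acl_name in parts[2:] and deny_idx is None:
            deny_idx = i
        if parts[1] == "allow" and allow_idx is None:
            allow_idx = i
    return deny_idx is not None and (allow_idx is None or deny_idx < allow_idx)


if __name__ == "__main__":
    entries = parse_domain_list(TELEMETRY_DOMAINS_FILE)
    for host in ("v10.telemetry.example-placeholder.com",
                 "watson.example-placeholder.com",
                 "notwatson.example-placeholder.com"):
        print(host, "denied" if is_telemetry_host(host, entries) else "allowed")
    print("good conf ordering ok:", deny_precedes_allow(SQUID_CONF_GOOD))
    print("bad conf ordering ok:", deny_precedes_allow(SQUID_CONF_BAD))
```

Run the matcher over the hostnames you actually see in your proxy access log before rolling the rule out; an entry without the leading dot silently lets every subdomain through, which is the more common surprise than the ordering one.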


Today we have translated and covered two options for blocking Microsoft's telemetry, the channel through which Defender may upload a confidential file to Microsoft servers for the purposes of malware research. There are many other ways involving different proxies, DNS servers and firewalls. You can easily translate the German BSI document and discover the solution that works best for your organisation. So happy reading!
