Author Topic: Botnet:Blacklist  (Read 1992 times)


Offline Paul Blueberry

  • Jr. Member
  • **
  • Posts: 41
Botnet:Blacklist
« on: August 16, 2024, 03:25:14 PM »
Today I got this alert 5 times in an hour. The Process varies.
  • Threat name: Botnet:Blacklist.
  • URL: tcp://40.127.240.158:443 (VirusTotal links: IP, HTTPS)
  • Process: C:\Windows\System32\svchost.exe, C:\Windows\UUS\Packages\Preview\amd64\MoUsoCoreWorker.exe, C:\Windows\System32\taskhostw.exe
  • Detected by: Web Shield
  • Status: Connection aborted
How to get rid of this?



Visiting https://40.127.240.158 gives a certificate error. The certificate is not issued to this domain name, but to settings.data.microsoft.com. Pinging this pings several IP addresses. Sometimes it is the IP address in question. Examples (each line is the first line of the output of ping settings.data.microsoft.com):

Code:
Pinging settings-prod-neu-1.northeurope.cloudapp.azure.com [40.127.240.158] with 32 bytes of data:
Pinging settings-prod-neu-2.northeurope.cloudapp.azure.com [51.104.136.2] with 32 bytes of data:
Pinging settings-prod-neu-3.northeurope.cloudapp.azure.com [4.231.128.59] with 32 bytes of data:
« Last Edit: August 16, 2024, 08:18:02 PM by Paul Blueberry »
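An offline way to reproduce the checks described in the post above, as an added example (not code from the forum, from Avast or from Microsoft): parse the alert URL, turn the first lines of the ping output into a map of resolved IPs, and compare the name the certificate was issued to against the hostname. The alert fields, ping lines and certificate name are taken from the post; the third alert (a TEST-NET-3 address and a path under Temp), the field names and the verdict labels are constructed assumptions for contrast. A "likely-false-positive" verdict is a reason to report the sample to the vendor, not to add an exclusion.

```python
import re

# Constructed from the post: the alert fields, the first lines of
# `ping settings.data.microsoft.com`, and the name on the certificate served
# at the flagged IP. The third alert is invented for contrast (TEST-NET-3
# address, user-writable path) and does not appear in the post.
HOSTNAME = "settings.data.microsoft.com"
CERT_NAMES = {"40.127.240.158": "settings.data.microsoft.com"}  # observed per IP
PING_LINES = [
    "Pinging settings-prod-neu-1.northeurope.cloudapp.azure.com [40.127.240.158] with 32 bytes of data:",
    "Pinging settings-prod-neu-2.northeurope.cloudapp.azure.com [51.104.136.2] with 32 bytes of data:",
    "Pinging settings-prod-neu-3.northeurope.cloudapp.azure.com [4.231.128.59] with 32 bytes of data:",
]
ALERTS = [
    {"threat": "Botnet:Blacklist", "url": "tcp://40.127.240.158:443",
     "process": r"C:\Windows\System32\svchost.exe"},
    {"threat": "Botnet:Blacklist", "url": "tcp://40.127.240.158:443",
     "process": r"C:\Windows\UUS\Packages\Preview\amd64\MoUsoCoreWorker.exe"},
    {"threat": "Botnet:Blacklist", "url": "tcp://203.0.113.7:8080",       # constructed
     "process": r"C:\Users\paul\AppData\Local\Temp\updater.exe"},         # constructed
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
URL_RE = re.compile(rf"^(?P<proto>[a-z]+)://(?P<ip>{IPV4}):(?P<port>\d{{1,5}})$")
PING_RE = re.compile(rf"^Pinging (?P<target>\S+) \[(?P<ip>{IPV4})\] with \d+ bytes of data:$")


def parse_alert_url(url):
    """Split 'tcp://40.127.240.158:443' into (proto, ip, port)."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError(f"unexpected alert URL: {url!r}")
    return m["proto"], m["ip"], int(m["port"])


def parse_ping_first_lines(lines):
    """Map each IP that ping resolved to the target name it printed (the CNAME)."""
    resolved = {}
    for line in lines:
        m = PING_RE.match(line.strip())
        if m:
            resolved[m["ip"]] = m["target"]
    return resolved


def is_windows_system_path(path):
    """True for binaries under C:\\Windows (a necessary, not a sufficient, sign)."""
    return path.lower().replace("/", "\\").startswith("c:\\windows\\")


def cert_name_matches(cert_name, hostname):
    """Exact match, or a single-label wildcard such as *.data.microsoft.com."""
    if not cert_name:
        return False
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == cert_name[2:]
    return cert_name == hostname


def triage(alert, hostname, resolved, cert_names):
    """Combine the post's checks into one record per alert."""
    proto, ip, port = parse_alert_url(alert["url"])
    findings = {
        "ip_resolves_from_hostname": ip in resolved,
        "cert_issued_for_hostname": cert_name_matches(cert_names.get(ip), hostname),
        "process_under_windows_dir": is_windows_system_path(alert["process"]),
        "tcp_443": proto == "tcp" and port == 443,
    }
    if all(findings.values()):
        verdict = "likely-false-positive"   # consistent with the known hostname: report to vendor
    elif not findings["ip_resolves_from_hostname"] and not findings["process_under_windows_dir"]:
        verdict = "investigate"             # unknown IP reached from a user-writable path
    else:
        verdict = "inconclusive"
    return {"threat": alert["threat"], "ip": ip, "cname": resolved.get(ip),
            "findings": findings, "verdict": verdict}


def run_triage(alerts=ALERTS, hostname=HOSTNAME, ping_lines=PING_LINES, cert_names=CERT_NAMES):
    """Triage every alert against the resolution map built from the ping lines."""
    resolved = parse_ping_first_lines(ping_lines)
    return [triage(a, hostname, resolved, cert_names) for a in alerts]


if __name__ == "__main__":
    for r in run_triage():
        print(f"{r['ip']:<16} {r['verdict']:<22} cname={r['cname']}")
```

The DNS answer and the certificate name are independent pieces of evidence: a resolver answer alone can change or be tampered with, which is why the post's certificate observation is checked separately and both must agree before the alert is treated as a likely false positive.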

Offline chris...

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3040
Re: Botnet:Blacklist
« Reply #1 on: August 16, 2024, 11:33:00 PM »
It would appear that avast has recently detected a botnet threat on several (legitimate) Windows executables.
In the French forum:
https://forum.avast.com/index.php?topic=328364.0
Try sending these executables to avast to check whether they are false positives:
https://www.avast.com/report-false-positive#pc

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: Botnet:Blacklist
« Reply #2 on: August 17, 2024, 12:22:30 AM »
This wouldn't be the first time that svchost.exe has been misused in this way.  Being a system file, commonly it will get through because of it being a signed system file.

I have to wonder what it is that is misusing the svchost.exe file in this way.

That said, the IP given by 'Paul Blueberry' is for Microsoft Azure in Dublin, Leinster, D02, Ireland, according to an IP check.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline chris...

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3040
Re: Botnet:Blacklist
« Reply #3 on: August 17, 2024, 02:08:12 PM »
Quote from: Paul Blueberry
.... The Process varies....

The alert isn't just for the svchost.exe process, but for loads of other Windows processes (devicecensus, taskhostw, ruximics, etc.), all more or less linked to MS telemetry and/or data logging.
These false positives? (avast/avg) are the subject of numerous comments on Reddit.


I'm thinking more of a problem with the monthly Windows update last Tuesday; it wouldn't be the first time that avast has had problems just after the Windows update.
« Last Edit: August 17, 2024, 02:11:04 PM by chris... »

Offline Paul Blueberry

  • Jr. Member
  • **
  • Posts: 41
Re: Botnet:Blacklist
« Reply #4 on: August 17, 2024, 09:53:58 PM »
I got only those 5 alerts yesterday. Fortunately no more.

Anyhow, is there a way to filter them? Say, if Threat name = Botnet:Blacklist and URL = tcp://40.127.240.158:443, then don't alert me.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: Botnet:Blacklist
« Reply #5 on: August 18, 2024, 01:16:02 AM »
Adding an exclusion would leave you at risk (if this isn't legit) and possibly not what you are seeking.
As chris... mentions, there are legit uses for svchost.exe connecting to the internet; you could report it as a possible false positive.

However as I said that IP is located in Dublin, Leinster, D02, Ireland. It is assigned to the ISP Microsoft Azure.

Given the connection is initiated by svchost.exe, I would wonder why it is connecting to that IP. Would you have any MS software that might be using Microsoft Azure?
Quote from: TCP protocol
What is TCP? Transmission Control Protocol (TCP) is a communications standard that enables application programs and computing devices to exchange messages over a network. It is designed to send packets across the internet and ensure the successful delivery of data and messages over networks.

Does that ring any bells e.g. delivery/exchange of data/messages.
Quote from: Azure
Azure, also known as Microsoft Azure, is a cloud computing platform and a suite of cloud services offered by Microsoft. It provides a wide range of cloud-based services and solutions that enable organizations to build, deploy, and manage applications and services through Microsoft's global network of data centers.

Offline Paul Blueberry

  • Jr. Member
  • **
  • Posts: 41
Re: Botnet:Blacklist
« Reply #6 on: August 18, 2024, 03:10:33 PM »
Suppose I accept the risk. Will I get an answer?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: Botnet:Blacklist
« Reply #7 on: August 18, 2024, 06:15:58 PM »
Quote from: Paul Blueberry
Suppose I accept the risk. Will I get an answer?

An answer from whom ?
If your only action is to set an exclusion you won't get anything. Have you reported it as a possible false positive, as suggested by chris... in reply #1?

Offline Paul Blueberry

  • Jr. Member
  • **
  • Posts: 41
Re: Botnet:Blacklist
« Reply #8 on: August 18, 2024, 10:41:02 PM »
I think this means no, you won't answer it. Maybe someone else?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: Botnet:Blacklist
« Reply #9 on: August 19, 2024, 01:13:05 AM »
Quote from: Paul Blueberry
I think this means no, you won't answer it. Maybe someone else?

You weren't specific on where you were hoping to get an answer, or if you had sought it out.

The answer is already in the topic, "Adding an exclusion would leave you at risk (if this isn't legit) and possibly not what you are seeking."
If 'you accept the risk' by adding an exclusion.



Offline Paul Blueberry

  • Jr. Member
  • **
  • Posts: 41
Re: Botnet:Blacklist
« Reply #10 on: August 19, 2024, 05:33:20 PM »
Your post can be easily misunderstood. My question was "is there a way to filter them?". You answered "Adding an exclusion would leave you at risk", which sounds like you ignored my question, focused on the context of it (it's a good idea to filter them) and replied to that (it's a bad idea, don't do that, it's risky). You didn't answer whether there is a way to filter them or not. My understanding of your answer was that you don't know, but you also don't care, whether they can be filtered or not; anyway I should accept that it would be a bad idea to filter them, and since it's a bad idea, the question "how to filter?" can be ignored.

Subsequently, I stressed that I don't want the question to be ignored based on invalidating the context of it. You didn't want to answer again.

Then I turned to other people in a new topic, dedicated to this question only. They answered it, without digressing to related topics, like is it good or bad.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: Botnet:Blacklist
« Reply #11 on: August 19, 2024, 06:05:25 PM »
Adding an exclusion as mentioned is one way to exclude/filter, the other topic confirms that, within Avast there is no other way and it isn't without risk.

On a publicly available forum any advice given should always mention the risk involved in adding an exclusion.

Offline chris...

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3040
Re: Botnet:Blacklist
« Reply #12 on: August 19, 2024, 10:07:19 PM »
I think you've got the wrong end of the stick.
As I said on the other subject, Paul Blueberry wasn't so much waiting to know what to do, but how to do it, i.e. to obtain a FAQ on the procedure for placing a file under exclusion ... now that he knows the risks, he's free to do what he wants.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: Botnet:Blacklist
« Reply #13 on: August 19, 2024, 10:37:19 PM »
I have only responded to what has been directly asked (which hasn't always been clear) - and that still amounts to adding an exclusion - which isn't rocket science.

Offline Paul Blueberry

  • Jr. Member
  • **
  • Posts: 41
Re: Botnet:Blacklist
« Reply #14 on: August 20, 2024, 04:03:35 PM »
No, you didn't answer directly. You ignored the question and digressed. Let's clarify. Saying "Adding an exclusion would leave you at risk" (link) doesn't mean to me that there is a way to add exclusions (which you forgot to mention how to do, despite that being the question), when I'm asking whether there is a way to add exclusions.

It was very hard to communicate with you. Please, mind your English. Look carefully, what's been written.

As for the rocket science: I just looked at the wrong place in the app, didn't find it there, and thought I'd ask on the forum. Getting information from Google is sometimes easy, sometimes hard. I had the wrong term in mind. Googling for "Avast filter alerts" gives you nothing, whereas searching for "Avast exceptions" directs you to the answer in the first result.

Anyway, thank you all for your help. It's sad that Avast can't set the filters/rules I desired. Fortunately, the need for them ended soon.
« Last Edit: August 20, 2024, 04:16:38 PM by Paul Blueberry »