Are Microsoft web services safe behind the public IP 209.197.3.8?

We've started getting alerts from Cisco firewalls and Cisco AMP clients related to Microsoft web services (msedge.b.tlu.dl.delivery.mp.microsoft.com, http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disa, http://9.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cadae296-3389-40c2-b927-605f7b399b78?P1=1681513528&) being behind a malicious IP.

Can Microsoft check whether the services behind 209.197.3.8 are safe?

These are logs from Cisco firewalls. We are getting these alerts for all our customers.

Connection Type: FireSIGHT SI Category: Malware 192.168.1.2:55213 (unknown) -> 209.197.3.8:80 (united states) (tcp) Domain: Global


That's a known, published Microsoft Edge update server that devices performing malware scanning of downloads can sometimes trigger on, since these updates can include strings or signatures within them that 3rd-party security products may also detect as malicious.

The following excerpt and URL provide a list of these servers and suggest adding these to allow lists, or in your case as exceptions to malware scanning, since these sorts of false positive detections can always occur when such downloads contain similar signature packs relating to malicious code.

"Locations Microsoft Edge can be downloaded from during an initial install or when an update is available. The download location is determined by the Update Service."

Allow list for Microsoft Edge endpoints | Microsoft Learn

Rob

2 people found this reply helpful
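A triage helper for the alert format quoted in the original post, added here as an example (it is not code from the thread, from Cisco or from Microsoft): it parses FireSIGHT SI event lines and marks destinations found on an analyst-maintained allow list for review as likely false positives rather than dropping them. The allow-list entry and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first line is the event quoted in the original post,
# the other two are constructed (203.0.113.5 is a documentation-range address).
SAMPLE_EVENTS = [
    "Connection Type: FireSIGHT SI Category: Malware 192.168.1.2:55213 (unknown) "
    "-> 209.197.3.8:80 (united states) (tcp) Domain: Global",
    "Connection Type: FireSIGHT SI Category: Malware 192.168.1.7:50112 (unknown) "
    "-> 203.0.113.5:443 (unknown) (tcp) Domain: Global",
    "Connection Type: FireSIGHT SI Category: Malware 192.168.1.9:51000 (unknown) "
    "-> 209.197.3.8:80 (united states) (tcp) Domain: Global",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SI_EVENT = re.compile(
    r"Connection Type:\s*(?P<conn>\S+)\s+SI Category:\s*(?P<category>\S+)\s+"
    rf"(?P<src_ip>{IPV4}):(?P<src_port>\d+)\s+\((?P<src_geo>[^)]*)\)\s+->\s+"
    rf"(?P<dst_ip>{IPV4}):(?P<dst_port>\d+)\s+\((?P<dst_geo>[^)]*)\)\s+"
    r"\((?P<proto>\w+)\)\s+Domain:\s*(?P<domain>\S+)"
)

# Analyst-maintained allow list (assumption: populated by resolving the
# hostnames in the vendor's published endpoint list and re-checked regularly,
# since CDN addresses change).
KNOWN_UPDATE_ENDPOINTS = {
    "209.197.3.8": "Edge update CDN address named in this thread",
}

def parse_event(line):
    """Return the event fields as a dict, or None if the line is not an SI event."""
    m = SI_EVENT.search(line)
    return m.groupdict() if m else None

def triage(lines, known=KNOWN_UPDATE_ENDPOINTS):
    """Classify each event; return ([(dst_ip, dst_port, verdict), ...], hits per dst)."""
    verdicts, hits = [], Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hits[ev["dst_ip"]] += 1
        # An allow-list match lowers priority for review; it is not proof, since
        # the same address may be shared or abused, so the alert is kept.
        verdict = "likely_false_positive" if ev["dst_ip"] in known else "investigate"
        verdicts.append((ev["dst_ip"], int(ev["dst_port"]), verdict))
    return verdicts, hits

if __name__ == "__main__":
    for dst, port, verdict in triage(SAMPLE_EVENTS)[0]:
        print(f"{dst}:{port} -> {verdict}")
```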


Thanks Rob,

Cisco submitted a ticket to the Talos team. We are waiting for a response from them.

Marko


What was their reply?


Hi Microsoft,

I am getting a ton of alerts from a bunch of my client firewalls all pointing to 209.197.3.8 as the problem, but that apparently is used for Microsoft Update. So, false alert I am guessing. Please fix this!


Who should fix what, RAVI?

First, this isn't Microsoft; it's a consumer forum run mostly by volunteers. And the problem isn't with Microsoft, it's with whatever firewalls or other security apps are detecting the Microsoft Edge browser update files as false positives.

Rob


We're seeing malware today (htm email attachments with obfuscated JavaScript) that spins up a Chrome browser and impersonates M365 logins to act as a man-in-the-middle password capture.

It grabs resources from the Microsoft servers as part of its behaviour, including communicating with this HWCDN IP 209.197.3.8.

Submitted to VirusTotal, Microsoft, and others.

Only Kaspersky and ZoneAlarm currently report it as a trojan on VirusTotal.

(Any chance of an easy way to quarantine all "script" and "input" containing HTML email and attachments, Microsoft?)

1 person found this reply helpful


Cisco support has been informed about these events.

Support escalated the case to the Talos team.

This was the Talos answer:

"This appears to be a shared IP address. It's possible that this IP address is used for legitimate services, however it is likely getting abused by malicious actors. This IP address was exhibiting signs of malicious activity and was thereby added to the Talos blocklist".

This is something that Microsoft needs to deal with.

1 person found this reply helpful


Dump that useless Cisco crap.

Anyone with that bad of an operations group that they can't understand the information I provided to you regarding the fact these signature detections are occurring within portions of the Microsoft Edge browser updates is obviously not worth paying for their 'protection'.

On top of that, the Microsoft document I referenced about this IP address in my first post above indicates that these are official Microsoft servers, so the idea that these are 'shared' IPs with anyone outside Microsoft is ludicrous. In fact, it's more likely that they are operating from a [possibly 3rd-party] CDN, since virtually all Microsoft update services have been operating in this way for decades now, so that's possibly why a less than knowledgeable technical group might misunderstand these IPs as 'shared'.

I spent 20 years as a network administrator and the rest of my career a security professional in engineering education, Whitebox manufacturing and 3rd-party security firms, often dealing with similar issues myself with the antivirus and firewall security app portions of 3rd-party vendors.

These products are notorious for detecting the signatures from other products and occasionally even their own as the malware they are intended to detect, since obviously the industry practice of sharing malware signature data between providers means they'll detect each other's signature packs when not obfuscated.

I learned long ago to either disable these firewall-based antivirus products or be prepared to spend lots of time chasing ghosts, since at the time whitelisting individual source IPs was difficult if not impossible.

It's up to you how you choose to deal with this, but Microsoft has nothing to 'fix', since the problem is with another company's product that's doing an obviously stupid thing, since literally millions of Microsoft Edge installations around the world are receiving exactly the same malware detection packs and having no difficulty with their delivery or we'd be seeing many thousands of such reports from other 3rd-party product users here as well.

Try to think logically, which scenario actually makes sense?

And for future reference, you're posting in a Microsoft Community forum for consumers that typically doesn't try to handle such questions, since to most volunteers and contractors helping here these commercial issues are outside their areas of expertise. I just answered the initial post since as a past admin/security professional, the true issue was obvious.

However, I'll now direct you instead to the Microsoft Learn - Q&A forums where you should be posting instead, so all of the administrators and other professionals there can tell you the same things I already have.

Questions - Microsoft Q&A

Related note: I just did a search and, though it isn't related to this particular Microsoft server, someone posted at the Cisco Community with a similar issue of false detections on both Adobe and Eset servers. Please note that the answer from a Cisco Community VIP Advisor was to create a list of whitelisted URLs not to perform inspection on, including those of Microsoft, Apple, Cisco, Adobe, etc. You might want to post your query there as well, since those are people truly in the field, not some back room at a vendor.

IPS False positives on Malware signatures - Cisco Community

Rob

2 people found this reply helpful


I'm deeply convinced of your authority and I'm not so skilled as to object to anything.
The problem is that unidentified sources from the Darknet are convinced that the IP in question is connected, in a way that's not clarified, with a second generation of info-stealer software sold nowadays on those obscure markets.
I agree with you that tampering with port 80 is so visible that I can't comprehend the strategy, if it exists.
Furthermore, blocking this IP does not create problems for Edge updates in any of its channels.
If you change IP address the tampering disappears for a while or even for a day, then starts back again, and no evident side effects occur if you block it.
The same happens with 204.79.197.203, which someone thinks may be related to Ursnif/Gozi, or 72.21.81.240, manipulated, according to another dark commentator, by the "Turla" crew.
Maybe some Edge "add-ons" may use these MS Azure/CDN legitimate addresses as a proxy.
Anyway, nothing happened to me, and my data has not been exposed in any relevant breach report.
After the "SolarWinds" case, which crossed an important security red line, people in admin positions are ever more nervous.

Let's take it a little easier.

Stefy
ICT with Passion


Let me state what I said in my post above more clearly for those here who still don't get it.

These forums aren't monitored by Microsoft internal management and are intended for consumer users, so this subject won't receive any recognition from Microsoft itself here.

For that reason, anyone who still believes that network-based monitoring for malware targeted at end-user devices is a good idea (my bias based on a history as an administrator and security professional should be clear by now) should instead be posting to the Microsoft Learn - Q&A forums, since those are manned by at least a few true Microsoft employees, as well as visited by other IT employees from various companies.

I don't know which Q&A forum might be the best choice, so I've simply linked to the top-level entry point and leave it to you to determine that for yourself.

To clarify my statements about network-based malware detection further, I was employed at firms that sold both Cisco and 3rd-party firewall/content management devices during my career and saw little but false positive detections and management hassles, while due to constantly changing encryption techniques, only a tiny handful of the malicious attacks passing through these devices were detected anyway. The nearly constant chasing down of false positive and other problematic management issues eventually convinced me that the only appropriate place to attempt to manage malware is the end-point device, since that's what you're truly attempting to protect.

I don't know whether the detections you're receiving via this Cisco notification are accurate or not, but as an administrator I would have cared less, since even in the early 2000's roughly half of my managed devices were regularly operating outside the organization's network perimeter, so I'd have needed to protect those devices from the same potential attacks despite not having this additional protection. Thus, for me, the network-based malware detection simply added useless overhead attempting to explain issues similar to this one, while at the same time the end-point detection performed relatively effectively and silently, doing precisely what it was intended to do.

So, make your own choice. Continue chasing down this potential malware, or ghost, for Cisco, or concentrate on the end-point protection that's truly your last line of defense and thus far more critical regardless of whether the network-based protection manages to catch a small percentage of these items before they reach the intended target.

Rob



Question Info

Last updated February 12, 2024. Views: 6,259.