Why does Microsoft want to call home?

David Sherman

I downloaded all the patches yesterday.

One patch, or was it MS Defender, wanted to call home:

A file called MPCmdRun.exe wanted to call 207.46.236.88

WHY?

WhoIs Lookup performed by Karen's WhoIs
http://www.karenware.com/

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET
NetHandle: NET-207-46-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate: 1997-03-31
Updated: 2004-12-09
RTechHandle: ZM39-ARIN
RTechName: Microsoft
RTechPhone: +1-425-882-8080
RTechEmail: (e-mail address removed)

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: (e-mail address removed)

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: (e-mail address removed)

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: (e-mail address removed)

OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: (e-mail address removed)

OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: (e-mail address removed)

# ARIN WHOIS database, last updated 2006-02-14 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Here is the MpCmdRun.log file:

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows
Defender\MpCmdRun.exe" Scan -ScanType config -Privileges restricted
Start Time: Wed Feb 15 01:32:00 2006


Start: MpScan(MP_ANTISPYWARE, dwOptions=1)
Start: MpSignatureUpdate()
Update started (Type:Scheduled)

SearchStarted...Search Completed with hr: 0x00000000

Update completed succesfuly . no updates needed (hr:0x00000001)

Finish: MpSignatureUpdate()
MpCmdRun: End Time: Wed Feb 15 01:32:29 2006

-------------------------------------------------------------------------------------
 
Guest

It wanted to download updates to the spyware definitions... I'm surprised, with
all the knowledge it seems you have (that was nice detective work there), that
you wouldn't see a need for it to download definitions like anti-virus. If
you are only protected from spyware made last year you might as well not even
bother running it... it has to update.
 
Bill Sanderson

Did you choose to participate in Spynet?

It wouldn't surprise me if the app reported getting the update--Windows
Defender signature updates can be part of a collection of patches offered by
AutoUpdate or WindowsUpdate, depending on how the timing works.
 
David Sherman

No Spynet for me.

Bill Sanderson said:
Did you choose to participate in Spynet?

It wouldn't surprise me if the app reported getting the update--Windows
Defender signature updates can be part of a collection of patches offered by
AutoUpdate or WindowsUpdate, depending on how the timing works.
 
Guest

WD's update uses windows update service, itself managed by svchost.exe. In ZA
this shows as Generic Host Processes for Win32 services. If you have that
with a green tick on internet access you won't get an alert when checking for
updates.

WD communicates with Spynet using MSAScui.exe, shown in ZA on my system as
'User Interface' (with the castle icon). It connects to 207.46.236.28.443,
spynet2.microsoft.com. If you don't want to connect to Spynet, block that one
in ZA.

David Sherman said:
No Spynet for me.
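The triage the original poster did by hand (firewall alert, WHOIS lookup, check whether the address sits in the vendor's netblock), combined with the process-to-role mapping in the post above, written out as a small script. This is an added example, not code from the thread or from Microsoft. The WHOIS excerpt is copied from the ARIN record quoted earlier; the alert records, the role table and the port numbers are constructed from what the posts say (the MpCmdRun.exe port was not given, so it is left unknown), and the 198.51.100.7 entry is a made-up out-of-range address included to show a miss.

```python
"""Triage outbound-connection alerts against a WHOIS netblock.

Added example for the thread above; sample data is constructed.
"""
import ipaddress
import re

# Constructed WHOIS excerpt, mirroring the ARIN record quoted in the thread.
WHOIS_TEXT = """\
OrgName: Microsoft Corp
OrgID: MSFT
NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET
"""

# Constructed alert records (process, remote IP, remote port or None).
# The first three use the addresses named in the thread; the last is a
# made-up address from the TEST-NET-2 documentation range to show a miss.
ALERTS = [
    ("MpCmdRun.exe", "207.46.236.88", None),
    ("MSASCui.exe", "207.46.236.28", 443),
    ("svchost.exe", "207.46.236.88", 443),
    ("unknown.exe", "198.51.100.7", 443),
]

# Which process the posts say carries which Defender traffic. Hypothetical
# lookup table built from the thread, not a Microsoft specification.
EXPECTED_ROLE = {
    "svchost.exe": "Windows Update service (signature downloads)",
    "msascui.exe": "Defender UI, SpyNet reporting on tcp/443",
    "mpcmdrun.exe": "scheduled scan / signature-update check",
}


def parse_whois_networks(text):
    """Return (org_name, [ip_network, ...]) from ARIN-style WHOIS output.

    Uses the CIDR line when present; otherwise summarises the NetRange
    start-end pair into CIDR blocks.
    """
    org = None
    m = re.search(r"^OrgName:\s*(.+)$", text, re.M)
    if m:
        org = m.group(1).strip()
    nets = []
    for cidr_line in re.findall(r"^CIDR:\s*(.+)$", text, re.M):
        for token in cidr_line.replace(",", " ").split():
            nets.append(ipaddress.ip_network(token, strict=False))
    if not nets:
        m = re.search(r"^NetRange:\s*(\S+)\s*-\s*(\S+)\s*$", text, re.M)
        if m:
            first = ipaddress.ip_address(m.group(1))
            last = ipaddress.ip_address(m.group(2))
            nets.extend(ipaddress.summarize_address_range(first, last))
    return org, nets


def classify_alert(process, ip, port, org, nets):
    """Decide whether one alert's destination falls inside the netblock."""
    addr = ipaddress.ip_address(ip)
    in_block = any(addr in n for n in nets)
    return {
        "process": process,
        "ip": ip,
        "port": port,
        "in_netblock": in_block,
        "org": org if in_block else None,
        "role": EXPECTED_ROLE.get(process.lower(), "no known role; investigate"),
        "verdict": "vendor-netblock" if in_block else "outside-netblock",
    }


def triage(alerts, whois_text):
    """Classify every alert against the networks in the WHOIS text."""
    org, nets = parse_whois_networks(whois_text)
    return [classify_alert(p, ip, port, org, nets) for p, ip, port in alerts]


if __name__ == "__main__":
    for r in triage(ALERTS, WHOIS_TEXT):
        port = r["port"] if r["port"] is not None else "?"
        print(f"{r['process']:<13} {r['ip']}:{port:<4} {r['verdict']:<17} {r['role']}")
```

Netblock ownership only tells you who is responsible for the address, not that the connection is benign; the second check, which the script cannot do for you, is that the binary raising the alert is the real one under C:\Program Files\Windows Defender and not something else using the same name.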
 
Guest

Hmm... ...very interesting! Someone's spying on you, be careful..

LOL

I was kiddin' but I don't think it's so strange: it's spyware software and
it's also a beta. Maybe it was trying to report your "Installation
experience" (like Visual Studio 2005 does) or something similar. Maybe also
it was trying to upgrade its definitions using a strange way or.. ..maybe
"ZoneAlarm" stuck "young Defender" who ran to mom (Microsoft) cryin' . . .
ZoneAlarm VS Young Defender: the fight for the supremacy begins..

Still kiddin' but I have no more suggestions..

:D
 
David Sherman

I looked at the Zone Alarm log on another machine. It didn't try to
access the Internet at all.

Both machines are basically the same.

Weird!!


Guest said:
WD's update uses windows update service, itself managed by svchost.exe. In ZA
this shows as Generic Host Processes for Win32 services. If you have that
with a green tick on internet access you won't get an alert when checking for
updates.

WD communicates with Spynet using MSAScui.exe, shown in ZA on my system as
'User Interface' (with the castle icon). It connects to 207.46.236.28.443,
spynet2.microsoft.com. If you don't want to connect to Spynet, block that one
in ZA.
 