Download Site

Question

Before I download this Antispyware Beta.
Where am I downloading it from? Microsoft or Somewhere
else?
PopUp window says,
Name:MicrosoftAntiSpywareInstall.exe
Type: Application, 6.22MB
From: download.microsoft.com

The IP Address of download.microsoft.com is
208.172.158.219

OrgName: Savvis
OrgID: SAVVI-3
Address: 3300 Regency Parkway
City: Cary
StateProv: NC
PostalCode: 27511
Country: US

Does this sound correct?
They should state on the Download page of where it is
being downloaded from so you know it is correct.
As your PC may already have some malware/spyware on it
already and your PC may be redirected to a phoney site
for the download.
Anyway, any replies welcome.
 
I'm wondering what popup window you are referring to?

Are you going via a known-good
location--http://www.microsoft.com/spyware/software
for example?

When I have the file download security warning up on my machine, I don't
find a connection to the address you cite--but the download server addresses
are likely different geographically.
 
Question said:
Before I download this Antispyware Beta.
Where am I downloading it from? Microsoft or Somewhere
else?
PopUp window says,
Name:MicrosoftAntiSpywareInstall.exe
Type: Application, 6.22MB
From: download.microsoft.com

The IP Address of download.microsoft.com is
208.172.158.219

OrgName: Savvis
OrgID: SAVVI-3
Address: 3300 Regency Parkway
City: Cary
StateProv: NC
PostalCode: 27511
Country: US

Does this sound correct?
They should state on the Download page of where it is
being downloaded from so you know it is correct.
As your PC may already have some malware/spyware on it
already and your PC may be redirected to a phoney site
for the download.
Anyway, any replies welcome.


As long as you start on a Microsoft web page, like
http://www.microsoft.com/spyware, to find the link to the download then
it is from Microsoft. Microsoft employs services from many 3rd party
vendors for world-wide load-balancing of downloads. They also employ
Akamai (maybe to run Microsoft's SUS) for load-balancing of Windows
Update.

If you do an "nslookup download.microsoft.com", you'll see the IP
addresses that are returned. There are multiple resolutions for that IP
name, one of which is the IP address you specified. You could check
your hosts file to make sure there wasn't some local lookup definition
for download.microsoft.com which took you elsewhere. You could even add
your own entry here but you can only specify a single IP address for the
local lookup, like "64.4.21.254 download.microsoft.com" to ensure the IP
name goes to that specific IP address (but malware that runs as a proxy
or an LSP (layered service provider) in the TCP layer could still
redirect you elsewhere). You could simply go to another host (not under
your control to obviate you installing the same malware on both hosts),
download the file, download it again on your host, and do a binary file
compare on the two.

The IP name shown in the download dialog may be from a DNS lookup on the
IP address that was actually specified. Since a reverse DNS lookup on
download.microsoft.com returns several IP addresses, any one of those
might have been what was actually specified for the download but the
download dialog did the IP address lookup and shows you the IP name
(which has several IP addresses for it). You could check your
firewall's logs to see to where your computer actually connects during
the download. In my case, the download dialog said that the file would
be retrieved from download.microsoft.com but the firewall shows that I
connected to 64.4.21.254 (which is allocated to Microsoft's Hotmail
domain).

In fact, if you repeatedly run "nslookup download.microsoft.com" you
will notice the list of IP address will change. In one run of nslookup,
4.79.74.61 was listed and that is allocated to Level3 Communications.
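
The two local checks suggested in the reply above (looking for a hosts-file entry that overrides download.microsoft.com, and comparing two copies of the downloaded file), as an added example that is not part of the original post. The sample hosts content and its addresses are constructed, and comparing SHA-256 digests stands in for the byte-for-byte compare so that only a digest has to move between the two hosts.

```python
import hashlib
import ipaddress

# Constructed sample of a hosts file (on Windows the real one lives at
# %SystemRoot%\System32\drivers\etc\hosts). Addresses are documentation ranges.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
203.0.113.7     Download.Microsoft.com  dl   # constructed override entry
# 198.51.100.9  download.microsoft.com  (commented out, so ignored)
::1             localhost
"""

def hosts_overrides(hosts_text, hostname):
    """Return the addresses that a hosts file maps `hostname` to (usually none)."""
    wanted = hostname.rstrip(".").lower()
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)        # skip malformed entries
        except ValueError:
            continue
        # Host names are case-insensitive; one line may carry several aliases.
        if any(n.rstrip(".").lower() == wanted for n in names):
            hits.append(addr)
    return hits

def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so a multi-megabyte installer is not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def same_download(path_a, path_b):
    """True when both copies of the download have identical contents."""
    return sha256_file(path_a) == sha256_file(path_b)

if __name__ == "__main__":
    # Any address printed here means the name is being resolved locally.
    print(hosts_overrides(SAMPLE_HOSTS, "download.microsoft.com"))
```

An empty list from `hosts_overrides` only rules out the hosts file; as the reply notes, a proxy or LSP can still redirect the connection, which is what the second-host comparison is for.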
 
Thanks for the reply Bill,
Yes, I'm going via the Microsoft AntiSpyware site.
The popup window that comes up is a warning that you are
about to download a file from the internet (In Internet
Options I have a prompt on file downloads).
The IP address info came from my firewall log (that
didn't popup, I looked at that manually), it logged the
IP Address of download.microsoft.com as 208.172.158.219.
I assumed that it would have been a 207.xxx.xxx.xxx
address, so I did a whois and that was the info that came
back.
I wasn't sure if the downloaded file came from a
trustworthy site or not.
 
Thanks Vanguard for the very informative reply,
Yep, started on the 'Official' Microsoft web page.
I didn't even think that, due to traffic load etc, that
they may redirect requested downloads to different third
party servers.
Interesting info about the nslookup.
I have not entered any IP addresses in my Hosts file.
I cannot double check by downloading the file from a
different host computer as another host is not available
to me(but that would be a good way to compare).
The popup window was only for the file download (prompt
warning) in Internet Explorer. I actually got the IP
address after I had a look in my firewall log,
download.microsoft.com (208.172.158.219) and did a whois
on that 208.xxx address.
Sorry for the confusion.
Maybe I'm looking too closely at my firewall logs at the
moment and being overly cautious. lol
As you said, the IP addresses do change quite a lot.
At least I have learnt something from it all.
Thank you.
 
This looks legit to me. I did a google on the keys "savvis microsoft
download" and got, among other hits this one:
http://bink.nu/?CategoryID=37

(use a text search on savvis to find the relevant paragraph.) Looks like
these folks provide services akin to those provided by Akamai, whose name is
more familiar, I suspect. Akamai used Linux machines for some functionality
which led to some sniping about Microsoft hosting services on Linux, which
wasn't the case. Savvis uses Windows Server 2003.
 
Yes--if you read here:

http://bink.nu/?CategoryID=37

(search on savvis)--it appears that Savvis provides services like those
provided by Akamai, but with the plus of not using Linux, which caused some
sniping earlier about Microsoft hosting services on Linux, which really
wasn't the case.
 