Why does Microsoft want to call home?


David Sherman

I downloaded all the patches yesterday.

One patch or was it MS Defender wanted to call home:

A file called MPCmdRun.exe wanted to call 207.46.236.88

WHY?

WhoIs Lookup performed by Karen's WhoIs
http://www.karenware.com/

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET
NetHandle: NET-207-46-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate: 1997-03-31
Updated: 2004-12-09
RTechHandle: ZM39-ARIN
RTechName: Microsoft
RTechPhone: +1-425-882-8080
RTechEmail: (e-mail address removed)

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: (e-mail address removed)

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: (e-mail address removed)

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: (e-mail address removed)

OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: (e-mail address removed)

OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: (e-mail address removed)

# ARIN WHOIS database, last updated 2006-02-14 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Here is the MPCmdRun.log file:



-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows
Defender\MpCmdRun.exe" Scan -ScanType config -Privileges restricted
Start Time: Wed Feb 15 01:32:00 2006


Start: MpScan(MP_ANTISPYWARE, dwOptions=1)
Start: MpSignatureUpdate()
Update started (Type:Scheduled)

SearchStarted...Search Completed with hr: 0x00000000

Update completed succesfuly . no updates needed (hr:0x00000001)

Finish: MpSignatureUpdate()
MpCmdRun: End Time: Wed Feb 15 01:32:29 2006

-------------------------------------------------------------------------------------
 
It wanted to download updates to the spyware definitions... I'm surprised, with
all the knowledge it seems you have (that was nice detective work there), that
you wouldn't see a need for it to download definitions like anti-virus. If
you are only protected from spyware made last year you might as well not even
bother running it... it has to update.
 
Did you choose to participate in Spynet?

It wouldn't surprise me if the app reported getting the update--Windows
Defender signature updates can be part of a collection of patches offered by
AutoUpdate or WindowsUpdate, depending on how the timing works.
 
No Spynet for me.

 
WD's update uses windows update service, itself managed by svchost.exe. In ZA
this shows as Generic Host Processes for Win32 services. If you have that
with a green tick on internet access you won't get an alert when checking for
updates.

WD communicates with Spynet using MSAScui.exe, shown in ZA on my system as
'User Interface' (with the castle icon). It connects to 207.46.236.28.443,
spynet2.microsoft.com. If you don't want to connect to Spynet, block that one
in ZA.
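As an added example (not code posted in this thread), here is a PowerShell check on a modern Windows box that does what the firewall alert made the original poster do by hand: list which process owns each outbound TCP connection, whether that binary's Authenticode signature verifies, and whether the destination falls inside the 207.46.0.0/16 range from the WHOIS output above. It assumes the NetTCPIP module (Get-NetTCPConnection) is available; run it elevated to see paths for svchost.exe and other system processes.

```powershell
# Added example, not from the thread. Maps outbound connections to the owning
# process, checks the binary's signature, and flags destinations inside the
# ARIN range quoted earlier in this thread.

function Test-InCidr {
    # IPv4 only: true if $Address lies inside $Cidr (e.g. 207.46.0.0/16).
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $ipInt  = [BitConverter]::ToUInt32(([IPAddress]$Address).GetAddressBytes()[3..0], 0)
    $netInt = [BitConverter]::ToUInt32(([IPAddress]$net).GetAddressBytes()[3..0], 0)
    # Build the mask in Int64 then truncate to 32 bits to avoid overflow.
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

$MicrosoftRange = '207.46.0.0/16'   # NetRange from the WHOIS record above

Get-NetTCPConnection |
    Where-Object {
        $_.State -in 'Established', 'SynSent' -and
        $_.RemoteAddress -match '^\d+\.\d+\.\d+\.\d+$' -and
        $_.RemoteAddress -ne '127.0.0.1'
    } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $path = $proc.Path          # null for protected processes when not elevated
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Process   = $proc.ProcessName
            Path      = $path
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            InMsRange = Test-InCidr -Address $_.RemoteAddress -Cidr $MicrosoftRange
            SigStatus = if ($sig) { $sig.Status } else { 'unknown' }
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Format-Table -AutoSize
```

A row whose binary lives under Program Files or System32 with SigStatus Valid and a Microsoft signer, going to an address inside the range, is the benign case discussed in this thread; anything unsigned or outside the expected range is what deserves the follow-up question the poster asked.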

David Sherman said:
No Spynet for me.
 
Hmm... ...very interesting! Someone's spying on you, be careful..

LOL

I was kiddin' but I don't think it's so strange: it's a spyware software and
it's also a beta. Maybe it was trying to report your "Installation
experience" (like Visual Studio 2005 does) or something similar. Maybe also
it was trying to upgrade its definitions using a strange way or.. ..maybe
"ZoneAlarm" stuck "young Defender" who ran to mom (Microsoft) cryin' . . .
ZoneAlarm VS Young Defender: the fight for the supremacy begins..

Still kiddin' but I have no more suggestions..

:D
 
I looked at the Zone Alarm log on another machine. It didn't try to
access the Internet at all.

Both machines are basically the same.

Weird!!


 