IPS log shows GPL_WEB_SERVER 403 Forbidden Attempted information leak

We have a handful of Windows 10 Pro machines on our network, and every one of them is generating entries in the IPS log that look like this:

Date: 11/27 13:04:21 Name: GPL WEB_SERVER 403 Forbidden
Priority: 2 Type: Attempted Information Leak
IP info: :3128 -> :62881
References: none found SID: 2101201

I’ve turned off all the privacy settings that I can find in Windows 10 Pro, but I don’t have a way to tell what this is referencing. The log references SID 2101201, but I have not found any good explanation of what the rule is referencing and whether it’s a concern.

Can anyone explain the rule, and what can be turned off on the Windows 10 machines to stop this kind of traffic?

Chris
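As an added example (not part of the original post, and not an IPFire or ruleset tool), here is a small triage script that parses log entries in the four-line layout shown above, decides which endpoint of each alert is the server side, and counts alerts per SID and per client host. The sample log is constructed for the example with RFC 5737 documentation addresses, since the post's own addresses are not reproduced; the set of "service ports" (including 3128, the usual web-proxy port seen in the post) is an assumption of the example. The 403 rule family this SID belongs to matches the HTTP 403 response coming from the server, so the log's source (port 3128) is the responder and the destination is the Windows client that made the request.

```python
import re
from collections import defaultdict

# Constructed sample log in the four-line-per-alert layout shown in the post.
# Addresses are RFC 5737 documentation addresses, not taken from the thread.
SAMPLE_LOG = """\
Date: 11/27 13:04:21 Name: GPL WEB_SERVER 403 Forbidden
Priority: 2 Type: Attempted Information Leak
IP info: 192.0.2.1:3128 -> 192.0.2.10:62881
References: none found SID: 2101201
Date: 11/27 13:05:02 Name: GPL WEB_SERVER 403 Forbidden
Priority: 2 Type: Attempted Information Leak
IP info: 192.0.2.1:3128 -> 192.0.2.11:50213
References: none found SID: 2101201
Date: 11/27 13:05:59 Name: GPL WEB_SERVER 403 Forbidden
Priority: 2 Type: Attempted Information Leak
IP info: 192.0.2.1:3128 -> 192.0.2.10:62902
References: none found SID: 2101201
"""

# One alert = four consecutive lines; capture the fields we need for triage.
ALERT_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>.+?)\n"
    r"Priority: (?P<prio>\d+) Type: (?P<type>.+?)\n"
    r"IP info: (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\n"
    r"References: (?P<refs>.+?) SID: (?P<sid>\d+)"
)

# Ports assumed to be services on the local network (3128 = the web proxy).
# This is an assumption of the example, not something the thread states.
SERVICE_PORTS = {80, 443, 3128, 8080}


def parse_alerts(text):
    """Parse every complete alert record in the log text into a dict."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        for key in ("sport", "dport", "sid", "prio"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def client_of(alert):
    """Return (client_ip, server_ip, server_port).

    The endpoint on a known service port is treated as the server. For a rule
    that matches the server's response (as the 403 rule does), the log's src
    is therefore the responder and dst is the machine that sent the request.
    """
    if alert["sport"] in SERVICE_PORTS:
        return alert["dst"], alert["src"], alert["sport"]
    return alert["src"], alert["dst"], alert["dport"]


def summarize(alerts):
    """Map (sid, name) -> {client_ip: count} so the noisy clients stand out."""
    summary = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        client, _, _ = client_of(a)
        summary[(a["sid"], a["name"])][client] += 1
    return {k: dict(v) for k, v in summary.items()}


if __name__ == "__main__":
    for (sid, name), per_client in summarize(parse_alerts(SAMPLE_LOG)).items():
        print(f"SID {sid} ({name})")
        for ip, n in sorted(per_client.items(), key=lambda kv: -kv[1]):
            print(f"  {ip}: {n} alert(s)")
```

Run it against a real log instead of the sample (replace `SAMPLE_LOG` with the file contents) to see which clients trigger which SID; the same per-SID grouping tells you quickly whether one rule accounts for all the noise.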

I am not an expert at all when it comes to Windows, but as far as I know there is no way to make it stop sending data to Microsoft. They will always do it.

Hi,

Although this topic is somewhat abandoned by now, I just wanted to add a quick footnote regarding Microsoft Windows telemetry traffic: the ET IPS ruleset contains a rule called “ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent”, which triggers very reliably and blocks at least some of that traffic.

Improving privacy is certainly not an average IPS use-case, but it seems to work. :expressionless:

Thanks, and best regards,
Peter Müller

Is the same rule in the Talos VRT rules for registered users?

Hi,

please go ask that question somewhere else - this is not a support forum for Talos VRT.

Thanks, and best regards,
Peter Müller