Windows has placed a dedicated line to Azure servers

mumpitz · 28 August 2023 11:35

So, normaly it could not be, because my traffic from win maschine is routing through a VPN and all other traffic is blocked. But in the connection overview from Ipfire I see 3 established connections with leasetime over 100h on Port 443.
windowsmaschine->WANIP —> MS-Server 443
Normal all connections from system should go over IPfire Squid Proxy or were blocked with winfirewall, but never direct connection, over eth0.
windowsmaschine->IPfire —>WANIP
and
WANIP ---->> TargetIP

I tried FW rules to stop this, I bull the cable for 2 minutes, but this 3 connections are not stopable.
Is Ipfire gui playing tricks with me?
I downloaded wirkshark on win maschine, listen on eth0, but nothing, I found nothing related to this 3 connections.
btw wireshark is stunning me, it scans every single package, i never saw this little 64KB packages so big, holy shit what a mass of data.

Anybody an Idea how to stop this connections ?

hvacguy · 28 August 2023 13:26

My only thought block Target ip

Block port 443 access with firewall rule

Or Change default firewall behavior to block.

eth0 · 28 August 2023 14:00

Do you have IDS with Emerging Threats signatures enabled?

If yes, check for this signature, it could be the Windows Device Metadata Retrieval Client (DMRC).

You can also locally create a policy by using “gpedit.msc”.

mumpitz · 31 August 2023 06:52

Thank you for the answers i solved this issue wirh the script to block companys and added the hole IP Range.

eth0 · 31 August 2023 09:57

I hope you don’t use any Microsoft Office products if you just randomly block Azure servers.

mumpitz · 2 September 2023 02:40

No sir, i use since beginning OpenOffice or now LibreOffice.