Windows has placed a dedicated line to Azure servers

So, normally it could not be, because my traffic from the Win machine is routed through a VPN and all other traffic is blocked. But in the connection overview from IPFire I see 3 established connections with a lease time over 100h on port 443.
windowsmachine->WANIP —> MS-Server 443
Normally all connections from the system should go over the IPFire Squid proxy or be blocked with the Win firewall, but never a direct connection over eth0.
windowsmachine->IPFire —>WANIP
and
WANIP ---->> TargetIP

I tried FW rules to stop this, I pulled the cable for 2 minutes, but these 3 connections are not stoppable.
Is the IPFire GUI playing tricks on me?
I downloaded Wireshark on the Win machine and listened on eth0, but nothing; I found nothing related to these 3 connections.
Btw, Wireshark is stunning me, it scans every single packet. I never saw these little 64KB packets so big, holy shit, what a mass of data.

Does anybody have an idea how to stop these connections?

My only thought: block the target IP.

Block port 443 access with a firewall rule.

Or change the default firewall behavior to block.

Do you have IDS with Emerging Threats signatures enabled?

If yes, check for this signature, it could be the Windows Device Metadata Retrieval Client (DMRC).

You can also locally create a policy by using “gpedit.msc”.

Thank you for the answers. I solved this issue with the script to block companies and added the whole IP range.

I hope you don’t use any Microsoft Office products if you just randomly block Azure servers. :slightly_smiling_face:

No sir, I have used OpenOffice since the beginning, and now LibreOffice.
