Symantec ATP 4.x: High risk on Windows update en-us_win32.appx

Yes, Symantec ATP’s sandboxing does flag bulk downloads and can treat them as suspected malicious downloads, so you may receive a large number of high-risk endpoint alerts on the ATP dashboard.

Sandboxing detected: en-us_win32.appx was downloaded from officecdn.microsoft.com.edgesuite.net

Looking at the URL of this download, it is pretty clearly legitimate: it comes from Microsoft Windows Update. This is especially true in a GPO and WSUS environment, where Windows Update runs on a fixed schedule.

There is a validation process you can run to confirm that it is not malicious:

  1. Go to the endpoint device (physically) which ATP detected as high-risk
  2. Open the Windows Update log file in Notepad
    • You can find it at C:\Windows\WindowsUpdate.log
  3. Next, compare the Windows Update log file with the ATP alert details on timing and the patch file
  4. If they match, it is a legitimate patch file from Microsoft
  5. Next, to double confirm, use the VirusTotal website to scan the patch file and the URL to make sure it is legitimate
  6. To triple confirm, raise a case with Symantec support for further assistance.
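Step 3 (matching the log against the alert on timing and file name) and the hash you would submit to VirusTotal in step 5 can be automated. The script below is an added example, not code from the original post or from Symantec; it assumes the classic text layout of C:\Windows\WindowsUpdate.log (date, time, PID, TID, component, message per line; on Windows 10 that text file is produced from the ETL traces by the Get-WindowsUpdateLog cmdlet), and the log lines, alert file name, host and alert time it uses are all constructed sample data.

```python
"""Correlate a Symantec ATP sandbox alert with WindowsUpdate.log entries.

Added example (not from the original post). Assumes the classic text format
of C:\\Windows\\WindowsUpdate.log. All sample data below is constructed.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample of WindowsUpdate.log lines (not a real capture).
SAMPLE_LOG = """\
2019-03-12 02:00:01:123  944  1c80  Agent  *************
2019-03-12 02:00:05:456  944  1c80  DnldMgr  Download job started
2019-03-12 02:03:17:789  944  1c80  DnldMgr  Downloading from http://officecdn.microsoft.com.edgesuite.net/pr/en-us_win32.appx
2019-03-12 02:04:40:012  944  1c80  DnldMgr  Download complete for en-us_win32.appx
2019-03-12 02:10:00:000  944  1c80  Agent  Update installation finished
"""

# date time:millis  PID  TID  component  message
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(\d{3})\s+\S+\s+\S+\s+(\S+)\s+(.*)$"
)


def parse_log(text):
    """Parse log text into dicts with a datetime, component and message."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip banners and lines in an unexpected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(microsecond=int(m.group(2)) * 1000)
        entries.append({"time": ts, "component": m.group(3), "message": m.group(4)})
    return entries


def correlate(entries, alert_file, alert_host, alert_time, window=timedelta(minutes=15)):
    """Return entries mentioning the alerted file or host within +/- window of the alert.

    This is the automated form of step 3: the ATP alert is corroborated only if
    the Windows Update agent itself logged the same file or host at the same time.
    """
    hits = []
    for e in entries:
        msg = e["message"].lower()
        mentions = alert_file.lower() in msg or alert_host.lower() in msg
        in_window = abs(e["time"] - alert_time) <= window
        if mentions and in_window:
            hits.append(e)
    return hits


def verdict(hits):
    """Summarise the correlation result for the analyst."""
    return "corroborated by WindowsUpdate.log" if hits else "NOT found in WindowsUpdate.log"


def sha256_of_bytes(data):
    """SHA-256 of file contents, so step 5 can be a hash lookup instead of an upload."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed alert details, as they would be read from the ATP dashboard.
    alert_file = "en-us_win32.appx"
    alert_host = "officecdn.microsoft.com.edgesuite.net"
    alert_time = datetime(2019, 3, 12, 2, 4, 0)

    entries = parse_log(SAMPLE_LOG)
    hits = correlate(entries, alert_file, alert_host, alert_time)
    print(verdict(hits))
    for h in hits:
        print(f"  {h['time']}  {h['component']}  {h['message']}")
```

On a real endpoint, replace SAMPLE_LOG with the contents of C:\Windows\WindowsUpdate.log and pass the downloaded file's bytes to sha256_of_bytes to get the hash to look up on VirusTotal. A correlation hit shows the download was initiated by the Windows Update agent on schedule; no hit means the file reached the endpoint some other way and the alert deserves a closer look before it is dismissed.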

Author: sabrinaksy

Just a little girl who loves what she does best.
