Yes, Symantec ATP's sandboxing does detect any bulk download and suspects it as a malicious download, and you receive a large number of high-risk endpoint prompts from the ATP dashboard.
Sandboxing detected: en-us_win32.appx was downloaded from officecdn.microsoft.com.edgesuite.net
By looking at the URL, this download is pretty legit; it is from Microsoft Windows Update. Windows Update, especially in a GPO and WSUS environment, runs on a fixed schedule.
Well, there is a validation process you could run to confirm that it is not malicious:
- Go to the endpoint device (physically) which ATP detected as high-risk
- Open the Windows Update log file in Notepad
- You can find it at C:\Windows\WindowsUpdate.log
- Next, compare the Windows Update log file with the ATP alert details, on the timing and the patch file
- If it matches, then it is a legitimate patch file from Microsoft
- Next, to double confirm, use the VirusTotal website to scan the patch file and the URL to make sure it is legitimate
- To triple confirm, raise a case with Symantec support for further assistance on this case.
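The log-versus-alert comparison above, scripted as an added example (not from the original post or from Symantec): it pulls the WindowsUpdate.log lines that mention the alerted file name within a time window around the alert, then hashes the file so it can be checked on VirusTotal by SHA-256 instead of uploading it. The alert time is a constructed value, and the SoftwareDistribution download-cache path is an assumption about where the file still sits.

```powershell
# Added example: correlate an ATP sandbox alert with C:\Windows\WindowsUpdate.log
# by file name and time window, then hash the downloaded file for a VirusTotal lookup.
param(
    [string]$LogPath       = 'C:\Windows\WindowsUpdate.log',
    [string]$FileName      = 'en-us_win32.appx',   # file name taken from the ATP alert
    [datetime]$AlertTime   = '2019-03-12 10:15:00', # constructed alert timestamp
    [int]$WindowMinutes    = 30
)

# On Windows 10 and later the text log is not kept on disk; it must be
# generated from the ETL traces first (writing into C:\Windows needs admin).
if (-not (Test-Path $LogPath)) {
    $LogPath = Join-Path $env:TEMP 'WindowsUpdate.log'
    Get-WindowsUpdateLog -LogPath $LogPath | Out-Null
}

$start = $AlertTime.AddMinutes(-$WindowMinutes)
$end   = $AlertTime.AddMinutes($WindowMinutes)

# Timestamp at the start of each line; matches both the legacy layout
# (yyyy-mm-dd<TAB>hh:mm:ss:ms) and the Windows 10 layout (yyyy/mm/dd hh:mm:ss.ffff).
$stampRx = '^(?<d>\d{4}[-/]\d{2}[-/]\d{2})\s+(?<t>\d{2}:\d{2}:\d{2})'

$hits = Get-Content $LogPath | ForEach-Object {
    if ($_ -match $stampRx -and $_ -like "*$FileName*") {
        $stamp = ("$($Matches.d) $($Matches.t)") -replace '/', '-'
        $ts = [datetime]::ParseExact($stamp, 'yyyy-MM-dd HH:mm:ss', $null)
        if ($ts -ge $start -and $ts -le $end) { $_ }
    }
}

if ($hits) {
    "Windows Update logged $FileName within +/- $WindowMinutes min of the alert:"
    $hits
} else {
    "No Windows Update entry for $FileName between $start and $end; the alert is not explained by the log."
}

# Hash the file (assumed to still be in the Windows Update download cache)
# so VirusTotal can be queried by SHA-256 without uploading the file.
$cache = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'
$file  = Get-ChildItem $cache -Recurse -Filter $FileName -ErrorAction SilentlyContinue |
         Select-Object -First 1
if ($file) { Get-FileHash $file.FullName -Algorithm SHA256 }
```

Run it on the flagged endpoint with the file name and time copied from the ATP alert; the hash output is what you paste into the VirusTotal search box.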