Symantec ATP 4.x: High risk on Windows update en-us_win32.appx

Yes, Symantec ATP’s sandboxing does detect any bulk download and suspect it as a malicious download and you receive a high amount of high-risk endpoints prompt from ATP dashboard.

Sandboxing detected : en-us_win32.appx was downloaded from

By looking at the URL of this download is pretty legit is from Microsoft Windows Update. Windows Update especially with GPO and WSUS environment, which windows update is run based on a fixed schedule set.

Well, there are validation process you could run to confirm that it is not malicious;

  1. Go to the endpoint device (phisically) which ATP detected as high-risk
  2. Open up Windows Update Log file as Notepad
    • You can find it from C:\Windows\WindowsUpdate.log
  3. Next, compare Windows Update log file with ATP alert details, on the timing and patch file
  4. If it is right then it is a legit patch file from Microsoft
  5. Next to double confirm, use VirusTotal website to scan the patch file and the URL to make sure it is legit
  6. To triple confirm, raise a case to Symantec support for further assistance on this case.

Author: sabrinaksy

Just an ordinary lady who love what she does best.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: