
Windows telemetry servers #844

Open
DavidCWGA opened this Issue Nov 26, 2018 · 5 comments

3 participants

DavidCWGA commented Nov 26, 2018

The German federal government posted an analysis of Windows 10 telemetry:
https://www.ghacks.net/2018/11/23/german-federal-office-bsi-publishes-telemetry-analysis/

It included a list of known telemetry servers, which I am including in alphabetical order here:

alpha.telemetry.microsft.com
asimov-win.settings.data.microsoft.com.akadns.net
db5-eap.settings-win.data.microsoft.com.akadns.net
db5.settings-win.data.microsoft.com.akadns.net
db5.vortex.data.microsoft.com.akadns.net
eu.vortex-win.data.microsft.com
geo.settings-win.data.microsoft.com.akadns.net
geo.vortex.data.microsoft.com.akadns.net
oca.telemetry.microsft.com
settings-win.data.microsoft.com
us.vortex-win.data.microsft.com
v10-win.vortex.data.microsft.com.akadns.net
v10.vortex-win.data.microsft.com
vortex-win-sandbox.data.microsoft.com

This was an analysis of an older version of Windows 10, so this list is certainly not complete, nor up to date. (Some of these names no longer resolve.) The names seem to have been extracted from diagtrack.dll - perhaps someone with a more modern version of Windows 10 could compare.

Currently only one of these, settings-win.data.microsoft.com, is included in the blacklist.

Personally I think it's quite suspicious of Microsoft to use intentionally misspelled domain names, like "microsft". That's usually something that malware does.

Is there a canonical list of Windows 10 telemetry servers, and should it be included in the blacklist?
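An added example (not code from the issue author or from the hosts project) that does the two checks the post above asks for on the posted list: which of the names a hosts-style blacklist already blackholes, and which names carry a look-alike brand label such as "microsft". The hosts-file excerpt is constructed for the example and is not the real blacklist; it only mirrors the state described above, where settings-win.data.microsoft.com is the single entry present. The edit-distance check is the same heuristic one uses against typosquats and scans every label so misspellings inside the akadns.net names are caught too. `resolves()` needs network access and is only called from `__main__`.

```python
import socket
from typing import Iterable, List, Set

# The hostnames from the BSI list as posted above, copied verbatim
# (including the "microsft" spellings).
TELEMETRY_HOSTS = [
    "alpha.telemetry.microsft.com",
    "asimov-win.settings.data.microsoft.com.akadns.net",
    "db5-eap.settings-win.data.microsoft.com.akadns.net",
    "db5.settings-win.data.microsoft.com.akadns.net",
    "db5.vortex.data.microsoft.com.akadns.net",
    "eu.vortex-win.data.microsft.com",
    "geo.settings-win.data.microsoft.com.akadns.net",
    "geo.vortex.data.microsoft.com.akadns.net",
    "oca.telemetry.microsft.com",
    "settings-win.data.microsoft.com",
    "us.vortex-win.data.microsft.com",
    "v10-win.vortex.data.microsft.com.akadns.net",
    "v10.vortex-win.data.microsft.com",
    "vortex-win-sandbox.data.microsoft.com",
]

# Constructed excerpt in the 0.0.0.0 style; NOT the real unified hosts file.
SAMPLE_HOSTS_FILE = """\
# Title: constructed excerpt for this example, not the real hosts file
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 settings-win.data.microsoft.com   # already blacklisted
0.0.0.0 tracker.example
"""

BLACKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text: str) -> Set[str]:
    """Lower-cased hostnames a hosts file blackholes. Drops '#' comments and
    accepts several names per line, as hosts(5) allows."""
    blocked: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in BLACKHOLE_ADDRS:
            blocked.update(n.lower().rstrip(".") for n in names)
    return blocked


def missing_from_blacklist(hosts: Iterable[str], blocked: Set[str]) -> List[str]:
    """Names from `hosts` that the parsed hosts file does not yet block."""
    return sorted({h.lower() for h in hosts} - blocked)


def hosts_entries(names: Iterable[str]) -> str:
    """Render names as 0.0.0.0 lines ready to append to a blacklist."""
    return "\n".join(f"0.0.0.0 {n}" for n in names)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inlined rather than pulling in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss_domains(hosts: Iterable[str], brand: str = "microsoft",
                      max_distance: int = 1) -> List[str]:
    """Names containing a label that is almost, but not exactly, the brand
    (e.g. 'microsft'). Every label is checked, so a misspelling buried inside
    an akadns.net CNAME target is flagged as well."""
    flagged = set()
    for h in hosts:
        for label in h.lower().split("."):
            if label != brand and levenshtein(label, brand) <= max_distance:
                flagged.add(h.lower())
    return sorted(flagged)


def resolves(host: str) -> bool:
    """True if the name currently resolves (needs network; main() only)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS_FILE)
    missing = missing_from_blacklist(TELEMETRY_HOSTS, blocked)
    print(f"{len(missing)} of {len(TELEMETRY_HOSTS)} names not yet blocked:")
    print(hosts_entries(missing))
    print("\nLook-alike brand labels:", near_miss_domains(TELEMETRY_HOSTS))
    print("\nStill resolving:", [h for h in TELEMETRY_HOSTS if resolves(h)])
```

Against the constructed excerpt, 13 of the 14 names are reported as missing and the six "microsft" names are flagged by the look-alike check; the correctly spelled microsoft.com names are not. To run it against the real blacklist, replace `SAMPLE_HOSTS_FILE` with the contents of the actual hosts file.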

DavidCWGA commented Nov 26, 2018

Hacker News discusses the German report here: https://news.ycombinator.com/item?id=18527997

StevenBlack (Owner) commented Nov 26, 2018

Thanks @DavidCWGA. Interesting.

StevenBlack (Owner) commented Nov 26, 2018

I'm inclined to summarily block all those microsft.com (misspelled) domains, right now, on principle.

StevenBlack added a commit that referenced this issue Nov 26, 2018

DavidCWGA commented Nov 26, 2018

I took diagtrack.dll from a current Windows 10 install and ran it through "strings", but could not find any hostnames at all. If they're in there, they're encoded somehow.
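A common reason plain `strings` shows no hostnames in a Windows DLL is that the binary stores its text as UTF-16LE (every character followed by a NUL byte), which the default single-byte scan breaks into one-character runs; GNU `strings -el` is the usual fix. The added example below (written for this page, not the commenter's tooling, and not bytes from the real diagtrack.dll) shows the difference on a constructed stand-in image that holds one ASCII string and two hostnames stored as UTF-16LE, then pulls hostnames out of the extracted strings. The TLD allowlist in `HOST_RE` is deliberately narrow for the example so that "diagtrack.dll" is not mistaken for a hostname; widen it for real use.

```python
import re
import sys
from typing import Dict, List

# Constructed stand-in for a DLL image: a DOS-stub message stored as ASCII
# plus two hostnames stored as UTF-16LE. NOT taken from diagtrack.dll.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x00" * 8
    + "https://settings-win.data.microsoft.com/settings/v2.0".encode("utf-16-le")
    + b"\x00\x00"
    + b"\xff\xfe\x00\x01"
    + "v10.vortex-win.data.microsoft.com".encode("utf-16-le")
    + b"\x00\x00"
    + b"diagtrack.dll\x00"
)

PRINTABLE = rb"[\x20-\x7e]"


def ascii_strings(data: bytes, min_len: int = 6) -> List[str]:
    """What plain `strings` reports: runs of printable single-byte chars."""
    pat = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Runs of printable char + NUL pairs, i.e. UTF-16LE text
    (what `strings -el` would show)."""
    pat = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


# Narrow allowlist for the example (assumption: only com/net/org matter here).
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+(?:com|net|org)\b", re.IGNORECASE)


def hostnames_in(strings: List[str]) -> List[str]:
    """Unique, lower-cased hostnames found inside strings (URLs included)."""
    return sorted({m.group().lower() for s in strings for m in HOST_RE.finditer(s)})


def scan(data: bytes) -> Dict[str, List[str]]:
    """Hostnames visible per encoding; the ASCII pass is what `strings` sees."""
    return {
        "ascii": hostnames_in(ascii_strings(data)),
        "utf16le": hostnames_in(utf16le_strings(data)),
    }


if __name__ == "__main__":
    # Pass a real path (e.g. C:\Windows\System32\diagtrack.dll) to scan it;
    # with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for encoding, hosts in scan(data).items():
        print(f"{encoding}: {hosts}")
```

On the constructed image the ASCII pass yields the DOS-stub message and "diagtrack.dll" but no hostnames, while the UTF-16LE pass yields both hostnames. If a real DLL still shows nothing under both passes, the names are genuinely obfuscated or built at runtime and a static scan will not find them.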

Atavic commented Nov 29, 2018

See the Strings section here; BTW, it is linked to other resources listed here.
