
Posted

I have suddenly started getting messages from NOD32 regarding blocked access to a Microsoft URL, mrodevicemgr.officeapps.live.com

Does anyone know if this is really a phishing problem? Does blocking it upset MSOffice? 

The URL is listed by Microsoft here @ https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

The full message I'm getting (from the log, so not pretty) is:

Time;URL;Status;Application;User;IP address;SHA1
04/02/2020 10:01:06;https://mrodevicemgr.officeapps.live.com;Blocked by Anti-Phishing blacklist;C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe;ORWELL\willi;52.109.76.40;24F5E9F445912D05C05A45AB17E11FBDFAAF2FBC
 

 

  • Administrators
Posted

It was a 3rd party FP, it's fixed now and we have also whitelisted the live.com domain to prevent similar FPs in the future.

Posted

We are getting this issue on multiple endpoints on Endpoint Security, 83 occurrences on my PC alone in 36 hours. Paste from the log below

Time;Account;Group;URL;Matching URL;Category;Action performed
07/02/2020 11:50:21;NT AUTHORITY\SYSTEM;NT AUTHORITY\SYSTEM;https://mrodevicemgr.officeapps.live.com;mrodevicemgr.officeapps.live.com;Malware Distribution Point;Blocked by policy
 

 

  • Administrators
Posted

The hostname has been reclassified. It may take several hours for the change to take effect.

Posted

I'm still getting multiple block notifications on the grounds of Parental Control for this URL on full blown ESET.

Is this correct or is this going to be fixed????

ESET is fully up to date............

  • Administrators
Posted

It was not a problem of Parental Control. The IP range is already whitelisted. Please post the appropriate records from logs.

Posted

We're getting the same warning since yesterday:

 

More details
Hash: 0000000000000000000000000000000071374470
Uniform Resource Identifier (URI): https://mrodevicemgr.officeapps.live.com
Process name: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\16.0.12430.20184\OfficeClickToRun.exe
Event: An attempt to connect to URL
Rule: Blocked by Web control
Scanner: HTTP filter
Target address: 52.109.76.40

Posted

I have the same problem, sometimes more times a day. What do I have to do about it?

  • Administrators
Posted

Please provide ELC logs from such machine. Neither the hostname nor IP address appears to be blocked.

Posted
27 minutes ago, Marcos said:

Please provide ESET Log Collector logs from such machine. Neither the hostname nor IP address appears to be blocked.

Where can I upload my logs securely? 

  • Administrators
Posted

You can upload them here. Attachments can be accessed only by ESET staff. Alternatively you can upload them to OneDrive, Dropbox, etc. and drop me a personal message with a download link.

  • Administrators
Posted

Thank you. The address is categorized as malicious by Web Control. We have reported the miscategorization to the provider of the URL categorization database. In the meantime, creating a Web Control permissive rule and moving it on top of other Web Control rules should do the trick:

image.png

Posted

Thanks for the info, I deployed workaround rule as you described, can you provide an update when category is fixed?

  • Administrators
Posted
12 minutes ago, Bugra Ceylan said:

Thanks for the info, I deployed workaround rule as you described, can you provide an update when category is fixed?

It seems the URL categorization provider has already fixed it. Now it may take up to 24 hours for the database to get updated on our servers.

Posted

I am getting the same kind of repeat blocking with the message below. I think it might be blocking some of my files from updating to the Office 365 cloud. This happened today, several times.

Time;URL;Status;Application;User;IP address;SHA1
11/02/2020 18:21:01;https://mrodevicemgr.officeapps.live.com;Blocked by Parental control;C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe;DESKTOP-4MPP8AU\Windows;52.109.76.40;B772F61DD32164D43333AE54E17A3C88184E733B

 

Would appreciate some clarity about this

  • 2 weeks later...
  • Administrators
Posted

The date in your log is from Feb 11. Does the problem persist?
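
Added example, not part of the thread and not ESET code: a short Python script that parses the two semicolon-delimited log layouts pasted above and counts blocks per hostname, blocking reason and process, which shows which module produced each record before the logs are handed to support. The sample rows are constructed from the thread's layouts with placeholder user and SHA1 fields, and the function names are hypothetical.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample modelled on the two export layouts quoted in the thread;
# the user name and SHA1 fields are placeholders.
SAMPLE = r"""Time;URL;Status;Application;User;IP address;SHA1
04/02/2020 10:01:06;https://mrodevicemgr.officeapps.live.com;Blocked by Anti-Phishing blacklist;C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe;HOST\user;52.109.76.40;<SHA1>
11/02/2020 18:21:01;https://mrodevicemgr.officeapps.live.com;Blocked by Parental control;C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe;HOST\user;52.109.76.40;<SHA1>
Time;Account;Group;URL;Matching URL;Category;Action performed
07/02/2020 11:50:21;NT AUTHORITY\SYSTEM;NT AUTHORITY\SYSTEM;https://mrodevicemgr.officeapps.live.com;mrodevicemgr.officeapps.live.com;Malware Distribution Point;Blocked by policy
"""


def parse_blocks(text):
    """Yield one dict per log row, keyed by whichever header line preceded it."""
    header = None
    reader = csv.reader(io.StringIO(text), delimiter=";", quoting=csv.QUOTE_NONE)
    for row in reader:
        if not row:
            continue
        if row[0] == "Time":          # a header line switches the layout
            header = row
        elif header and len(row) == len(header):
            yield dict(zip(header, row))
        # rows before any header, or with a wrong field count, are skipped


def summarise(text):
    """Count blocks per (hostname, blocking reason, process or account)."""
    counts = Counter()
    for rec in parse_blocks(text):
        host = urlsplit(rec["URL"]).hostname
        # First layout has a Status column; the second has Category + Action.
        reason = rec.get("Status") or f'{rec["Category"]} / {rec["Action performed"]}'
        actor = rec.get("Application") or rec["Account"]
        counts[(host, reason, actor.rsplit("\\", 1)[-1])] += 1
    return counts


def reasons_by_host(text):
    """Map each hostname to the sorted list of distinct blocking reasons."""
    out = {}
    for host, reason, _ in summarise(text):
        out.setdefault(host, set()).add(reason)
    return {h: sorted(r) for h, r in out.items()}


if __name__ == "__main__":
    for key, n in summarise(SAMPLE).most_common():
        print(n, *key, sep=" | ")
```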

This topic is now closed to further replies.