William Hudson, posted February 4, 2020:

I have suddenly started getting messages from NOD32 regarding blocked access to a Microsoft URL:

mrodevicemgr.officeapps.live.com

Does anyone know if this is really a phishing problem? Does blocking it upset MSOffice?

The URL is listed by Microsoft here @ https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

The full message I'm getting (from the log, so not pretty) is:

Time;URL;Status;Application;User;IP address;SHA1
04/02/2020 10:01:06;https://mrodevicemgr.officeapps.live.com;Blocked by Anti-Phishing blacklist;C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe;ORWELL\willi;52.109.76.40;24F5E9F445912D05C05A45AB17E11FBDFAAF2FBC

Marcos (Administrators), posted February 4, 2020:

It was a 3rd party FP, it's fixed now and we have also whitelisted the live.com domain to prevent similar FPs in the future.

William Hudson (Author), posted February 4, 2020:

Great, thanks for your speedy handling of this.

carl.henry, posted February 7, 2020:

We are getting this issue on multiple endpoints on Endpoint Security, 83 occurrences on my PC alone in 36 hours. Paste from the log below:

Time;Account;Group;URL;Matching URL;Category;Action performed
07/02/2020 11:50:21;NT AUTHORITY\SYSTEM;NT AUTHORITY\SYSTEM;https://mrodevicemgr.officeapps.live.com;mrodevicemgr.officeapps.live.com;Malware Distribution Point;Blocked by policy

Marcos (Administrators), posted February 7, 2020:

The hostname has been reclassified. It may take several hours for the change to take effect.

BigKevRobbo, posted February 9, 2020:

I'm still getting multiple block notifications on the grounds of Parental Control for this URL on full-blown ESET. Is this correct or is this going to be fixed? ESET is fully up to date.

Marcos (Administrators), posted February 9, 2020:

It was not a problem of Parental Control. The IP range is already whitelisted. Please post the appropriate records from logs.

Bugra Ceylan, posted February 10, 2020:

We're getting the same warning since yesterday:

More details
Hash: 0000000000000000000000000000000071374470
Uniform Resource Identifier (URI): https://mrodevicemgr.officeapps.live.com
Process name: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\16.0.12430.20184\OfficeClickToRun.exe
Event: An attempt to connect to URL
Rule: Blocked by Web control
Scanner: HTTP filter
Target address: 52.109.76.40

MartijnH, posted February 10, 2020:

I have the same problem, sometimes more times a day. What do I have to do about it?

Marcos (Administrators), posted February 10, 2020:

Please provide ELC logs from such a machine. Neither the hostname nor IP address appears to be blocked.

Bugra Ceylan, posted February 10, 2020:

27 minutes ago, Marcos said: "Please provide ESET Log Collector logs from such machine. Neither the hostname nor IP address appears to be blocked."

Where can I upload my logs securely?

Marcos (Administrators), posted February 10, 2020:

You can upload them here. Attachments can be accessed only by ESET staff. Alternatively you can upload them to OneDrive, Dropbox, etc. and drop me a personal message with a download link.

Bugra Ceylan, posted February 10, 2020:

Thanks Marcos, I just uploaded my logs here.

ees_logs.zip

Marcos (Administrators), posted February 10, 2020:

Thank you. The address is categorized as malicious by Web Control. We have reported miscategorization to the provider of the URL categorization database. In the meantime, creating a Web Control permissive rule and moving it on top of other Web Control rules should do the trick:

Bugra Ceylan, posted February 10, 2020:

Thanks for the info, I deployed the workaround rule as you described. Can you provide an update when the category is fixed?

Marcos (Administrators), posted February 10, 2020:

12 minutes ago, Bugra Ceylan said: "Thanks for the info, I deployed workaround rule as you described, can you provide an update when category is fixed?"

It seems the URL categorization provider has already fixed it. Now it may take up to 24 hours for the database to get updated on our servers.

pwatts2, posted February 11, 2020:

I am getting the same kind of repeat blocking with the message below. I think it might be blocking some of my files from updating to the Office 365 cloud. This happened today, several times.

Time;URL;Status;Application;User;IP address;SHA1
11/02/2020 18:21:01;https://mrodevicemgr.officeapps.live.com;Blocked by Parental control;C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe;DESKTOP-4MPP8AU\Windows;52.109.76.40;B772F61DD32164D43333AE54E17A3C88184E733B

Would appreciate some clarity about this.

Marcos (Administrators), posted February 20, 2020:

The date in your log is from Feb 11. Does the problem persist?
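
Added example, not part of the thread and not ESET tooling: a small parser for the two semicolon-delimited log layouts pasted above, which answers the "does the problem persist?" question by reporting the latest block for a host and the verdicts logged since a cutoff date. The sample rows are constructed in the shape of the posted logs (user and hash replaced with placeholders), the function names are hypothetical, and day-first timestamps are assumed.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in the two export layouts posted in the thread
# (user names and hashes replaced with placeholders).
FILTERED_SITES = r"""Time;URL;Status;Application;User;IP address;SHA1
04/02/2020 10:01:06;https://mrodevicemgr.officeapps.live.com;Blocked by Anti-Phishing blacklist;C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe;EXAMPLE\user;52.109.76.40;<sha1>
11/02/2020 18:21:01;https://mrodevicemgr.officeapps.live.com;Blocked by Parental control;C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe;EXAMPLE\user;52.109.76.40;<sha1>
"""
WEB_CONTROL = r"""Time;Account;Group;URL;Matching URL;Category;Action performed
07/02/2020 11:50:21;NT AUTHORITY\SYSTEM;NT AUTHORITY\SYSTEM;https://mrodevicemgr.officeapps.live.com;mrodevicemgr.officeapps.live.com;Malware Distribution Point;Blocked by policy
"""

def parse_export(text):
    """Parse a semicolon-delimited export into (time, host, verdict) tuples."""
    events = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        if not row.get("Time") or not row.get("URL"):
            continue  # skip blank or truncated lines
        # Assumption: timestamps are day-first, as in the posted logs.
        when = datetime.strptime(row["Time"], "%d/%m/%Y %H:%M:%S")
        host = urlsplit(row["URL"]).hostname or row["URL"]
        # The two layouts name the verdict column differently.
        verdict = row.get("Status") or row.get("Action performed") or ""
        if row.get("Category"):
            verdict += " (" + row["Category"] + ")"
        events.append((when, host.lower(), verdict))
    return events

def blocks_since(events, host, cutoff):
    """Count verdicts for `host` logged at or after `cutoff`."""
    return Counter(v for when, h, v in events if h == host and when >= cutoff)

def last_block(events, host):
    """Timestamp of the most recent block for `host`, or None."""
    times = [when for when, h, _ in events if h == host]
    return max(times) if times else None

if __name__ == "__main__":
    events = parse_export(FILTERED_SITES) + parse_export(WEB_CONTROL)
    host = "mrodevicemgr.officeapps.live.com"
    print("last block:", last_block(events, host))
    print(blocks_since(events, host, datetime(2020, 2, 7)))
```

Because the verdict string keeps the blocking module and category, the counts show which component is still producing blocks after a reclassification.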