Jump to content


Recommended Posts

Since last week I've had a lot of endpoints constantly reporting a detection of PUA MSIL/Microsoft.Bing.D through a URL of hxxp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/da017dea-34f8-4a9f-a3fd-27f1b9538600?P1=1713064064&P2=404&P3=2&P4=fulaPo4QR9S/WS3SD5GtKwD6I7rCD0ekRnphxx9HyVg4UoYv1w1QkB18QTqB+JSBXCC/d06MsUStOSDj6IWKVA== or similar

I'm wary of creating an exclusion and not having this detected so is there any way of resolving this? Is there any dialogue with Microsoft as I could see there was with the .A detection?

Link to comment
Share on other sites

  • Administrators

This probably happens because another Bing application was installed in the past (e.g. Bing Wallpaper). Do you remember allowing installation of such application? Isn't there a way to avoid downloading the above file? When is the detection triggered?

Link to comment
Share on other sites

There aren't any Bing applications or similar on the PCs as far as I can tell. The detection is triggered when the endpoint accesses that URL so I assume it is a Windows app updating, most likelt Edge


Potentially unwanted application MSIL/Microsoft.Bing.D was detected on computer cctv1

Detection type: Potentially unwanted application
Detection name: MSIL/Microsoft.Bing.D
Computer name: 
Computer static group hierarchy: /All/Endpoint Security
Logged user:
Time of occurrence: 4/9/24, 9:10:17 AM UTC
Scanner: HTTP filter
Action performed: Connection terminated

Link to comment
Share on other sites

  • Administrators

Edge may download updates with a Bing application included if a Bing application was installed in the past. You can either create a detection exclusion or contact Microsoft to find out why they include the Bing application in Edge updates.

Link to comment
Share on other sites

Microsoft has started changing the default search engine in Chromium browsers to Bing. This also means Chrome. This is what Eset is detecting as PUA activity and rightfully so.

Link to comment
Share on other sites

10 minutes ago, danjacoyle said:

From the log files on one of the endpoints

Same detection I received;


Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
4/2/2024 8:37:51 AM;Real-time file system protection;file;C:\Users\xxxxxx\AppData\Local\Temp\DODD22.tmp;a variant of MSIL/Microsoft.Bing.D potentially unwanted application;deleted;NT AUTHORITY\SYSTEM;Event occurred on a file modified by the application: C:\Windows\System32\svchost.exe (445F5F38365AF88EC29B357F4696F0E3EE50A1D8).;1E908ED6CF873C77790C7EE03CE1673BF2850B92;


Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...