danjacoyle 0 Posted April 8, 2024

Since last week I've had a lot of endpoints constantly reporting a detection of PUA MSIL/Microsoft.Bing.D through a URL of

hxxp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/da017dea-34f8-4a9f-a3fd-27f1b9538600?P1=1713064064&P2=404&P3=2&P4=fulaPo4QR9S/WS3SD5GtKwD6I7rCD0ekRnphxx9HyVg4UoYv1w1QkB18QTqB+JSBXCC/d06MsUStOSDj6IWKVA==

or similar. I'm wary of creating an exclusion and not having this detected, so is there any way of resolving this? Is there any dialogue with Microsoft, as I could see there was with the .A detection?

Administrators Marcos 5,733 Posted April 8, 2024

This probably happens because another Bing application was installed in the past (e.g. Bing Wallpaper). Do you remember allowing installation of such an application? Isn't there a way to avoid downloading the above file? When is the detection triggered?

danjacoyle 0 Author Posted April 9, 2024

There aren't any Bing applications or similar on the PCs as far as I can tell. The detection is triggered when the endpoint accesses that URL, so I assume it is a Windows app updating, most likely Edge.

NEW NOTIFICATION
Potentially unwanted application MSIL/Microsoft.Bing.D was detected on computer cctv1
Detection type: Potentially unwanted application
Detection name: MSIL/Microsoft.Bing.D
Computer name:
Computer static group hierarchy: /All/Endpoint Security
Logged user:
Time of occurrence: 4/9/24, 9:10:17 AM UTC
Scanner: HTTP filter
Action performed: Connection terminated

Administrators Marcos 5,733 Posted April 9, 2024

Edge may download updates with a Bing application included if a Bing application was installed in the past. You can either create a detection exclusion or contact Microsoft to find out why they include the Bing application in Edge updates.

itman 1,921 Posted April 9, 2024

Microsoft has started changing the default search engine in Chromium browsers to Bing. This also means Chrome. This is what Eset is detecting as PUA activity and rightfully so.

danjacoyle 0 Author Posted April 9, 2024

From the log files on one of the endpoints -

itman 1,921 Posted April 9, 2024

10 minutes ago, danjacoyle said:
From the log files on one of the endpoints

Same detection I received;

Quote
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
4/2/2024 8:37:51 AM;Real-time file system protection;file;C:\Users\xxxxxx\AppData\Local\Temp\DODD22.tmp;a variant of MSIL/Microsoft.Bing.D potentially unwanted application;deleted;NT AUTHORITY\SYSTEM;Event occurred on a file modified by the application: C:\Windows\System32\svchost.exe (445F5F38365AF88EC29B357F4696F0E3EE50A1D8).;1E908ED6CF873C77790C7EE03CE1673BF2850B92;

Administrators Marcos 5,733 Posted April 9, 2024

Most likely related to this: https://www.neowin.net/news/microsoft-is-once-again-harassing-chrome-users-with-malware-like-bing-ads/. Discussed also on Reddit: https://www.reddit.com/r/computerviruses/comments/18g8w8a/new_version_of_bgaupsell_adware/