Windows Delivery Optimization creating Suspicion of identity theft based on abnormal behavior alerts

  • Question

  • Hi,

    We installed ATA about a month and a half ago, and we recently began to receive numerous "Suspicion of identity theft based on abnormal behavior" alerts that show computers with Windows 10 installed accessing other computers in their LAN via SMB (CIFS).

    After investigating this and finding nothing of interest, I searched online and found an article that suggests that these accesses are caused by having Windows Delivery Optimization enabled on your network (it is enabled on our network).

    The article suggests that the peer discovery method used in Delivery Optimization might use port 445.

    Can you confirm this?

    Tuesday, June 18, 2019 10:17 AM

All replies

  • No, we checked this option with the Delivery Optimization team, but they stated that they don't use CIFS, so it can't be it.
    Tuesday, June 18, 2019 8:35 PM
  • First of all, thank you for your quick response!

    Secondly, do you have any idea what might be causing these connections to other computers in subnet?

    As I already wrote, we have multiple alerts that show several Windows 10 stations accessing computers in their subnet (to HOST and then to CIFS, or CIFS only) at the same time, and this is classified as access to abnormal resources.

    Wednesday, June 19, 2019 11:44 AM
  • No idea.

    But if it's ongoing, you can try to catch a network trace of it in action; that might help...

    Which ATA version is it? Did you upgrade to 1.9 Update 2 already?

    If not, I advise doing so soon; we fixed some abnormal accuracy issues in this update that MIGHT help.

    Wednesday, June 19, 2019 12:23 PM
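One way to act on the "catch a network trace of it in action" suggestion above, as an added example that is not part of the thread and not Microsoft's code: on one of the Windows 10 stations named in an alert, tie each live SMB session (TCP 445) to the process that owns it, list Delivery Optimization peer sessions separately (DO peer-to-peer traffic uses TCP 7680, plus Teredo UDP 3544 for internet peers, not 445), read the policy-configured DO download mode, and start a packet capture to hand over with the alert. The output path C:\Temp\smb_trace.etl is an assumption; run this in an elevated PowerShell session.

```powershell
# Added triage example (not from the thread): who is opening SMB sessions from this host?
# Assumes an elevated PowerShell 5.1 session on Windows 10; C:\Temp is an assumed output path.

# 1. Established outbound SMB (TCP 445) sessions, mapped to their owning process.
#    A Windows 10 station that really is "accessing computers in its subnet" shows up here
#    with the process responsible (e.g. explorer.exe for a user browsing a share, or a
#    service/agent doing inventory), which is the evidence the alert itself does not give.
function Get-SmbSessionOwner {
    Get-NetTCPConnection -RemotePort 445 -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                LocalPort     = $_.LocalPort
                PID           = $_.OwningProcess
                Process       = if ($proc) { $proc.ProcessName } else { '<exited>' }
                CreationTime  = $_.CreationTime
            }
        }
}

# 2. Delivery Optimization peer sessions (TCP 7680) listed on their own, so DO activity
#    can be compared against the SMB sessions rather than blamed for them.
function Get-DoPeerSession {
    Get-NetTCPConnection -RemotePort 7680 -ErrorAction SilentlyContinue |
        Select-Object RemoteAddress, State, OwningProcess, CreationTime
}

# 3. Policy-configured DO download mode (1 = LAN peering, 2 = group, 3 = internet peers,
#    0/99/100 = no peering). An absent value means no policy is set and the local default applies.
function Get-DoDownloadModePolicy {
    $doKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $mode  = (Get-ItemProperty -Path $doKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
    if ($null -eq $mode) { 'not set by policy' } else { $mode }
}

"--- Established SMB (445) sessions and owning processes ---"
Get-SmbSessionOwner | Format-Table -AutoSize
"--- Delivery Optimization peer (7680) sessions ---"
Get-DoPeerSession | Format-Table -AutoSize
"--- DODownloadMode (policy): $(Get-DoDownloadModePolicy)"

# 4. Packet-level trace to attach to the ATA case. Leave it running while the alert
#    recurs, then stop with: netsh trace stop
#    The resulting .etl opens in Message Analyzer or can be converted with etl2pcapng.
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
netsh trace start capture=yes tracefile=C:\Temp\smb_trace.etl maxsize=256 overwrite=yes
```

The three functions are the part worth keeping in a toolbox: run Get-SmbSessionOwner on the source host at the time ATA reports the access, and the process name plus remote address either explains the session (a user, a management agent) or gives you a lead the alert lacks.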
  • Hi,

    We installed the update and haven't gotten any more of these events since, so I guess it worked :)

    Thanks for your help!

    Monday, June 24, 2019 5:00 PM