Many false positives "Suspicion of identity theft based on abnormal behavior" because of new Windows Updates feature

  • Question

  • Getting a bunch of false positives of "identity theft" based upon abnormal workstations that users are accessing.  Why do we know they are false positives?  The source workstation in every alert was doing Windows Updates right when the alert hit.  The alerts say the workstation usually accesses 30-40 other workstations over CIFS.

    So...this is actually normal behavior for Windows Updates with this new feature: "Windows Update Delivery Optimization". The feature is available on Windows 10 only (which is the OS in all of our alerts). Check out this for more info on this feature: https://privacy.microsoft.com/en-us/windows-10-windows-update-delivery-optimization

    The Windows Update feature makes the workstation reach out to other workstations for its updates instead of going over the internet. That's the problem. That's what's generating the list of abnormal workstations accessed.

    Any ideas on how to "teach" ATA that this is normal?

    Friday, April 21, 2017 6:47 PM

All replies

  • I think the best thing to do would be to open an ATA support case.  If  this normal behavior with Delivery Optimization for Windows Updates is causing the alerts, they should be able to fix this for everybody.

    Nash Pherson, Senior Systems Consultant
    Microsoft MVP in Enterprise Mobility (ConfigMgr/Intune)
    Now Micro - MyITForum Blog Posts - Now Micro Blog Posts

    Friday, April 21, 2017 9:49 PM
  • We're seeing the same here. 

    There are actually a few concerns for us with Delivery Optimization (beyond false positives from ATA and Netflow analysis).

    1) The peer assignment algorithm seems to use a Windows cloud service to determine who your "neighbors" are. I'm still trying to determine how much data this service has about our endpoints.

    2) There are also performance implications for some network topologies:

    One other tweak to consider: Instead of using the default “LAN” download mode, you may want to instead use the “Group” download mode. The “LAN” mode identifies PCs that are on the same LAN by looking at their external IP address – all PCs going through the same internet IP (through a proxy server or router) are considered to be on the same “LAN.” But if you’re a typical large enterprise, your “LAN” might be made up of a bunch of different LAN segments with WAN connections between them, with all internet traffic funneled back to a central location that has a connection to the internet.

    Monday, April 23, 2018 3:46 PM
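Added example, not from any post in this thread: a PowerShell snippet that reads the Delivery Optimization download-mode policy on a Windows 10 host and can switch it from "LAN" (1) to "Group" (2) as the reply above suggests, so peer traffic is confined to machines that share a DOGroupId instead of every PC behind the same external IP. The policy key and the DODownloadMode/DOGroupId values are the documented Delivery Optimization policy settings; the GUID shown is a placeholder you must replace with one of your own.

```powershell
# Delivery Optimization policy location (documented policy registry path)
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# Documented DODownloadMode values and what they allow
$Modes = @{
    0   = 'HTTP only (no peering)'
    1   = 'LAN (peers that share the same external IP)'
    2   = 'Group (peers that share the same DOGroupId)'
    3   = 'Internet (peers on the internet)'
    99  = 'Simple (no peering, no DO cloud service)'
    100 = 'Bypass (use BITS instead of DO)'
}

function Get-DoPolicyMode {
    # Returns the policy-enforced download mode, or $null when no policy is set
    $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.DODownloadMode) { return $null }
    return [int]$item.DODownloadMode
}

function Set-DoGroupMode {
    param([Parameter(Mandatory)][guid]$GroupId)
    # Run from an elevated shell. Every machine that should peer together
    # (for example one site or LAN segment) must be given the same DOGroupId.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name DODownloadMode -Value 2 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name DOGroupId -Value $GroupId.ToString() -Type String
}

# Report the current state so the effect on peer-to-peer CIFS/HTTP traffic is clear
$mode = Get-DoPolicyMode
if ($null -eq $mode) {
    Write-Output 'No DODownloadMode policy set; the edition default applies (LAN mode in the post above).'
} else {
    Write-Output ('Policy DODownloadMode = {0}: {1}' -f $mode, $Modes[$mode])
}

# To move this host to Group mode, uncomment and use your own per-site GUID
# (the value below is a placeholder, not a real group id):
# Set-DoGroupMode -GroupId ([guid]'00000000-0000-0000-0000-000000000000')
```

Deploying the same setting through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization) is the practical route at scale; the script is useful for checking what a single alerting workstation is actually configured with.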