
Windows 10 inject "telemetry" packages in third-party software internet traffic?


melek


Hi.

 

First of all I want to say that I like Windows 10, but I categorically do not accept any kind of data leak in it. At first, I used only the tweaker O&O ShutUp 10 to block the telemetry. But later I realized that was not enough, so I totally blocked, with the firewall, all traffic from my computer except the Firefox browser and the torrent client qBittorrent. At last I got what I wanted. Any connection with the Windows services on the Internet became impossible.

But a week ago, I began to notice in the firewall logs that the browser and the torrent client connected to the IP addresses that the Windows service uses.

 

104.81.60.XX

2.22.52.XX

 

How is that even possible? Is Windows so sneaky that it uses some kind of "man-in-the-middle attack", where the OS itself performs the role of the attacker and injects its packages into the online traffic of third-party applications? I do not know how to block such a thing. After all, these may not be the only IP addresses with which it is linked in this way.


The IP addresses seem to belong to Akamai Technologies in Poland, which seems normal as the nearest CDN to your location.

Internet Explorer add-ons use Akamai Technologies too. Try blocking explorer.exe from the Internet and see if it helps.



What firewall are you using? Sounds like you're having loopback issues. And yes, it's possible; I have seen some software do this, but I have never had a problem with Microsoft doing this before. With my current setup I just block everything it calls out, and no loopback through other programs.



I use two firewalls: the standalone "Windows 10 Firewall Control" and the built-in firewall of Eset Smart Security 9.

 

This is my setup for both firewalls:

DHCP          UDP           Direction "Both"       Port 67, 68        svchost.exe
DNS           TCP and UDP   Direction "Outgoing"   Port 53            svchost.exe
UPNP          TCP and UDP   Direction "Outgoing"   Port 1900          svchost.exe
                                                   239.255.255.250
qBittorrent   TCP and UDP   Direction "Both"                          qbittorrent.exe
Firefox       TCP and UDP   Direction "Outgoing"   Port 80, 443       firefox.exe
 
Everything else is completely blocked.


  • Administrator

If your torrent client is connecting to these IPs, it's possible that they are fake seeders / leechers. IP blockers probably block these connections. It could also be the case, as mentioned above, that someone is using their services to seed / leech torrents and such.



You also need to keep in mind that not all the telemetry is sent daily. Some only connects weekly, or monthly, or quarterly, etc. So you can never stop watching for these connections if you want to catch them all. Also, updates are known to change or modify the connections to avoid blockers. It is a never-ending battle.



These IP addresses are attempting to connect to any third-party application that has access to the Internet. If the application is limited to connecting to a specific IP, it still tries to connect to the addresses that I have mentioned. Connections do not occur regularly. But the strangest thing is that it can occur when you visit a site which is located on an Akamai server.


Both subnets 2.22.52.0/24 & 104.81.60.0/23 belong to Akamai: https://stat.ripe.net/2.22.52.1#tabId=at-a-glance

 

Akamai sells their CDN (Content delivery network) to anyone. It doesn't have to be something related to MS.

I even saw some Apple services going over the Akamai network in the past. 

 

Even you can host your stuff on their servers if you have enough money ;) They also sell other products, so it could be anything.



I had a case when a just-installed qBittorrent, immediately at the first start, connected to the server 104.81.60.80. On top of that, in the firewall logs, 15 minutes before this svchost.exe tried to connect to the same server. I do not believe in coincidences. Windows uses any network connection to send its own packages. It injects them into the traffic of applications that have open access to the Internet. All traffic on the computer in any event passes through its service.



knowledge-Spammer
16 minutes ago, melek said:

I had a case when a just-installed qBittorrent, immediately at the first start, connected to the server 104.81.60.80. On top of that, in the firewall logs, 15 minutes before this svchost.exe tried to connect to the same server. I do not believe in coincidences. Windows uses any network connection to send its own packages. It injects them into the traffic of applications that have open access to the Internet. All traffic on the computer in any event passes through its service.

I have seen this before. It's not just qBittorrent that does this, lots of programs do this. It's a pain.

Try Spybot Anti-Beacon, it may help.



It's normal to connect to the nearest CDN. You can choose to block these connections, but you may lose speed and/or have a higher ping, I think.

I'm also concerned about the benefits of using both the Win10 built-in firewall and Eset. It's redundant, takes resources, and it's pretty much useless to my knowledge. Eset is already well integrated through a driver on top of each network adapter, so I don't see why the Win10 firewall would do anything more.



10 hours ago, knowledge said:

I have seen this before. It's not just qBittorrent that does this, lots of programs do this. It's a pain.

Try Spybot Anti-Beacon, it may help.

 

Thank you. I'll try. Although the concern is that the program was last updated 9/11/2015.

I tested the program. It does not matter; Firefox still makes connections with Akamai servers, although I did not visit websites that are hosted on those servers.
So far, the only solution is to block a range of addresses in the firewall:
104.81.0.0-104.81.255.255
2.22.0.0-2.22.255.255
96.17.0.0-96.17.255.255
 
5 hours ago, tiliarou said:

It's normal to connect to the nearest CDN. You can choose to block these connections, but you may lose speed and/or have a higher ping, I think.

I'm also concerned about the benefits of using both the Win10 built-in firewall and Eset. It's redundant, takes resources, and it's pretty much useless to my knowledge. Eset is already well integrated through a driver on top of each network adapter, so I don't see why the Win10 firewall would do anything more.

Windows 10 Firewall Control:

 

http://www.sphinx-soft.com/Vista/order.html
Very good firewall. It warns when any application wants access to the Internet. It perfectly complements the ESET firewall.


Archived

This topic is now archived and is closed to further replies.
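
Added example, not written by any participant in the thread: it takes the two prefixes named in the RIPEstat reply (2.22.52.0/24 and 104.81.60.0/23) and the three start-end ranges from the final block rule, converts the ranges to CIDR, and labels per-process firewall log entries by which set covers them. The log entries and the function names are constructed for illustration; only the prefixes, ranges and 104.81.60.80 come from the thread.

```python
import ipaddress
from collections import defaultdict

# Prefixes named in the thread's RIPEstat reply.
OBSERVED_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("2.22.52.0/24", "104.81.60.0/23")]

# Start-end ranges from the block rule quoted in the last post.
BLOCK_RANGES = [
    ("104.81.0.0", "104.81.255.255"),
    ("2.22.0.0", "2.22.255.255"),
    ("96.17.0.0", "96.17.255.255"),
]

# Constructed sample log entries (process, destination IP); not captured data.
SAMPLE_LOG = [
    ("svchost.exe", "104.81.60.80"),
    ("qbittorrent.exe", "104.81.60.80"),
    ("firefox.exe", "2.22.52.17"),
    ("firefox.exe", "93.184.216.34"),
    ("qbittorrent.exe", "96.17.10.5"),
]

def ranges_to_cidr(ranges):
    """Convert start-end ranges into the minimal list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets

def classify(log, observed, blocked):
    """Group destinations per process and label which set covers each one."""
    report = defaultdict(list)
    for process, dest in log:
        ip = ipaddress.ip_address(dest)
        if any(ip in net for net in observed):
            label = "observed-prefix"
        elif any(ip in net for net in blocked):
            label = "blocked-only"
        else:
            label = "unmatched"
        report[process].append((dest, label))
    return dict(report)

def overblock_factor(observed, blocked):
    """Ratio of addresses covered by the block rule to the observed prefixes."""
    return (sum(n.num_addresses for n in blocked)
            / sum(n.num_addresses for n in observed))

if __name__ == "__main__":
    blocked = ranges_to_cidr(BLOCK_RANGES)
    print([str(n) for n in blocked], overblock_factor(OBSERVED_PREFIXES, blocked))
    for proc, hits in classify(SAMPLE_LOG, OBSERVED_PREFIXES, blocked).items():
        print(proc, hits)
```

Grouping by process shows the same destination appearing under several programs, and the ratio shows how much wider the three /16 blocks are than the prefixes that were actually looked up.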
