
recent msftsrvcs.vo.llnwi.net issues?


#1 hrob02



Posted 13 February 2015 - 04:59 AM

Hello bc.com!


Avast has been blocking ic.5ddaabcf.0a7048.1.msftsrvcs.vo.llnwi.net/c/msdownload/update/software/defu/2... for me lately, and upon searching for this (only got real results by searching for "msftsrvcs") I found only one discussion on it: https://live.paloaltonetworks.com/thread/12530 titled "Massive spyware spike in URL that likely isn't malicious".


Don't know who those guys are, and I'm surprised not to see any threads on this yet on the big computer help/anti malware forums (at least there weren't when I searched).




user jim smith (at that link I mentioned) posted yesterday:


We too are seeing this traffic.

Appears related to checking for Microsoft updates (Server 2012 r2)


Software Version 6.1.2
Application version 486-2571 (02/12/15)
Threat Version 486-2571 (02/12/15)
Antivirus Version 1485-1960 (02/12/15)
URL Filtering version 4472


Excerpt from capture...

ethertype IPv4 (0x0800),
length 114: (tos 0x0, ttl 127, id 5002, offset 0, flags [none], proto: UDP (17), length: 100)
xxx.xxx.xxx.xxx.59649 >  40768+ [1au] A? ic.4171f066.0ea0a3.6.msftsrvcs.vo.llnwi.net. (72)



I don't have any slowdowns or any obvious issues myself, so I thought I'd ask if anyone here knows if that msftsrvcs.vo etcetc address is legitimate and the whole thing is just some false positive.





#2 Aura



Posted 13 February 2015 - 06:38 AM

It indeed looks like a server related to Windows Updates. It could be a new one that avast! isn't aware of yet (therefore, not whitelisted), or the updates it's trying to download look suspicious so it's blocking them. It wouldn't be the first time that an Antivirus blocks Windows Updates URLs or packages from downloading. The thread you linked is only a day old, and all the other websites that came back in my Google Search were updated a few days (5-6) ago as well. Looks like it's brand new.


I would wait another 24 hours or 48 and see if the thread you linked gets more replies, or if we get new information on that URL.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
