What anti-virus product or device is responsible for this activity?


At $dayjob, we place a file (an .exe file) on our website and direct a
customer at an ivy-league new-england university to download the file.  
We put a link to the file in an email and send it to his university
account.

Our webserver logs indicate the following IPs made requests for the
.exe file from our server at the times given:

===================
At 11:37 am:

54.190.125.164    ec2-54-190-125-164.us-west-2.compute.amazonaws.com
148.251.79.98    static.98.79.251.148.clients.your-server.de
148.251.79.98    static.98.79.251.148.clients.your-server.de
54.190.239.12    ec2-54-190-239-12.us-west-2.compute.amazonaws.com

At 11:43 am:
        
a.b.c.d        Ivy-League University (we presume this is our customer)        
====================

We then create a duplicate of the .exe file, but change the extension to
.gif, and again send a link to the .gif to the customer via email.  We
then note the following hits to the .gif file:

====================
12:13 pm:
        
54.145.149.186    ec2-54-145-149-186.compute-1.amazonaws.com
148.251.79.151    static.151.79.251.148.clients.your-server.de
148.251.79.151    static.151.79.251.148.clients.your-server.de
54.188.241.212    ec2-54-188-241-212.us-west-2.compute.amazonaws.com
=====================

Because I've seen those IPs performing what I think are unauthorized
access to our website in the past, I have them blocked from being able
to download anything.  So their attempts to download the file in
question were denied.

Also, either the customer at the University didn't get the second email,
or didn't act on it (the logs don't show any attempt from an IP at the
University to download the .gif file).

We then perform a .zip compression on the gif file, and password protect
the file.  We send an email to the customer describing how to download
the .zip file but don't actually spell out the URL to the file in the
email.  

We don't see any attempt to download the .zip file.  Again we don't know
if the customer got this third email or not, but it appears that by not
including the exact URL in the email the amazon and "your-server.de"
hosts were not made aware of the existence of this file (and hence made
no attempt to download it).

The next day we see the following:

=================
104.42.198.99    MSFT    15:58
104.42.198.99    MSFT    16:01
=================

That IP does not resolve to any host-name, but the IP is assigned to
Micro$haft.  The request was for the .exe file (and the request was
denied).

So to me it looks like an email scanning security product is running
either at the University or on the customer's PC, and this product is
scanning email messages looking for URLs and is performing a remote
access of the URL through a remote host(s), in this case machines
operated by amazon and "your-server.de" (Hetzner Online GmbH).

Does anyone know of such a security product or network security device
that utilizes distributed access to remote systems hosted by amazon or
hetzner?

Also, any ideas about the nature of the hit to the file from an MSFT IP?
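The pattern the poster is describing (several unrelated cloud hosts fetching a freshly emailed URL within seconds of each other, minutes before the human recipient does) is easy to pick out of a web server access log once you know to look for it. The script below is an added example for readers of this thread, not code from the original poster; it parses combined-format log lines, separates hits on the emailed path into "recipient network" and "everyone else", and flags the burst-before-the-human signature. The log lines, the send times, the date, the paths `/dl/tool.exe` and `/dl/tool.gif`, and the address `192.0.2.10` standing in for the customer's university machine are all constructed for the example; the scanner addresses are the ones quoted in the post.

```python
import re
import ipaddress
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log line.  The field layout is an assumption about
# the poster's log format; adjust the regex if your server logs differently.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log modelled on the timings in the post.  192.0.2.10
# (RFC 5737 documentation space) stands in for the customer's university
# address, which the post does not give; the other addresses are from the post.
SAMPLE_LOG = """\
54.190.125.164 - - [10/Mar/2016:11:37:02 -0500] "GET /dl/tool.exe HTTP/1.1" 403 199 "-" "Mozilla/5.0"
148.251.79.98 - - [10/Mar/2016:11:37:03 -0500] "GET /dl/tool.exe HTTP/1.1" 403 199 "-" "Mozilla/5.0"
148.251.79.98 - - [10/Mar/2016:11:37:03 -0500] "GET /dl/tool.exe HTTP/1.1" 403 199 "-" "Mozilla/5.0"
54.190.239.12 - - [10/Mar/2016:11:37:05 -0500] "GET /dl/tool.exe HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2016:11:43:10 -0500] "GET /dl/tool.exe HTTP/1.1" 200 524288 "-" "Mozilla/5.0"
54.145.149.186 - - [10/Mar/2016:12:13:01 -0500] "GET /dl/tool.gif HTTP/1.1" 403 199 "-" "Mozilla/5.0"
148.251.79.151 - - [10/Mar/2016:12:13:02 -0500] "GET /dl/tool.gif HTTP/1.1" 403 199 "-" "Mozilla/5.0"
148.251.79.151 - - [10/Mar/2016:12:13:02 -0500] "GET /dl/tool.gif HTTP/1.1" 403 199 "-" "Mozilla/5.0"
54.188.241.212 - - [10/Mar/2016:12:13:04 -0500] "GET /dl/tool.gif HTTP/1.1" 403 199 "-" "Mozilla/5.0"
104.42.198.99 - - [11/Mar/2016:15:58:40 -0500] "GET /dl/tool.exe HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ip"] = ipaddress.ip_address(e["ip"])
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def classify_hits(entries, path, sent_at, recipient_nets, window=timedelta(minutes=30)):
    """Split requests for `path` made within `window` after the e-mail was sent
    into hits from the recipient's networks and hits from anyone else.

    Returns a dict with:
      scanner_hits   - (ip, timestamp) pairs from outside the recipient's networks
      recipient_hits - the same for the recipient's networks
      lead_seconds   - how long the first outside hit preceded the recipient's
                       first download, or None if the recipient never fetched it
    """
    nets = [ipaddress.ip_network(n) for n in recipient_nets]
    scanner, recipient = [], []
    for e in entries:
        if e["path"] != path or not (sent_at <= e["ts"] <= sent_at + window):
            continue
        hit = (e["ip"], e["ts"])
        if any(e["ip"] in n for n in nets):
            recipient.append(hit)
        else:
            scanner.append(hit)
    scanner.sort(key=lambda h: h[1])
    recipient.sort(key=lambda h: h[1])
    lead = None
    if scanner and recipient:
        lead = (recipient[0][1] - scanner[0][1]).total_seconds()
    return {"scanner_hits": scanner, "recipient_hits": recipient, "lead_seconds": lead}


def looks_like_link_scanner(result, burst=timedelta(seconds=60), min_sources=2):
    """Heuristic from the post: at least `min_sources` distinct outside hosts
    fetch the same fresh URL within one `burst` window, and they do so before
    the human recipient (or the recipient never fetches it at all)."""
    hits = result["scanner_hits"]  # already sorted by timestamp
    before_human = result["lead_seconds"] is None or result["lead_seconds"] > 0
    for i, (_, start) in enumerate(hits):
        sources = {ip for ip, ts in hits[i:] if ts - start <= burst}
        if len(sources) >= min_sources:
            return before_human
    return False


def analyse_sample():
    """Run the poster's .exe and .gif experiments against the constructed log."""
    tz = timezone(timedelta(hours=-5))
    entries = parse_log(SAMPLE_LOG)
    nets = ["192.0.2.0/24"]  # constructed stand-in for the university's range
    exe = classify_hits(entries, "/dl/tool.exe", datetime(2016, 3, 10, 11, 35, tzinfo=tz), nets)
    gif = classify_hits(entries, "/dl/tool.gif", datetime(2016, 3, 10, 12, 10, tzinfo=tz), nets)
    return exe, gif


if __name__ == "__main__":
    for name, r in zip(("tool.exe", "tool.gif"), analyse_sample()):
        print(f"{name}: {len(r['scanner_hits'])} outside hits from "
              f"{len({ip for ip, _ in r['scanner_hits']})} hosts, "
              f"recipient hits={len(r['recipient_hits'])}, lead={r['lead_seconds']}, "
              f"link-scanner pattern={looks_like_link_scanner(r)}")
```

The classifier deliberately keys on timing and source diversity rather than on a fixed list of Amazon or Hetzner addresses, because a scanning service can move between cloud ranges at any time; a more robust version would additionally check that the outside hits arrived well before the message could plausibly have been read, which is what the `lead_seconds` value records. The 24-hour-later hit from the Microsoft range falls outside the 30-minute window and is therefore not counted as part of the burst, matching the poster's treatment of it as a separate event.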

Re: What anti-virus product or device is responsible for this activity?



It COULD be scanning for malware. I suggest trying an
extension that could not possibly contain malware, and if they attempt
to download that, it's just plain spying/datamining your private
stuff.
WOW, that would be a surprise !!!
[]'s
--  
Don't be evil - Google 2004
We have a new policy  - Google 2012
