Endpoint Protection

  • 1.  Is r20swj13mr.microsoft.com legitimate?

    Posted Oct 28, 2016 07:18 PM

    We recently noticed intermittent HTTPS traffic over port 443 from Internet Explorer 11 to the URL r20swj13mr.microsoft.com.  We've since run full AV scans that did not detect any risks.   

    Does anyone know if this is a legitimate site?   It uses the Microsoft domain but looks odd.  We've researched the site but are unable to find anything definitive.  Is the site associated with any viruses or malware?

    We'll apologise in advance if we've posted to the wrong forum.

    Thanks,

    Wally

     



  • 2.  RE: Is r20swj13mr.microsoft.com legitimate?
    Best Answer

    Posted Oct 28, 2016 08:07 PM

    It's a Microsoft domain. Everything I've checked shows it to be legit.



  • 3.  RE: Is r20swj13mr.microsoft.com legitimate?
    Best Answer

    Posted Oct 29, 2016 03:31 PM

    Thanks Brian. We noticed that it appeared the first time that Internet Explorer was executed after putting on the October, 2016 Security Only maintenance.  It may have always been there - it's just one of those things that popped out when we were testing.  We haven't seen it since.  Could be some Windows telemetry dialing home.  

    We've researched also.  Seems legit to us too, but no one seems to know what it is or "why"? 

    We'll give you the solution with the caveat "buyer beware".   We're not attesting that it is or is not legitimate given the lack of information available to us at this time. 



  • 4.  RE: Is r20swj13mr.microsoft.com legitimate?
    Best Answer

    Posted Oct 31, 2016 06:38 PM

    Update - looks like the traffic is related to either CEIP or Internet Explorer automatically checking for updates.   Both can be managed by GPO.

    Windows - Computer Configuration > Administrative Templates > System > Internet Communications Management > Internet Communication Settings

    Internet Explorer - Computer Configuration > Administrative Templates > Windows Components > Internet Explorer

     

    Still don't know what r20swj13mr.microsoft.com is used for, but it appears that it can be managed/turned off.



  • 5.  RE: Is r20swj13mr.microsoft.com legitimate?

    Posted Nov 17, 2016 06:00 PM

    Disregard the comments about turning it off with GPO.   We're still seeing it from time to time.



  • 6.  RE: Is r20swj13mr.microsoft.com legitimate?

    Posted Nov 18, 2016 04:52 PM

    The traffic to r20swj13mr.microsoft.com appears to only occur the first time that Internet Explorer 11 is opened after the monthly IE Microsoft patch(es) is/are applied.  That seems to be the only time we see it and then not every time.

    We see traffic over TCP port 443 to r20swj13mr.microsoft.com twice upon opening IE.  One session for the 32-bit instance and one session for the 64-bit instance.

    It may have always done this - maybe we are just noticing it. 

    It would be interesting to know what r20swj13mr.microsoft.com is used for.

    I guess that we can always block it at the firewall or hosts file.