Data Security: Cloud service data-pulls without any external services configured

Discussion in 'General Discussion' started by Tensington, Aug 27, 2017.

  1. Tensington

    There's no way I've found to determine what application or service is causing the periodic green & white icon overlays on the Win 10 desktop which indicate that a file, or a folder's contents, have been cloned and transferred out.

    I thought I'd disabled SkyDrive or OneDrive or TwoDrive or whatever Microsoft is calling their backup/spy service. I had installed Dropbox but pretty sure I successfully prevented it from autostarting any exe or service.

    If anyone has an app that, with one click, will deny all such data-theft executables and all such services from starting, I'll buy it.
     
    Tensington, Aug 27, 2017
    #1

  2. Norton

    You trust the Cloud. Check "How updates are delivered"; you could be updating other PCs on the internet. I've pulled the plug on my DSL connection more than once because of extra terrestrial activity. I have never found out what data was being uploaded.
     
    Norton, Aug 27, 2017
    #2
    Tensington likes this.

  3. Tensington

    Thanks. The only autoupdating I do is for daily antivirus signatures, incoming to my one machine only. These green and white checkmarks on my desktop are less frequent than that, and don't seem associated with any logged activity. I can see by looking at router logs for example that my Malwarebytes or ClamAV strings-update has been let in, without anything outgoing except the request for that. I don't keep a packet capture running but maybe I ought to do so. Just hoping someone has a simpler answer requiring no advanced analysis.

    I ought to mention I also have ZoneAlarm firewall software installed and I've gotten no alerts prior to one of these desktop checkmark attacks.
     
    Last edited: Aug 27, 2017
    Tensington, Aug 27, 2017
    #3
  4. Tensington

    Also, I didn't realize that there's a Security forum. Sorry. If an admin sees this & wants to move it from General Win10 Discussion that'd be fine.
     
    Tensington, Aug 27, 2017
    #4
  5. Norton

    I firmly believe the outgoing activity is MS collecting machine data. I have most if not all apps disabled, Cortana too. I can see the outgoing on my router, but failed to identify the data thief.
     
    Norton, Aug 27, 2017
    #5
    Tensington likes this.
  6. Tensington

    You're probably right. I see in router logs incoming connect attempts and UDP requests from MS (40.*.*.* addresses) every several seconds all the time, and it could be that every random once-in-awhile their polling results in the SkyDrive pull acknowledgement (desktop icon overlays) -- even though there's no active SkyDrive or other cloud account active (and I'm told any successful upload from non-MS clouds is signalled in that same way).

    I just wish there was a way to know but that would require transparency. MS = opaque.
     
    Tensington, Aug 27, 2017
    #6
  7. Trouble Noob Whisperer Moderator

    Is this what you are talking about?

    Capture.PNG

    IF so it is associated with One Drive and it's syncing local data with your cloud account storage.
    You can simply right click the One Drive icon in the system tray and choose "Settings" and under the "Account" tab use the "Choose folders" button to adjust what is or is not sync'd.

    https://support.office.com/en-US/ar...OneDrive-f32a17ce-3336-40fe-9c38-6efb09f944b0
     
    Trouble, Aug 27, 2017
    #7
    Norton likes this.
  8. Tensington

    Sorry if I was unclear that I'd been through all that and subsequently discovered 1) that Windows 10 does that when other, non-OneDrive cloud sync/backup data storage systems (which use some MS API, I guess?) run, as well; and 2) it was still happening even after repeatedly taking all measures to disable One Drive entirely, which your copypasted instructions would not achieve. And I never did set up an Account with One Drive at all, as you suggest.

    Was I in fact unclear to you?

    People ought to know what I'm talking about if they ever look at their desktops; this clearly must happen all the time. People are just used to it?
     
    Tensington, Aug 27, 2017
    #8
  9. Trouble Noob Whisperer Moderator

    Yep
    Nope
    Nope
    Nope

    Sorry I wasted your time with my reply.
    AND
    I still don't know what you are talking about because you apparently can't or won't capture an image of what you are seeing
    AND
    It's probably worth mentioning (or not) that various backup programs do something similar
     
    Trouble, Aug 27, 2017
    #9
  10. Tensington

    Hi, yes I thought that it was worth mentioning since, as I wrote, I've been told that cloud-backup software other than Win10's OneDrive can alert the user that it has already taken her data, by the same icon-overlay system you've taken the time to visualize, very well, thanks - whether or not the user even has a cloud account, whether or not she has enabled it; and perhaps - I still want very much to know if this is the case - whether or not the software has actually taken any data anywhere. That's why I thought it important in fact to mention, so I did.

    My hope, my question, is that there might? be some way to explicitly disable it all: To tell Windows 10: "I do not wish to have my data enclouded, nor copied and pulled from my machine to any other; I wish to be informed if any such attempt is made in any way, by any service, process or application; and I wish to disable any and all services that advise me that my desktop has been copied to some cloud if indeed it has not been."

    So, where else might I look, who might an authority be for Windows 10 data-security (again, I realize I posted this to the wrong forum, I'm sorry for that, and I'm sorry for being strident and, if it's the case that I've been oversplainy, sorry for that, too). I'm guessing I could bring the issue to someone like Schneier or another security-specialist journalist; or I could try joining TechNet and finding the correct sub there, or on Reddit or somechan.

    I'm still hopeful that someone here can point me to a coherent solution. I've had good luck with other problems here, eventually, going back to SevenForums. If I can scour multiple sources and find a solution, I shall perhaps gain some Inner Peace.

    It's frustrating because to me, this is one of the most glaring, abominable vexations of Windows 10.

    Thanks very much, again!
     
    Last edited: Aug 27, 2017
    Tensington, Aug 27, 2017
    #10
  11. BigFeet

    Absolutely no idea what you are talking about. If you would screen cap whatever "check mark" you are talking about, it may help get you answers. If you join technet or reddit, they are going to ask the same. They are also going to ask for more detail.

    I have nothing syncing to the cloud. Yes, even though I've blocked telemetry, there are still packets going up to microsoft servers. Good luck permanently disabling those.
     
    BigFeet, Aug 27, 2017
    #11
    Norton and Trouble like this.
  12. Tensington

    Although I've never created an account for it I've removed the Microsoft Partners store version of Dropbox which came preinstalled. I suspect that may have been acting maliciously (whether or not it has tried to pull data from me). If I get no further alerts (via the pictured desktop icon overlays) in the next couple weeks, I'm going to presume it as the culprit and I intend to let everyone know, and I mean everyone.

    Meanwhile if there are any suggestions in direct response to my already-stated request for info, please feel very free to share.

    You guys are great! Thanks.
     
    Tensington, Aug 27, 2017
    #12
  13. Tensington

    I'm not talking about data packets to MS in general, only the evidently-running backup I never installed or configured as evidenced specifically by the icon-overlying routine that I spoke about in exhaustive and exhausting detail. We'll see if removing the bundled Dropbox ends that. Thanks.
     
    Tensington, Aug 27, 2017
    #13
  14. Norton

    Norton and Zone Alarm perform on-line backups. Norton will flag your desktop informing that a recent backup was successful. Do you use Zone Alarm on-line backup?
    If Yes! It's something worth investigating further. I'm not a fan of either program.
     
    Norton, Aug 27, 2017
    #14
    Trouble likes this.
  15. Tensington

    Hi, no, I have the free version of ZoneAlarm that doesn't offer backup, and no Norton/Symantec products. A week after uninstalling the MS-bundled Win10 version of Dropbox, it also is still happening. Now, I am suspecting an installed-but-inactive (I thought) backup application that came bundled with my Seagate portable 1T ssd drive. And this is weird: I have had the opportunity to take a capture now and, just as I did so, the icon overlays changed from the checkmark image posted by @Trouble to the one which Windows uses to indicate a workgroup share I think?

    [IMG]
    (I didn't in fact share anything. And a few moments later the overlays all disappeared.)

    Anyhow a moment before I was able to get this capture, the overlays did look as Trouble showed and I previously described. And I still believe it's an indication that a service or process or app secretly tried, successfully or not, to transfer the associated data off of my desktop. If readers think that makes me a candidate for some kind of shiny metallic hat, fine. Meanwhile if anyone knows of a catch-all toggle in Windows to disallow any such activity as I suspect, I will reward you with a grateful interaction of some sort.
     
    Tensington, Aug 31, 2017
    #15
  16. Trouble Noob Whisperer Moderator

    IF you are comfortable having a peek at the registry...... have a look at the following key
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

    IF exists, you might see something there that might give a clue as to what might be producing it.

    Capture.PNG
     
    Trouble, Aug 31, 2017
    #16
    Norton likes this.
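
    The registry check suggested in post #16, as an added PowerShell example that is not part of the original thread: it walks the key quoted there plus its WOW6432Node (32-bit) counterpart, resolves each handler's CLSID to the DLL that implements it, and reports that DLL's company name and signature status. The helper name `Get-OverlayHandler` is made up for illustration.

```powershell
# Added example; Get-OverlayHandler is a hypothetical helper name.
# Run from a 64-bit PowerShell session so both registry views are visible.
$views = [ordered]@{
    '64-bit' = @{
        Overlays = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
        Classes  = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    }
    '32-bit' = @{
        Overlays = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
        Classes  = 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'
    }
}

function Get-OverlayHandler {
    foreach ($view in $views.Keys) {
        $paths = $views[$view]
        if (-not (Test-Path -LiteralPath $paths.Overlays)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $paths.Overlays) {
            # The subkey's default value is the CLSID of the COM object Explorer loads.
            $clsid  = [string]$key.GetValue('')
            $inproc = "$($paths.Classes)\$clsid\InprocServer32"
            $dll = $null; $company = $null; $signature = $null

            if ($clsid -and (Test-Path -LiteralPath $inproc)) {
                # InprocServer32's default value is the path of the implementing DLL.
                $dll = ([string](Get-Item -LiteralPath $inproc).GetValue('')).Trim('"')
                if ($dll -and (Test-Path -LiteralPath $dll)) {
                    $company   = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
                    $signature = (Get-AuthenticodeSignature -LiteralPath $dll).Status
                }
            }

            [pscustomobject]@{
                View      = $view
                Name      = "'$($key.PSChildName)'"   # quoted so leading spaces show
                Clsid     = $clsid
                Dll       = $dll
                Company   = $company
                Signature = $signature
            }
        }
    }
}

Get-OverlayHandler | Sort-Object View, Name | Format-Table -AutoSize -Wrap
```

    A handler listed here shows which installed component can draw overlays in Explorer; on its own it does not show that any file was uploaded.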
  17. Tensington

    Thanks. That confirms that SkyDrivePro1 (ErrorConflict), SkyDrivePro2 (SynchInProgress), and SkyDrivePro3 (InSync) represented by three keys I see, are configured to use icon overlays to identify a process. I knew that to be the case. Does the fact that my desktop icons all get modified by the library descriptors in those keys' data mean that SkyDrive, although disabled, has run or that it has attempted to run? That speaks more to my lingering question: How to know and how to ensure that it does not run, and nor does any other similar program run - whether MS or MS Partner or other - without my permission. It seems completely crazy to me that Windows doesn't allow me to know; it's so fundamental to my data security. This is Windows 10 Pro. I might expect several things to run without users' knowledge or explicit permission (although not without Administrator's) in an amateur, Home, School version.
     
    Tensington, Aug 31, 2017
    #17
  18. Norton

    Have you checked in task manager if the above unwanted programs are still enabled?
    It's possible that the programs by default, including Seagate portable, have scheduled triggers set by default to perform backup events and the events are still triggering daily, weekly, monthly until they are disabled.
     
    Norton, Aug 31, 2017
    #18
    Trouble likes this.
  19. Trouble Noob Whisperer Moderator

    It's been a while since Microsoft referenced "SkyDrive" as they were forced to change the name quite some time ago to "OneDrive", so maybe this was an upgrade holdover from an earlier version of Windows.
    I wasn't even aware that they offered a "Pro" version. Is this or has it been a business / commercial computer rather than a consumer model as branded by the manufacturer?
    I see that SkyDrive Pro has been renamed OneDrive for Business
    https://blogs.office.com/en-us/2014...o-are-now-onedrive-and-onedrive-for-business/
     
    Trouble, Aug 31, 2017
    #19
  20. Trouble Noob Whisperer Moderator

    Definitely worth looking at task scheduler to see what might be there.
     
    Trouble, Aug 31, 2017
    #20
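
    For the Task Manager and Task Scheduler checks suggested in posts #18 and #20, an added PowerShell example (not from the thread) that lists scheduled tasks that are not disabled, plus logon startup entries, whose name or command line mentions one of the products named in this thread. The keyword list and the helper name `Find-SyncAutostart` are assumptions for illustration.

```powershell
# Added example; Find-SyncAutostart and its default keyword list are hypothetical.
function Find-SyncAutostart {
    param([string]$Pattern = 'OneDrive|SkyDrive|Dropbox|Seagate')

    # Scheduled tasks that are not disabled, with the command line of each action.
    foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        $command = ($task.Actions |
            ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $fullName = "$($task.TaskPath)$($task.TaskName)"
        if ("$fullName $command" -notmatch $Pattern) { continue }

        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Source  = 'ScheduledTask'
            Name    = $fullName
            Command = $command
            LastRun = $info.LastRunTime
            NextRun = $info.NextRunTime
        }
    }

    # Run-key and Startup-folder entries that launch at logon.
    foreach ($entry in Get-CimInstance -ClassName Win32_StartupCommand) {
        if ("$($entry.Name) $($entry.Command)" -notmatch $Pattern) { continue }
        [pscustomobject]@{
            Source  = "Startup ($($entry.Location))"
            Name    = $entry.Name
            Command = $entry.Command
            LastRun = $null
            NextRun = $null
        }
    }
}

Find-SyncAutostart | Format-List
```

    Run it from an elevated prompt to include tasks registered for other accounts, and pass a different `-Pattern` to search for other vendors.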