File reputation warning

For Windows Update kb890830-x64-v.5.26
downloaded by c:\Windows\Sysem32\svchost.exe
from IP 80.17.2.198
seemingly an IP in my own ISP’s network.

https://forum.avast.com/index.php?action=dlattach;topic=173679.0;attach=167428

BTW, copy and paste text from Avast alert windows would help!

https://forum.avast.com/index.php?action=dlattach;topic=173679.0;attach=167430

too small to read …

I’ve updated my post with a second screenshot. Hope it helps!

It looks as though your ISP is adding a redirect to Windows updates, and this does alert Avast as it expects a direct line.

OK, but why? Is it sort of a proxy?
I followed these instructions to check whether I am behind an ISP proxy, but it looks like I am not, not even a transparent one.
https://thevpn.guru/transparent-proxy-detect-expose-explain/

According to VirusTotal the file
hXXp://80.17.2.198/data/8006b0f02907687d/au.v4.download.windowsupdate.com/d/msdownload/update/software/uprl/2015/07/windows-kb890830-x64-v.5.26_9b9723c065acf885288e5f085994de2e1f75157a.exe

is clean
https://www.virustotal.com/en/url/a97d99b7637eb6ecd523e4278e66163951fe87cd9c31371ed1b84001db8108f8/analysis/1436969579/

P.s. I don’t know if it matters, but I am using OpenDNS, not my ISP’s DNS.

In other words, should I trust the connection or abort it?

Is your ISP Telecom Italia S.p.a? Yes, you can trust the download.

OK. Thanks!

Anyways, I don’t like my ISP hijacking my windowsupdate downloads.
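
An added example, not part of any post in this thread: a Python sketch that takes a cache-style URL like the one quoted above, recovers the Windows Update origin wrapped inside it, and checks a downloaded file against the 40-hex value in its name. It assumes that value is the SHA-1 of the payload and that `windowsupdate.com` is the only origin suffix to accept; all function names are hypothetical.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Assumption: these suffixes are the genuine Windows Update origins to accept.
MS_SUFFIXES = ("windowsupdate.com",)
# Assumption: the 40-hex suffix before the extension is the payload's SHA-1.
SHA1_IN_NAME = re.compile(r"_([0-9a-f]{40})\.(?:exe|cab|msu)$", re.I)

def _refang(url):
    """Turn a defanged hXXp:// URL back into a parseable one."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I)

def is_ms_host(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in MS_SUFFIXES)

def embedded_origin(url):
    """Return (host, path) of the Windows Update origin a URL points at,
    whether direct or wrapped as http://<cache>/data/<id>/<host>/<path>."""
    parts = urlsplit(_refang(url))
    if parts.hostname and is_ms_host(parts.hostname):
        return parts.hostname, parts.path
    segs = parts.path.split("/")
    for i, seg in enumerate(segs):
        if is_ms_host(seg):
            return seg.lower(), "/" + "/".join(segs[i + 1:])
    return None  # no Windows Update origin anywhere in the URL

def expected_sha1(url):
    """Extract the hash embedded in the file name, or None if absent."""
    m = SHA1_IN_NAME.search(urlsplit(_refang(url)).path)
    return m.group(1).lower() if m else None

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

def matches_name_hash(url, data):
    """True only if the file bytes hash to the value named in the URL."""
    want = expected_sha1(url)
    return want is not None and sha1_hex(data) == want

if __name__ == "__main__":
    # URL as quoted in the thread (defanged form kept).
    url = ("hXXp://80.17.2.198/data/8006b0f02907687d/"
           "au.v4.download.windowsupdate.com/d/msdownload/update/software/uprl/2015/07/"
           "windows-kb890830-x64-v.5.26_9b9723c065acf885288e5f085994de2e1f75157a.exe")
    print(embedded_origin(url)[0], expected_sha1(url))
```

A matching hash only shows that the bytes served by the cache are the ones the requested name refers to; the digital signature on the file remains the stronger check.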

I started getting similar warnings a few days ago — that would be late August of 2015…

I am going to provide some information and comments. However, I want to first say that, in my view, AVAST SHOULD RESPOND and let us know exactly what is going on.

  1. I abort the download in every case.

  2. As long as the notices remain, my browser stalls and will not access the internet. However, my Juno 4 stand-alone email still works. Once I have aborted all attempted downloads, the browser function resumes.

  3. The notices come in groups of 6 (once, I got a group of 7) with the same filename and same “origin”. A group comes about 2 or 3 times daily.

The filename is different between groups or batches. The “origin” also varies, but by just one letter, for example:

http://download.windowsupdate.com/c/msdownload/update/software/defu/2015/

and

http://download.windowsupdate.com/d/msdownload/update/software/defu/2015/

My system is set to never download anything without my knowledge. Therefore, anything that IS downloaded to my system without my knowledge is malicious. In the present case, there is no question that these attempted downloads are malicious.

I have more detailed notes of my experience with that, but I think the above contains all the necessary information.

PLEASE — AVAST — look into this and let us know what is going on.

Thanks.

That seems to be Windows Update files or Windows 10 files if you have said yes to the upgrade.

This reply seems to have been lost so I’m submitting it again. Sorry if there is a duplicate:

“That seems to be Windows Update files or Windows 10 files if you have said yes to the upgrade.”

I see no evidence that this is anything but a guess. I have seen similar attempts at an explanation many times in various forums. I regard it as a poor guess because these files appear without any explanation or request for permission from the point of origin and are not digitally signed.

https://forum.avast.com/index.php?topic=175953.0

@Infti, did you say Yes to getting Windows 10?

http://d.ibtimes.co.uk/en/full/1441535/windows-10-update-prompt.png