Bitdefender keeps blocking a suspicious connection every time I start Edge


zooburner

I keep getting this from bitdefender...

Feature:Online Threat Prevention
msedge.exe attempted to establish a connection relying on an expired certificate to bzib.nelreports.net. We blocked the connection to keep your data safe since websites must renew their certificates with a certification authority to stay current, and outdated security certificates represent a risk.


Firstly, I've never seen or heard of nelreports.net, secondly why is edge contacting it anyway?

I've done a full scan with Bitdefender, Defender, and a quick scan with Malwarebytes, nothing has turned up. Edge is set to open up on a blank page at start.
 

Are you a Windows Insider? Canary build? I am receiving the same flag. The site appears to be an Azure web app page. Bitdefender is also blocking deff.nelreports.net since the last update. I believe this is related to the news feed. Check out this report:
bzib.nelreports.net is a subdomain of nelreports.net. DNS resolution of bzib.nelreports.net points to 23.195.105.139 with a location in Seattle, Washington US. Parent domain registration belongs to Microsoft Corporation, registered through CSC Corporate Domains, Inc. The server responds with an SSL certificate issued by Microsoft Corporation to Microsoft Corporation under the common name *.nelreports.net.

Cloudflare security assessment status for nelreports.net: Safe ✅.
 

No, I'm on the slow channel regarding builds, I don't even install the monthly preview updates.

What may be of interest is I have Chrome as the default browser and Edge nags to make it the default browser are getting bigger and bigger, last one was about a third of the window making it impossible to work without interacting with it.

It was after I refused that that I started getting the notifications from Bitdefender, and it now happens every time I open Edge.
 

This is the official whois record:

Domain Name: nelreports.net
Registry Domain ID: 2374329185_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2023-03-24T01:07:19Z
Creation Date: 2019-03-28T17:22:10Z
Registrar Registration Expiration Date: 2024-03-28T21:22:10Z
Registrar: CSC CORPORATE DOMAINS, INC.
Sponsoring Registrar IANA ID: 299
Registrar Abuse Contact Email: domainabuse@cscglobal.com
Registrar Abuse Contact Phone: +1.8887802723
Domain Status: clientTransferProhibited EPP Status Codes | What Do They Mean, and Why Should I Know? - ICANN
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Microsoft Corporation
Registrant Street: One Microsoft Way
Registrant City: Redmond
Registrant State/Province: WA
Registrant Postal Code: 98052
Registrant Country: US
Registrant Phone: +1.4258828080
Registrant Phone Ext:
Registrant Fax: +1.4259367329
Registrant Fax Ext:
Registrant Email: domains@microsoft.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Microsoft Corporation
Admin Street: One Microsoft Way
Admin City: Redmond
Admin State/Province: WA
Admin Postal Code: 98052
Admin Country: US
Admin Phone: +1.4258828080
Admin Phone Ext:
Admin Fax: +1.4259367329
Admin Fax Ext:
Admin Email: domains@microsoft.com
Registry Tech ID:
Tech Name: MSN Hostmaster
Tech Organization: Microsoft Corporation
Tech Street: One Microsoft Way
Tech City: Redmond
Tech State/Province: WA
Tech Postal Code: 98052
Tech Country: US
Tech Phone: +1.4258828080
Tech Phone Ext:
Tech Fax: +1.4259367329
Tech Fax Ext:
Tech Email: msnhst@microsoft.com
Name Server: ns2-204.azure-dns.net
Name Server: ns4-204.azure-dns.info
Name Server: ns1-204.azure-dns.com
Name Server: ns3-204.azure-dns.org
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: Submitting a Complaint to ICANN Contractual Compliance - ICANN
>>> Last update of WHOIS database: 2023-03-24T01:07:19Z <<<
 

Aye, it's likely safe and part of some feedback set up by Microsoft. Bitdefender just does not seem to like the certificate for the domain (out of date perhaps), I'm inclined to ignore it for now.
 

Yes, it is Microsoft. We're getting hits from Edge trying to connect to Microsoft servers in the background (I believe). Both OP and I are on Insider Preview builds, but I'm not sure it's specifically an insider issue.
 

Hey guys, it's not related to Insider; I have the same issue on 4 different PCs. I contacted both Microsoft and Bitdefender support.

Microsoft didn't really answer my question of "why is a request I don't specifically make being sent", but the agent said it is a defunct service that doesn't need a certificate anymore. However... after I kept him on for like 1h I don't know if he only said that to get rid of me or he got some confirmation. I'm inclined to think he got some info during the chat (he seemed to genuinely try to help me) but can't be sure. He also said they sent a mail to Bitdefender regarding this. But... I still don't think it is fine. A bad certificate is a bad certificate, and if the endpoint is defunct they should just not call it. And more importantly... why the hell does my browser decide to do that call for me, without any kind of option to stop it (I tried to find one for hours).

I have no idea why they don't just make a public list with "hey, those are the stuff that our services call: edge startup -> nelreports.net because whatever". That way at least I have an official list, and I can safely add an exception. But this way... I just leave the block there and I get spammed every 20 seconds.

Bitdefender was even worse (support wise), since their "24/7 real human chat support" was a bot masquerading as a human (and not even doing it well... I got the bot experience with the response time of humans... great). All I got was "we will get back to you soon". However... I don't think it is their fault.

So... any way to get rid of this would be great. Since changing browsers does not work (because widgets for example still use Edge behind). And trying to get rid of the request... I can't seem to find a way. Adding an exception without an official post also isn't a solution for me. I use those machines professionally. I can't just add exceptions without fully understanding why the request is made, by whom, why the cert is not renewed etc.

If you have any idea please post it... it is annoying as hell.
 

No, I'm on the slow channel regarding builds, I don't even install the monthly preview updates.

What may be of interest is I have Chrome as the default browser and Edge nags to make it the default browser are getting bigger and bigger, last one was about a third of the window making it impossible to work without interacting with it.

It was after I refused that that I started getting the notifications from Bitdefender, and it now happens every time I open Edge.



Personally, I just blocked msEdge.exe and microsoftedgeupdate.exe in Bitdefender's firewall.
Also, (I use Firefox)... there's a Firefox tweak that stops Edge from nagging (at least in Firefox).

In Bitdefender's firewall Settings > Default application behavior... I have it set to "Block", (outgoing connections).
On the firewall's Application Access tab... I can see what programs are trying to connect to the internet.
Then I can go onto the Rules tab, and allow them if I want.
 
Since no real solution was found that doesn't involve any kind of compromise I solved it like this:

I just created a static route for those 2 domains in my hosts file to redirect to local. And since local is not answering with anything... they are not blocked, they just fail. So I get rid of the spam, and I don't need to dig a security hole for some stupid random endpoint.

However... the whole situation is idiotic.
 

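
An added example, not part of the post above and not Bitdefender or Microsoft tooling: a small Python audit of the hosts-file workaround described in that post. It checks that the two hostnames named in the thread are pinned to a loopback or unspecified address, and shows that a hosts file matches exact names only, so a wildcard line does not cover further subdomains. The hosts content and the name `other.nelreports.net` are constructed for illustration.

```python
import ipaddress

# Constructed sample: the two hostnames named in the thread, sinkholed in a
# hosts file, plus an attempted wildcard line that the hosts format ignores.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1   localhost
0.0.0.0     bzib.nelreports.net   # sinkhole added by hand
::1         deff.nelreports.net
127.0.0.1   *.nelreports.net      # wildcards are NOT supported here
"""

def parse_hosts(text):
    """Return {hostname: [ip_address, ...]} for every valid hosts-file line."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed address: skip line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table

def is_sinkholed(table, hostname):
    """True only if an exact entry maps hostname to loopback or 0.0.0.0/::."""
    addrs = table.get(hostname.lower().rstrip("."), [])
    return bool(addrs) and all(a.is_loopback or a.is_unspecified for a in addrs)

def audit(text, hostnames):
    """Map each hostname to 'sinkholed', 'overridden' or 'not listed'."""
    table = parse_hosts(text)
    report = {}
    for h in hostnames:
        if h.lower().rstrip(".") not in table:
            report[h] = "not listed"           # resolves normally via DNS
        elif is_sinkholed(table, h):
            report[h] = "sinkholed"
        else:
            report[h] = "overridden"           # points at a real address: review it
    return report

if __name__ == "__main__":
    # other.nelreports.net is a hypothetical subdomain used to show the gap.
    wanted = ["bzib.nelreports.net", "deff.nelreports.net", "other.nelreports.net"]
    for host, status in audit(SAMPLE_HOSTS, wanted).items():
        print(f"{host:28} {status}")
```

On Windows the real file is `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `audit()` in place of the sample. An "overridden" result deserves a look, since an entry pointing a vendor hostname at a routable address is not something this workaround would create.
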
I am going to leave it as it is. If Microsoft is too lazy to update the certificate then so be it. I always check BitDefender to see if it is a site I do not want blocked.
 

Since no real solution was found that doesn't involve any kind of compromise I solved it like this:

I just created a static route for those 2 domains in my hosts file to redirect to local. And since local is not answering with anything... they are not blocked, they just fail. So I get rid of the spam, and I don't need to dig a security hole for some stupid random endpoint.

However... the whole situation is idiotic.

Exactly, if it's not used anymore, simply remove Edge requesting the site.
 

Search for News App in your search toolbar, click on the News App and it should automatically update to the latest version. Then all is good.
 

The certificate should last a year, so this is a strange config (misconfig), my guess is that it will be renewed automatically within 5 days.

By the way I am accustomed to Edge spamming, I use DoH, yet it desperately tries to connect to somewhere. :look:

P.S. I have blocked Bing/MSN, so maybe it just tries to phone home.
