Jump to content

Any Win10 SmartScreen/canonicalizer.ucsuri.tcs Link?


ausgumbie
 Share

Recommended Posts

Hi all

I write from the Land Down Under, Queensland, Brisbane.

I'm currently enjoying a large number of internet outages. For fellow Aussies, I'm with Telstra. Technology = NBN-HFC. Arris CM8200 modem, Sagemcom F@st 5355 router.

Fellow Aussies would suggest the outages are caused by one or more of: NBN upgrades (possible - they've been flagged), Telstra (no further explanation needed), or F@st 5355 router (no further explanation needed).

In the router log, I and others have noted a frequently-appearing Error Message, viz: "DNS name resolution failure (canonicalizer.ucsuri.tcs)"

On a very few places online this connection is discussed, the connection between Windows 10 SmartScreen and canonicalizer.ucsuri.tcs is confirmed but no one is able to say more than that. canonicalizer.ucsuri.tcs is NOT a registered domain.

So, I'm searching for info...

A respondent to a Ten Forums thread (https://www.tenforums.com/antivirus-firewalls-system-security/118347-any-win10-smartscreen-canonical...) I started on this point directed me to a German article: (https://www.gameindustry.de/hints.php). The section on SmartScreen seems to read (my translation - I have some German - based on Google Translate and Collins Online):

Microsoft SmartScreen:

Behind the introduction of SmartScreen as a protective function in Windows against "potential threats" hides a [stupid]* telemetry service. Microsoft SmartScreen turns itself on during each installation of a program and asks the user if he/she really wants to install a program. In the background three addresses activate themselves for this purpose.

1. checkappexec.Microsoft.com
2. t.checkappexec.Microsoft.com
3. canonicalizer.ucsuri.TCS

If something is installed from the Windows Store, the "licensing.mp.microsoft.com" activates itself in addition. While the "licensing" address does make sense in validating product keys, Smartscreen directly [passes on]* recorded data from the user's computer in relation to installation directories, installation time, language settings, what will be installed where, operating system / version, location, unique user ID, settings for created group policies and much more.

These three addresses from Microsoft SmartScreen (besides the mentioned licensing) are also entered in the hosts file and thus prevent unnecessary disclosure of things. A win-win situation for both sides, because in addition to [the host’s] own privacy and Microsoft's server will also be protected.

(Caption to pic)
Microsoft Smartscreen Telemetry

With SmartScreen, Microsoft not only gets a precise insight into folder structures, but can theoretically get an overview of any user interests. [It gets that gratis]* with each click on an exe file being installed.

An excerpt prepared here as a screenshot. Contents vary little for these three addresses listed.


*NOTES:

  • [stupid]. The paragraphs don't seem derisive of Win 10/SmartScreen. So, I'd understand "stupid" here as "simple, unsophisticated"; i.e., the telemetry service is something of a blunt instrument.
  • [passes on]. My interpretation of "SmartScreen gibt ... weiter".
  • [the host's] own (privacy). My interpretation of "eigener (Privatsphäre)".
  • [It gets that gratis]. My best understanding of "Das umsonst ..."


Any additional info - guidance most appreciated.

ausgumbie

Link to post
Share on other sites

  • Root Admin

Normal editing was removed from the general member level as the Chinese spamming industry was using it to bypass our efforts to block them.

As far as your findings, I'm sure you've found this, but if not I'll go ahead and post it to this topic for reference.

http://security5magics.blogspot.com/2018/05/what-is-canonicalizerucsuritcs.html

 

Link to post
Share on other sites

  • Staff

It seems based on what you translated that this is related to the metadata that Microsoft browsers (like Internet Explorer and Edge) append to files via ADS (Alternate Data Streams) that are downloaded from the web (particularly executable files, documents, reg files, bat files, vbs and other scripting format files) in order to display the prompt to allow or block the file from executing or to enable/disable active content within a document/enable editing for the case of items that open in programs like MS Office and Adobe Reader (PDFs, .DOC/.DOCX, .XLS/.XLSX, .RTF) etc. and is also responsible for the Security field added to the files' Properties tabs and the Unblock button which removes it when clicked (I also use a tool by MS Sysinternals called Streams; more info here, which I've added to my Send to right-click menu in Explorer for both individual files as well as entire folders for cases where I know the object is safe and don't want it blocked from execution/editing/opening by the Windows confirmation dialog).

Here are some examples of how this is evident in files downloaded from the web:

Security_Unblock.png.b409b722bc1d6e7b69fbfdba2c3709a9.png

Protected_View_Enable_Editing.thumb.png.7752a42020513a5ad632c8b0bbdc31db.png

More info on ADS can be found here.

I do not know what, if anything MS is actually collecting with regards to telemetry when such files are accessed/executed, however it is possible based on what I know of this function that at least some if not all of the communication happening is actually related to the creation of and removal of the ADS itself on the local system as well as displaying the appropriate prompts and opening files in their associated applications by default in said applications' protected modes which would make sense given the fact that at least one of the addresses isn't a valid domain.  I suppose further research is necessary to determine the full details though, but I would like to hear if anyone has done an extensive trace of the destinations of any sent packets etc. (via Wireshark or any other such logging tools) to determine if any data/telemetry is actually being sent to MS (or anyone else) when these files are executed and/or modified.  I guess it all depends on whether or not the two "checkappexect.Microsoft.com" domains actually resolve or not.  I guess I'll have to wait for someone with more networking know-how to investigate and respond as I'm not confident in my own ability to make that determination given my limited knowledge on the subject.  I'm definitely anxious for answers though, as I always thought that, even though I knew MS was getting cloud/web data on files downloaded through their browsers for SmartScreen (this is how it, like Google Chrome, will warn you about files not frequently downloaded as well as files reported/known to be malicious), I did not think that MS was using this ADS function to collect any data from systems so this could be a real eye opener for those concerned with privacy (especially those like me who have deliberately stuck with Windows 7 to, among other things, avoid the somewhat staggering levels of telemetry/spyware embedded in more modern versions of the Windows operating system).

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.