Allow defenderbootstrapper.exe to phone home?

Topic

New Reply

[TJ]

A few days ago my firewall warned me about a new outgoing connection attempt by defenderbootstrapper.exe. I allowed it for now.
I tried to find out online what it is and does, but I can’t find any information about it.

Its location is \device\harddiskvolume4\program files\common files\microsoft shared\clicktorun\onlineinteraction\73b2aa4f-faa6-4702-8d25-444947072c82_320\defenderbootstrapper.exe so it must have something to do with Microsoft 365.
It connects locally and remote to ip adress 66.198.240.5

Can anyone tell me what it is and if there’s any harm in allowing it to “phone home”?

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

• This topic was modified 2 years, 1 month ago by TJ.

Reply | Quote

Replies

That IP address does not appear to belong to Microsoft, and my C:\Program Files\Common Files\microsoft shared\ClickToRun\OnlineInteraction folder is empty.

1 user thanked author for this post.

TJ

Reply | Quote

IP seems to belong to/is hosted by A2 in the US – is all I can find.

My OnlineInteraction folder is (now) empty as well, but my question remains….

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

Based on the information in the linked topic, it appears to be some sort of new Microsoft Defender thing?

https://www.askwoody.com/forums/topic/dribble/

1 user thanked author for this post.

TJ

Reply | Quote

GeeBeeDee wrote:

Based on the information in the linked topic, it appears to be some sort of new Microsoft Defender thing?

It is not known what defenderbootstrapper.exe is, what program it is associated with, nor function. In a search across web I can find no information on this file.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

1 user thanked author for this post.

TJ

Reply | Quote

Indeed. Nothing to find strangely enough

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

What @bbearren describes is not the case (yet) on my pc.

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

Consider running your antivirus software on defenderbootstrapper.exe to see if it is flagged as malware.

You may also want to check here for further information:
https://www.virustotal.com/gui/home/upload

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

1 user thanked author for this post.

TJ

Reply | Quote

That would indeed be a smart thing to do if the file was still on my pc – which it isn’t.
After @b said in #2546128 that his Onlineinteraction folder was empty, I checked and mine was empty as well.

But the fact that it WAS in that folder suggests that it has something to do with M365 (as well).

Well, I reverted my intitial allowance to let it connect and blocked the action in the firewall. Hopefully it doesn’t pop up again.

Just to be safe I will do a full scan tonight. Thanks

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

I ran a full and an online scan but nothing found.

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

Searched all 3 of my machines 2-Win 10 Pro and 1-Tiny11B2 (Win 11) and the file does not exist on any of them.

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

1 user thanked author for this post.

TJ

Reply | Quote

Information for Microsoft Defender App is here:
https://www.microsoft.com/en-us/microsoft-365/microsoft-defender-for-individuals

It is installed through the Microsoft Store. You might want to view your store apps to see if it is there. Make sure both uninstalled apps and installed apps are displayed.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

Reply | Quote

After uninstalling most MS Store [cr-]apps from my pc years ago, I cripled the whole MS Store.
Maybe that’s the reason it was not -and hopefully will not be- installed.

But thx anyway 👍

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

1 user thanked author for this post.

geekdom

Reply | Quote

I wondered if Microsoft Defender App had been installed and if defenderbootstrapper.exe were possibly a part of installation.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

Reply | Quote

Unfortunately the firewall alert for defenderbootstrapper.exe popped up again.

I immediatly blocked it and looked in the folder, but C:\Program Files\Common Files\microsoft shared\ClickToRun\OnlineInteraction is empty, so I can’t scan the file.
And when I check the rule it says that the file does not exist….

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

I’m contributing to this thread only because I have recently seen the same behavior, with an interesting twist.

First of all, I am using a very stripped down W10Pro computer with every unnecessary service and promiscuous Windows behavior either removed or neutered (whether MS-based or not).

The computer has minimal software loaded on it, but it does have Microsoft 365 and Bitdefender installed.  And, Bitdefender’s Firewall is set for maximum restriction and verbose alert mode — meaning, no packets are allowed by default, and every .exe that attempts to send a packet must be approved by me first — or pass a Firewall rule that I carefully researched and created.

For the past two weeks, I have been presented with, and have access-denied, a new .exe called defenderbootstrapper.exe.  And Bitdefender, whose Firewall alerts routinely provide clickable link that automatically opens a new window with the exact directory path of the offending file, has been unable to do so with this .exe.  This initially raised a red flag for me.

An even higher level of concern was raised when I performed multiple Windows-based file searches for the .exe on the c: drive, and in the Program Files directory — and found absolutely nothing.  And for the record, I used a wide variety of wild card permutations in order to capture that file in the search results, but failed every time.

Upon close inspection, every time this happens, there is NO defenderbootstrapper.exe file in this directory, or any other directory:

C:\Program Files\Common Files\microsoft shared\ClickToRun\OnlineInteraction

Now, I use Macrium Reflect to image the boot drive on this computer on a very frequent basis.  And I can confirm that none of the archives over the past two weeks have defenderbootstrapper.exe in that directory, or any other directory.

My current thesis is that a different .exe is periodically (and temporarily) installing defenderbootstrapper.exe into the above directory, and when I disallow it access to the Internet, the .exe is uninstalled.

On a computer where that .exe is allowed to access the Internet, I suppose it “does its thing” and then is uninstalled the same way — but I can’t confirm that.

As to whether or not it is malicious, I don’t know.  I would like to look at its properties to see if it is signed, but it can’t be found.

Anyway, that’s all I got — just thought I’d add an “Additional Voice” to this thread.

2 users thanked author for this post.

geekdom, TJ

Reply | Quote

Instead of Bitdefender’s Firewall my pc runs Malwarebytes Windows Firewall Control which more or less behaves in the same way. And I have the same experience as you describe: defenderbootstrapper.exe is nowhere to be found.
I also use Macrium Reflect and will also check my images. Probably will also find nothing there, but just in case.

Until proven otherwise and found ‘guilty’, defenderbootstrapper.exe could be an extra/new defensive layer MS put on the initialization or validation process for Click-to-Run applications??

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

https://www.wilderssecurity.com/threads/defenderbootstrapper-exe.450991/

defenderbootstrapper-exe has these parameters according to the post :

defenderbootstrapper.exe –quiet –start- -p…..

1 user thanked author for this post.

TJ

Reply | Quote

[TJ]

This user Tarnak shows he has two 365 apps listed as well as the Microsoft Defender app, which is not the case on my pc: I have just one Microsoft 365 app and no Microsoft Defender app in my list.

His log says
OnlineInteraction\73b2aa4f-faa6-4702-8d25-444947072c82_309e whilst mine shows
OnlineInteraction\73b2aa4f-faa6-4702-8d25-444947072c82_320,  so only the last _320 differs.

What is “-p” for?

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

• This reply was modified 2 years, 1 month ago by TJ. Reason: added info

Reply | Quote

Found it: “The -p option is used to expose the ports that are used for the image instance.”

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

This is the exact same behavior I’ve seen, but using GlassWire here. Firewall is set to block unless approved, but then when I try to find file to submit to VirusTotal, it is gone from my computer. The path is c:\program files\common files\microsoft shared\clicktorun\onlineinteraction\[long string of numbers redacted]\defenderbootstrapper.exe. Many times the file shows as unsigned. I deny it every time from talking to the internet.

But what brought me here is that I got the same popupfrom Glasswire but this time it was signed by ‘Microsoft Corporation’ with file showing 0.4.18. However the name of the file was xpdBootstrapper in Glasswire. FYI the file is trying to ping onedscolprdcus10.centralus.cloudapp.azure.com:443.

Definitely sus and would block. Any file that reaches out to the internet and disappears seems pretty thoughtfully malicious.

1 user thanked author for this post.

TJ

Reply | Quote

“Until proven otherwise and found ‘guilty’, defenderbootstrapper.exe could be an extra/new defensive layer MS put on the initialization or validation process for Click-to-Run applications??”

Interesting theory.  From a strategic point of view, a bad actor can’t attack something that doesn’t exist (until it is maybe installed by another application).  I believe I have also seen C2R requesting Internet access at around the same time — although I can’t say with certainty that I ALWAYS see C2R calling home at the same time.  Still, it strikes me as a bit late in the game for MS to add a new security measure.

Lastly as a guest, there does not seem to be a way for me to receive alerts for this thread.  So if I do not respond, you will know why.

1 user thanked author for this post.

TJ

Reply | Quote

Then why don’t you register? This is a nice no-nonsense knowledgeable bunch of people. No bad language or ego trippers here.

For a few $$ a year you get access to very informative newsletters, update warnings and alerts, and more.

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

3 users thanked author for this post.

satrow, Zig, PKCano

Reply | Quote

Well, I was finally able to see the file before denying its Internet access (which, all by itself, causes it to self destruct).

The file appears to be signed by Microsoft and the original file name is xpdbootstrapper.exe.

Probably the most interesting (and concerning) thing about this file is that simply right clicking on it, in order to see its properties, causes it to self destruct.  And that happens before I deny Internet access.

This is the type of behavior I expect from malware and viruses — not valid executables.

1 user thanked author for this post.

TJ

Reply | Quote

Right. Searching for more info on defenderbootstrapper a few days ago I came upon this report on xpdbootstrapper from hybrid-analysis https://www.hybrid-analysis.com/sample/0aa6774c0dc7c77012e236123418e61bc5ce3d429f383ab5233a9c376b5889f6/6375678d0486c659101b1998

This is abracadabra to me, but maybe some of you can make sense of it.

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

About halfway down that report is:

ProductName
Microsoft Outlook Installer

ProductVersion
1.2022.1108.300

FileDescription
Microsoft Outlook Installer

OriginalFilename
xpdBootstrapper.exe

And about 10 lines above that is the icon of an Outlook Preview version:

Which is available from Microsoft Store:

https://apps.microsoft.com/store/detail/outlook-for-windows/9NRX63209R7B

1 user thanked author for this post.

TJ

Reply | Quote

Both interesting posts ^.

For the record, I don’t use the Microsoft Store and Outlook previews are disallowed by the Admin (by design) on this computer.

Just sharing data points.

1 user thanked author for this post.

b

Reply | Quote

Same here. And ‘normal’ Outlook is already installed cause I have M365.

So maybe it’s a ‘tool’ to see if a user has Outlook or not and take subsequent action. Still, it’s a dodgy process.

I will for now put this question on ‘resolved’ status but….
additional information remains welcome!

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

1 user thanked author for this post.

b

Reply | Quote

It must be connected with MS Office somehow. This page includes “vs_setup_bootstrapper.exe” in a screenshot, and then briefly explains bootstrapper.exe:

Bootstrapper.exe is an executable file on Microsoft Office. It is responsible for the initialization of applications built using the Composite Application Library. It is relatively a new technology used to simplify dependencies required during installation processes.

What is Bootstrapper.exe? [December 25, 2022]

2 users thanked author for this post.

satrow, TJ

Reply | Quote

I don’t know if they are one and the same. They call it ‘Microsoft Setup Bootstrapper” and Hybrid Analysis’ report says it’s a ‘Microsoft Outlook Installer’ as you explained in #2547830 and the product versions also differ.

As far as I know there are different kinds of bootstrapper.
https://learn.microsoft.com/en-us/windows/win32/msi/bootstrapping
But I am far from being an expert, so I could be wrong.

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

Could it be that this is connected to the KB5021751 update that checks Windows PCs for versions of Office installed ?

Microsoft said it will run once.

* Why is the topic marked as Resolved ?

Reply | Quote

If you mean this is MS’ way to also check C2R users, then why does/did it run more than once?

* Why I marked this topic as resolved, is because we now know it is a MS signed….. something. See b’s #2547830 answer.
And although I still find it a sneaky operator, it is for 99% certainty no malware.

If you would keep this topic open: why?

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

1 user thanked author for this post.

Alex5723

Reply | Quote

Sorry, little late to the discussion.

Yes, in my limited searches, I’ve encountered a few other bootstrapper applications. However, defenderbootstrapper.exe seems to be very distinct entity, and one that is curiously undocumented and largely unsearchable if you force Google to find the full and exact file name using quotation marks.

The file name is also a bit of a red flag.  It’s not a naming convention I’d use for a benign application whose function is related to any of the various theories in this thread that hypothesize what this little file is supposed to do.  In fact, it’s exactly what I would name the file if I was a hacker in a nation state-sponsored program.

I do agree there is a high probability this is a genuine Microsoft file, but that is cold comfort for those who are well versed in just how abusive, leaky, and promiscuous Microsoft’s applications and telemetry are.

Frankly, I find it shocking.  If the average user actually knew the amount of information (anonymized or not) that was being exfiltrated from their machines, they’d switch to Apple or Linux.  I never thought I’d say this, but even Google is more transparent and less abusive.

And just when you’ve spent hours locking down a Microsoft service or application across your deployment, they intentionally force a new version during a security update that removes all of the handcuffs you placed on the old version.  That is their strategy for reopening the floodgates.

Anyway, I digress.

1 user thanked author for this post.

TJ

Reply | Quote

Thank you. Considering your arguments I will revert the status of this topic back to “Unanswered”.

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

Thank you for reopening. I think though bootstrapper.exe could be a legit file based on posting above, this particular file(s) has various prefixes that seem to be added to make it seem legit, then self-erase when internet access is blocked or someone right-clicks for properties (thanks @additionalvoice)!

1 user thanked author for this post.

TJ

Reply | Quote

This comment may have been directed at someone else.  But I wasn’t trying to make any kind of suggestion about how this thread should be characterized.

1 user thanked author for this post.

TJ

Reply | Quote

Well, my comment was directed at you. Your stance made me realize this should be investigated further, and therefore I reopened this topic. And I thank you for your it.

(And @Alex5723 also gave the impression that the topic is not resolved yet)

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

defenderbootstrapper.exe was trying to phone home again just now.
Different port this time: 4792.
https://www.adminsub.net/tcp-udp-port-finder/4792

Before it was port 320 https://www.adminsub.net/tcp-udp-port-finder/320

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

Port number changes are interesting and not very ‘above board’.   Sounds like the .exe (or rather its progenitor) is either randomly selecting ports, or the progenitor is maybe logging ports that have been previously blocked and is trying alternative ports.

My Firewall log lists the following IP address targets for defenderbootstrapper.exe:

20.189.173.3/0

13.69.109.131/0

20.42.65.85/0

13.89.178.26/0

104.208.16.88/0

52.182.143.211/0

13.107.5.88/0

A simple Whois search confirms that every one of these IP targets is identified as part of the Microsoft Domain, as it should be.

In stark contrast, I noticed you mentioned 66.198.240.5 in a much earlier post.   If that number is correct, I would be somewhat concerned as that IP address is associated with a hosting company in Ann Arbor, Michigan — and not Microsoft.

Whois:  https://ipinfo.io/66.198.240.5

A2 Hosting:  https://www.a2hosting.com/

It might be worth checking your logs to see if that number is correct.  Also not sure what you meant when you said:  “It connects locally and remote to ip adress”.  Are you maybe using a proxy server, VPN or TOR — or is your hosting company maybe acting as a proxy?

1 user thanked author for this post.

TJ

Reply | Quote

I’m using a vpn yes.
But to my shame I must confess I didn’t read the rule information correct: there never was an established connection to ip 66.198.240.5 – that ip was shown only as an example how to check Local and Remote ip addresses. Ports is same story….

These are the destination addresses according to the log:
20.189.173.6 (once), 13.107.228.50 (twice), 13.107.229.50 (twice) which are all MS Domains.
Those are from today only. Don’t have logs from before because most logs are cleared before backup.

For all four the Process ID is 9188, source ports: 49709, 49710 and 49711, the destination port is 443 for all four.

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

Ok.  Good.  Those are all Microsoft controlled domains.  And don’t beat yourself up, this stuff can get complicated quickly.

Until further information is known about exactly what function this program performs — I think I’m going to continue to block it.  Not because I believe it is definitely malicious — just because I block everything that I can’t research and get comfortable with.  And I can’t find much of anything on this program — not from Microsoft, and no chatter from the tech community.

A naming convention that uses “defender” and “bootstrapper” for a file in that directory maybe vaguely suggests functionality that allows for some level of interoperability between C2R and Microsoft Defender — but who knows.  You would think that Windows Defender would have a more integrated and holistic method to safely and reliably allow C2R to function.  The mechanism that allows for the occasional “birthing” of that .exe is interesting to see, especially because that directory is otherwise empty — but I am not much more than a novice in these matters.

I’m going to continue to block it, and I predict one of three things will happen — either:

1.  Something will break and I will be notified that 365 won’t continue to work unless I allow that .exe, or;
2. Microsoft will conclude that the .exe is being blocked on too many machines and they will incorporate this function into another more generally accepted application, or;
3. Nothing will break and I will have prevented Microsoft from yet another variant of their abusive data mining campaign.

Either way, I am happy to keep denying permission until I have no choice but to let that .exe start blabbing to the world.

1 user thanked author for this post.

TJ

Reply | Quote

Just to chime in I’m also experiencing this. I have a very new install which basically consists of office, glasswire, malwarebytes and a tool for upscaling images called Upscayl.

I was reluctant to install Upscayl because it’s an unknown publisher (freeware) and for that reason I have been suspicious of it from the start.

Interesting also I have office installed as others have mentioned.

Glasswire alerts me of xpdboostrapper (signed by microsoft) and defenderbootstrapper (unsigned), both resolve to defenderbootstrapper.exe

The last phone home was to:
onedscolprdweu06.westeurope.cloudapp.azure.com
34.199.167.148

Which despite the name seems to be hosted on AWS and AFAIK not a Microsoft domain.

Not long before the last alert I got a notification malwarebytes and windows defender were turned off – this doesn’t seem to be out of the ordinary with malwarebytes however and I assumed it was an update.

I remain suspicious!

2 users thanked author for this post.

TJ, b

Reply | Quote

Sorry to correct myself above it is a Microsoft domain, whatever website I used to look up the url originally was wrong (incorrect ip).

I doubted myself when realised it couldn’t have been an AWS host with an azure domain.

1 user thanked author for this post.

b

Reply | Quote

Malwarebytes AND Defender turned off sounds quite dangerous and unusual. I never experienced that. I would check the logs.

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

What version of Office are you guys using?

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

I’m using Microsoft 365 C2R Personal, with Defender as only av.

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

defenderbootstrapper.exe tried again just now. Different process id, different source ports, same destinations. See screen print.

In case you’re interested in the times: I’m on GMT +2 (Daylight Saving Time)

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

1 user thanked author for this post.

geekdom

Reply | Quote

Microsoft.  Is the source file location pointing to Office click to run?

Let me ask around.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

TJ

Reply | Quote

I use license version of Windows10FirewallControl with default set to disallow any unknown program from internet access – and pop up an alert.

For many months I have been getting warning what the Firewall identifies as Application – xpdBootstrapper(##) – every time it is a new .exe – so even if I were to allow access, it wouldn’t matter – it’s too late, and next time, it will be a ‘different’ new file.  The program indeed does disappear, but the firewall log gives some clues that this is an attempt to run some ‘clicktorun’ app:

C:\program files\common files\microsoft shared\clicktorun\onlineinteraction\73b2aa4f-faa6-4702-8d25-444947072c82_5a31\defenderbootstrapper.exe

xpdBootstrapper (8)
C:\program files\common files\microsoft shared\clicktorun\onlineinteraction\73b2aa4f-faa6-4702-8d25-444947072c82_488e\defenderbootstrapper.exe

(Pretty sure this is triggered by something in the local MSOffice software.)

I agree with earlier post that nearly the entire world does not understand the amount of data/analytics that is being exfiltrated from our personal computers by Microsoft, and if people did understand, it would not be tolerated.  It is getting almost impossible to control your own data.

 

Reply | Quote

Depending on the patching channel of Office the monthly can update at least once a week.

In asking around (and apologies forgot to post back) this appears to be the update installer/trigger.  Often what people think of in terms of data/analytics is merely vendors trying to make sure the software is running and not blowing up.  Humans often don’t give feedback correctly or with enough details.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Thank you Susan for your info –
My firewall log is showing the bootstrapper running every 3 days at about the same time of day. I think it stops when I allow a monthly Windows update to run (until an office update is available again?)

I’m going to try disabling the Microsoft Office Click-to-Run-Service, although the description of the service says that it is required to run “…during the use of any Microsoft Office program,…”

I also see in Task Scheduler -> Microsoft-> Office 4 scheduled tasks related to office updates and click-to-run updates – and, probably related to the firewall blocking the ‘Office Feature Updates’ task shows last run result of “The operator or administrator has refused the request.” – this task has 6 daily triggers – runs every 4 hours. I think I’m going to disable this and some of the other automatic update tasks. I prefer to pay attention to things and don’t like automatic, hidden updates.

 

 

Which led me to check – Task S

Reply | Quote

I would rather change the office to the slower updating channel than to turn off office updating.  Office is used in a lot of attacks.  Better to move to something like Libreoffice or to move to the slower patching cadence.  Click to run will update in the background.  That’s how it works.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote