I noticed a lot of network activity from my otherwise idle system this morning, so I fired up a packet sniffer. In addition to Microsoft sites at 207.46.132... and 65.54.186..., I saw encrypted connections using port 443 to "Great Works Internet" at 66.55.202... and to "Internap Network Services" at 66.151.152...
Actually using Live Mesh made more connections to these sites and others, so I'm assuming this is supposed to be happening, but I always get seriously paranoid when I don't know who my systems are talking to out there! I don't see any Google hits or search hits here for these third party servers being involved with Live Mesh - can anyone confirm I am supposed to be talking to them? What services is Microsoft (I hope!) using that they can't provide themselves?
The site at 66.151.152... is owned by Omniture, a 3rd party that Live Mesh uses for web analytics. Microsoft owns a block that would cover 65.55.202, and Live Mesh uses it for all kinds of things. Can you verify that you're seeing 66.55.202... while using Live Mesh? I just want to verify that wasn't a typo.
The site at 66.151.152... is owned by Omniture, a 3rd party that Live Mesh uses for web analytics. Microsoft owns a block that would cover 65.55.202, and Live Mesh uses it for all kinds of things. Can you verify that you're seeing 66.55.202... while using Live Mesh? I just want to verify that wasn't a typo.
I believe you're right, I can't find "66.55" in the logs I kept, only "65.55", and "66.151", so the "Great Works" part of the question was my mistake. Sorry for the confusion.
Right now I'm not logged in but I'm still getting a bump to the "65.55" address about every five seconds. Looks like one full 1415 byte packet and part of another one go each way, encrypted, of course, so I have no idea what it is doing. Must be the underlying wlcrasvc?
This is a real problem for those of us who live in the wilderness and pay by the minute for our net connection! Actually I've given up, I power down the WiFi router when I'm not actively using it. There are just too many automated gadgets in Windows that randomly hit the net, one can no longer hope to kill them all. So much for "always on"...
Back again. Last night I was helping a friend with a corrupted WinXP system, and fired up my tablet to check something. It immediately jumped onto his Apple Airport and began monopolizing the miserably tiny 42K dialup pipe which is all he can get out here in "Northwest Nowhere".
Believing I had Automatic Updates set to manual, I got very concerned when the unknown and uninitiated network activity kept happening. I was after all on the same network with a corrupted XP installation, that could have some nasty malware operating. Once again to the packet sniffer, and once again it appears the culprit was Live Mesh. Is it possible that logging out of Live Mesh and setting the login to manual does not survive a system restart? I know I had logged out, because I had been stuck on a 1X cellular connection all day.
During the time I watched, my system contacted
Trying 65.55.202.156 at ARIN OrgName: Microsoft Corp NetRange: 65.52.0.0 - 65.55.255.255
Trying 207.46.132.250 at ARIN OrgName: Microsoft Corp NetRange: 207.46.0.0 - 207.46.255.255
Trying 192.221.123.124 at ARIN OrgName: Level 3 Communications, Inc. NetRange: 192.221.0.0 - 192.221.255.255
Trying 204.160.114.123 at ARIN OrgName: Level 3 Communications, Inc. NetRange: 204.160.0.0 - 204.163.255.255
Trying 204.160.122.123 at ARIN OrgName: Level 3 Communications, Inc. NetRange: 204.160.0.0 - 204.163.255.255
All encrypted, using ports 80 and 443.
According to DNS, at least one of the Microsoft ports is a server for Windows Update:
I certainly wasn't actively using Live Mesh, yet it was sucking up as much bandwidth as it could get, so it must have been downloading an update. It really needs to respect the global Windows Update setting on individual machines. For those of us who are limited to slow net connections, real work grinds to a halt when programs try to update themselves at random. Even with updates set to manual, just the checking that takes place on every wake-up makes the system unusable for about the first two minutes.
Currently the Live Mesh software will attempt to update itself within 24 hours of a new release becoming available. We've seen some other requests to make this a user-configurable option, though, and I've added your vote for that feature to our internal list.
