by Uristqwerty 2448 days ago
Consider: Malware that doesn't do anything suspicious unless it can first fetch a plausible benign file from what looks like a CDN. If the goal is to properly inspect the behaviour of potentially-malicious code, what it does after successfully fetching a set of ads is as important as, if not more important than, what it does when the connection is blocked. Perhaps a multiplayer game with a backdoor triggered by the MotD service, through intentionally-vulnerable-to-buffer-overflows string processing code.

For bonus points, the C&C server realises the incoming IP has Microsoft's name attached, and only sends back the adverts. For anyone else, it sends a malicious image file as part of the drop, which exploits an intentional security vulnerability in the dropper...

That's actually disturbingly sneaky.

OK, that makes sense.

So how would one block this exploit? You can't test the malware properly without letting it reach its servers. So then you're also letting it upload its exfiltrated data. Which would likely be encrypted.

I think you'd more or less have to block *.microsoft.com at the gateway, then add explicit allows for WGA and Windows Update.
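The gateway policy sketched in the comment above (block the vendor's wildcard, then allow a few explicit hosts) is easy to get wrong in two ways: rule order, and naive suffix matching. The following is an added illustration, not code from the thread or from any real gateway product; the hostnames `update.microsoft.com` and `wga.microsoft.com` are assumed placeholders for the Windows Update and WGA endpoints, and the rule engine is a minimal first-match evaluator written for this example.

```python
# Added example: an ordered host-filter policy for the "block *.vendor, allow a
# few update hosts" pattern, plus the naive suffix check it should replace.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "block"
    pattern: str  # exact hostname, or "*.example.com" for any subdomain


def host_matches(pattern: str, host: str) -> bool:
    """Glob-style match: '*.microsoft.com' matches subdomains only, on a dot boundary."""
    host = host.rstrip(".").lower()
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Keep the leading dot in the suffix so 'notmicrosoft.com' cannot match.
        return host.endswith(pattern[1:])
    return host == pattern


def evaluate(host: str, rules: list[Rule], default: str = "allow") -> str:
    """First matching rule wins; anything unmatched gets the default action."""
    for rule in rules:
        if host_matches(rule.pattern, host):
            return rule.action
    return default


def naive_suffix_block(host: str) -> bool:
    """The common mistake: a bare endswith() without the dot boundary."""
    return host.lower().endswith("microsoft.com")


# Explicit allows must come BEFORE the wildcard block, or they never fire.
# Hostnames below are assumed placeholders, not verified vendor endpoints.
POLICY = [
    Rule("allow", "update.microsoft.com"),   # assumed Windows Update host
    Rule("allow", "wga.microsoft.com"),      # assumed WGA host
    Rule("block", "*.microsoft.com"),        # every other subdomain
    Rule("block", "microsoft.com"),          # the apex is not covered by '*.'
]

# Same rules in the wrong order: the wildcard swallows the allows.
MISORDERED_POLICY = [POLICY[2], POLICY[3], POLICY[0], POLICY[1]]


def audit(rules: list[Rule]) -> list[str]:
    """Flag allow rules that a broader block rule earlier in the list would shadow."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        for earlier in rules[:i]:
            if earlier.action == "block" and host_matches(earlier.pattern, rule.pattern):
                findings.append(f"allow {rule.pattern} is shadowed by block {earlier.pattern}")
    return findings


if __name__ == "__main__":
    for h in ["update.microsoft.com", "telemetry.microsoft.com", "notmicrosoft.com", "example.com"]:
        print(f"{h:28} -> {evaluate(h, POLICY)}")
    print(audit(MISORDERED_POLICY))
```

The `audit` function is the check worth keeping: run it over the rule list whenever the policy changes, so a reordered or newly inserted wildcard block does not silently cut off the update hosts you meant to keep reachable.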

Or a group policy update to tell Defender not to upload stuff to MS.

Sorry. I meant how would Microsoft (and other anti-malware firms) block it, when they're testing binaries obtained from users' machines.

For users, sure, try to lock down Windows. Or (my preference) just don't use it. Or don't give it network access, if it contains any information that you care about.