Christer Jakobsen's community posts


C2 Defender Alerts

Josh D wrote:

Christer Jakobsen wrote:

Since yesterday, we got alerts from Defender about 5 computers regarding this. It is not sufficient to create exceptions for the folders or processes. From what I understand, we have to whitelist the RU Central server IP addresses. Unfortunately I have not found any dynamic server address that can be used, so I added IP address indicators to allow the traffic (Defender portal -> Settings -> Endpoints -> Rules -> Indicators -> IP addresses):
64.20.61.146
172.241.164.247
216.158.232.18

There can be more IP addresses in use that might show up later, and they can be found by using Advanced hunting with this query:

// outbound connections made by the RU host process on the RU Central ports
DeviceNetworkEvents
| where InitiatingProcessFileName == "rutserv.exe"
| where RemotePort in (5650, 5651, 5652, 5653, 5654, 5655)
| summarize count() by RemoteIP

Adding IP address indicators to allow traffic will open it up for all processes, so it probably should be used together with an endpoint firewall policy to only allow rutserv.exe to connect to these addresses and ports.

Hey Christer,

Thanks for your reply. I was going to do this (as it's not the software being blocked per se).

However, I was more inclined to check if 172.241.164.247 was an active RU IP and not some sort of middle botnet which has been hijacked.

Thanks for the help; I imagine that's what I'll do shortly.

Thanks for the comment.
I don't know if it's possible to guarantee the IP addresses are actually official RU servers. It would be very helpful if they could provide an official list of addresses (or even better, a dynamic address that they could update themselves).
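Added example (Python, not the posters' code or anything from Remote Utilities) that ties the two suggestions in the thread together: it diffs a CSV export of the hunting query against the IP indicators already allowed, so new RemoteIPs stand out, and it builds the PowerShell New-NetFirewallRule pair that limits rutserv.exe to those addresses and ports. The block rule lists explicit "everything else" ranges because Windows Firewall has no "all except" syntax and a Block rule beats an Allow rule, so a plain program-scoped block would also kill the allowed traffic. The install path and the sample CSV are constructed placeholders.

```python
import csv
import ipaddress
from io import StringIO

# Added example for this thread, not code from Remote Utilities or the posters.
ALLOWED_IPS = ["64.20.61.146", "172.241.164.247", "216.158.232.18"]  # from the post
RU_PORTS = "5650-5655"  # the ports the hunting query watches
# Placeholder install path; check where rutserv.exe really lives on your hosts.
RUTSERV = r"C:\Program Files\Remote Utilities - Host\rutserv.exe"

# Constructed sample CSV export of '... | summarize count() by RemoteIP'.
HUNTING_CSV = """RemoteIP,count_
64.20.61.146,412
172.241.164.247,98
203.0.113.7,3
"""

def new_remote_ips(csv_text, allowed=ALLOWED_IPS):
    """RemoteIPs rutserv.exe talked to that are not yet on the allow list."""
    seen = {row["RemoteIP"] for row in csv.DictReader(StringIO(csv_text))}
    return sorted(seen - set(allowed), key=ipaddress.ip_address)

def complement_ranges(allowed=ALLOWED_IPS):
    """IPv4 ranges 'a-b' covering every address except the allowed ones.
    Windows Firewall has no 'all except' syntax, and a Block rule beats an
    Allow rule, so the program-scoped block rule must list these ranges."""
    ints = sorted(int(ipaddress.IPv4Address(ip)) for ip in allowed)
    ranges, start = [], 0
    for n in ints:
        if n > start:                      # gap before this allowed address
            ranges.append((start, n - 1))
        start = n + 1
    if start <= 0xFFFFFFFF:
        ranges.append((start, 0xFFFFFFFF))
    return [f"{ipaddress.IPv4Address(a)}-{ipaddress.IPv4Address(b)}" for a, b in ranges]

def firewall_commands(allowed=ALLOWED_IPS, program=RUTSERV):
    """PowerShell pair: allow rutserv.exe to the RU ports on the allowed
    addresses, block it to every other address (run both, then re-run the
    hunting query to verify only allowed RemoteIPs remain)."""
    allow = (f'New-NetFirewallRule -DisplayName "RU host allow" -Direction Outbound '
             f'-Action Allow -Program "{program}" -Protocol TCP '
             f'-RemotePort {RU_PORTS} -RemoteAddress {",".join(allowed)}')
    block = (f'New-NetFirewallRule -DisplayName "RU host block" -Direction Outbound '
             f'-Action Block -Program "{program}" '
             f'-RemoteAddress {",".join(complement_ranges(allowed))}')
    return allow, block
```

Call new_remote_ips() on a real export of the query to get the candidates to vet before adding them to ALLOWED_IPS, and print firewall_commands() to get the two rules to paste into an elevated PowerShell session.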

C2 Defender Alerts
Edited: Christer Jakobsen - May 19, 2026 3:34:00 am EDT