Data Security: Cloud service data-pulls without any external services configured

Joined
Aug 27, 2017
Messages
11
Reaction score
0
There's no way I've found to determine what application or service is causing the periodic green & white icon overlays on the Win 10 desktop which indicate that a file, or a folder's contents, have been cloned and transferred out.

I thought I'd disabled SkyDrive or OneDrive or TwoDrive or whatever Microsoft is calling their backup/spy service. I had installed Dropbox but I'm pretty sure I successfully prevented it from autostarting any exe or service.

If anyone has an app that, with one click, will deny all such data-theft executables and all such services from starting, I'll buy it.
 
Joined
Feb 18, 2016
Messages
2,835
Reaction score
631
You trust the Cloud. Check "How updates are delivered"; you could be updating other PCs on the internet. I've pulled the plug on my DSL connection more than once because of extra terrestrial activity. I have never found out what data was being uploaded.
 
Joined
Aug 27, 2017
Messages
11
Reaction score
0
Thanks. The only autoupdating I do is for daily antivirus signatures, incoming to my one machine only. These green and white checkmarks on my desktop are less frequent than that, and don't seem associated with any logged activity. I can see by looking at router logs for example that my Malwarebytes or ClamAV strings-update has been let in, without anything outgoing except the request for that. I don't keep a packet capture running but maybe I ought to do so. Just hoping someone has a simpler answer requiring no advanced analysis.

I ought to mention I also have ZoneAlarm firewall software installed and I've gotten no alerts prior to one of these desktop checkmark attacks.
 
Joined
Aug 27, 2017
Messages
11
Reaction score
0
Also, I didn't realize that there's a Security forum. Sorry. If an admin sees this & wants to move it from General Win10 Discussion that'd be fine.
 
Joined
Feb 18, 2016
Messages
2,835
Reaction score
631
I firmly believe the outgoing activity is MS collecting machine data. I have most if not all apps disabled, Cortana too. I can see the outgoing on my router, but failed to identify the data thief.
 
Joined
Aug 27, 2017
Messages
11
Reaction score
0
You're probably right. I see in router logs incoming connect attempts and udp requests from ms (40.*.*.* addresses) every several seconds all the time, and it could be that every random once-in-awhile their polling results in the SkyDrive pull acknowledgement (desktop icon overlays) -- even though there's no active SkyDrive or other cloud account active (and I'm told any successful upload from non-MS clouds is signalled in that same way).

I just wish there was a way to know but that would require transparency. MS = opaque.
 

Trouble

Noob Whisperer
Moderator
Joined
Nov 19, 2013
Messages
13,396
Reaction score
2,318
There's no way I've found to determine what application or service is causing the periodic green & white icon overlays on the Win 10 desktop which indicate that a file, or a folder's contents, have been cloned and transferred out.
Is this what you are talking about?

Capture.PNG


IF so, it is associated with One Drive and it's syncing local data with your cloud account storage.
You can simply right click the One Drive icon in the system tray and choose "Settings" and under the "Account" tab use the "Choose folders" button to adjust what is or is not sync'd.

https://support.office.com/en-US/ar...OneDrive-f32a17ce-3336-40fe-9c38-6efb09f944b0
 
Joined
Aug 27, 2017
Messages
11
Reaction score
0
Sorry if I was unclear that I'd been through all that and subsequently discovered 1) that Windows 10 does that when other, non-OneDrive cloud sync/backup data storage systems (which use some MS API, I guess?) run, as well; and 2) it was still happening even after repeatedly taking all measures to disable One Drive entirely, which your copypasted instructions would not achieve. And I never did set up an Account with One Drive at all, as you suggest.

Was I in fact unclear to you?

People ought to know what I'm talking about if they ever look at their desktops; this clearly must happen all the time. People are just used to it?
 

Trouble

Noob Whisperer
Moderator
Joined
Nov 19, 2013
Messages
13,396
Reaction score
2,318
Was I in fact unclear to you?
Yep
People ought to know what I'm talking about if they ever look at their desktops
Nope
this clearly must happen all the time
Nope
People are just used to it
Nope

Sorry I wasted your time with my reply.
AND
I still don't know what you are talking about because you apparently can't or won't capture an image of what you are seeing
AND
It's probably worth mentioning (or not) that various backup programs do something similar
 
Joined
Aug 27, 2017
Messages
11
Reaction score
0
Hi, yes I thought that it was worth mentioning since, as I wrote, I've been told that cloud-backup software other than Win10's OneDrive can alert the user that it has already taken her data, by the same icon-overlay system you've taken the time to visualize, very well, thanks - whether or not the user even has a cloud account, whether or not she has enabled it; and perhaps - I still want very much to know if this is the case - whether or not the software has actually taken any data anywhere. That's why I thought it important in fact to mention, so I did.

My hope, my question, is that there might? be some way to explicitly disable it all: To tell Windows 10: "I do not wish to have my data enclouded, nor copied and pulled from my machine to any other; I wish to be informed if any such attempt is made in any way, by any service, process or application; and I wish to disable any and all services that advise me that my desktop has been copied to some cloud if indeed it has not been."

So, where else might I look, who might an authority be for Windows 10 data-security (again, I realize I posted this to the wrong forum, I'm sorry for that, and I'm sorry for being strident and, if it's the case that I've been oversplainy, sorry for that, too). I'm guessing I could bring the issue to someone like Schneier or another security-specialist journalist; or I could try joining TechNet and finding the correct sub there, or on Reddit or somechan.

I'm still hopeful that someone here can point me to a coherent solution. I've had good luck with other problems here, eventually, going back to SevenForums. If I can scour multiple sources and find a solution, I shall perhaps gain some Inner Peace.

It's frustrating because to me, this is one of the most glaring, abominable vexations of Windows 10.

Thanks very much, again!
 
Joined
Oct 2, 2014
Messages
1,757
Reaction score
406
People ought to know what I'm talking about if they ever look at their desktops; this clearly must happen all the time. People are just used to it?
Absolutely no idea what you are talking about. If you would screen cap whatever "check mark" you are talking about, it may help get you answers. If you join technet or reddit, they are going to ask the same. They are also going to ask for more detail.

I have nothing syncing to the cloud. Yes, even though I've blocked telemetry, there are still packets going up to microsoft servers. Good luck permanently disabling those.
 
Joined
Aug 27, 2017
Messages
11
Reaction score
0
Although I've never created an account for it I've removed the Microsoft Partners store version of Dropbox which came preinstalled. I suspect that may have been acting maliciously (whether or not it has tried to pull data from me). If I get no further alerts (via the pictured desktop icon overlays) in the next couple weeks, I'm going to presume it as the culprit and I intend to let everyone know, and I mean everyone.

Meanwhile if there are any suggestions in direct response to my already-stated request for info, please feel very free to share.

You guys are great! Thanks.
 
Joined
Aug 27, 2017
Messages
11
Reaction score
0
Absolutely no idea what you are talking about. If you would screen cap whatever "check mark" you are talking about, it may help get you answers. If you join technet or reddit, they are going to ask the same. They are also going to ask for more detail.

I have nothing syncing to the cloud. Yes, even though I've blocked telemetry, there are still packets going up to microsoft servers. Good luck permanently disabling those.
I'm not talking about data packets to MS in general, only the evidently-running backup I never installed or configured as evidenced specifically by the icon-overlying routine that I spoke about in exhaustive and exhausting detail. We'll see if removing the bundled Dropbox ends that. Thanks.
 
Joined
Feb 18, 2016
Messages
2,835
Reaction score
631
Norton and Zone Alarm perform on-line backups. Norton will flag your desktop informing that a recent backup was successful. Do you use Zone Alarm on-line backup?
If Yes! It's something worth investigating further. I'm not a fan of either program.
 
Joined
Aug 27, 2017
Messages
11
Reaction score
0
Hi, no, I have the free version of ZoneAlarm that doesn't offer backup, and no Norton/Symantec products. A week after uninstalling the MS-bundled Win10 version of Dropbox, it also is still happening. Now, I am suspecting an installed-but-inactive (I thought) backup application that came bundled with my Seagate portable 1T ssd drive. And this is weird: I have had the opportunity to take a capture now and, just as I did so, the icon overlays changed from the checkmark image posted by @Trouble to the one which Windows uses to indicate a workgroup share I think?

nqSShO9.jpg

(I didn't in fact share anything. And a few moments later the overlays all disappeared.)

Anyhow a moment before I was able to get this capture, the overlays did look as Trouble showed and I previously described. And I still believe it's an indication that a service or process or app secretly tried, successfully or not, to transfer the associated data off of my desktop. If readers think that makes me a candidate for some kind of shiny metallic hat, fine. Meanwhile if anyone knows of a catch-all toggle in Windows to disallow any such activity as I suspect, I will reward you with a grateful interaction of some sort.
 

Trouble

Noob Whisperer
Moderator
Joined
Nov 19, 2013
Messages
13,396
Reaction score
2,318
IF you are comfortable having a peek at the registry...... have a look at the following key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

IF it exists, you might see something there that might give a clue as to what might be producing it.

Capture.PNG
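
Added example, not part of the original post: a PowerShell sketch that walks the `ShellIconOverlayIdentifiers` key named above and resolves each handler to the DLL behind it, so an overlay can be traced to an installed product. The 32-bit `WOW6432Node` view, the `HKEY_CLASSES_ROOT` lookup and the output column names are choices made for this example.

```powershell
# Added example (not from the thread): resolve each registered icon overlay
# handler to its CLSID, implementing DLL, vendor and Authenticode signer.
$overlay = 'Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'

# Native registry view, plus the 32-bit view that exists on 64-bit Windows.
# HKEY_CLASSES_ROOT is the merged per-machine + per-user COM registration.
$views = @(
    @{ Keys = "HKLM:\SOFTWARE\$overlay"
       Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
    @{ Keys = "HKLM:\SOFTWARE\WOW6432Node\$overlay"
       Clsid = 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID' }
)

$handlers = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Keys)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $view.Keys) {
        # The default value of each handler subkey is the handler's CLSID.
        $clsid = [string]$key.GetValue('')
        $dll = $null; $company = $null; $signer = $null
        if ($clsid) {
            $srv = Get-Item -LiteralPath "$($view.Clsid)\$clsid\InprocServer32" `
                            -ErrorAction SilentlyContinue
            if ($srv) { $dll = ([string]$srv.GetValue('')).Trim('"') }
        }
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $company = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            # Vendors pad names with leading spaces to sort first; trim them.
            Handler = $key.PSChildName.Trim()
            Clsid   = $clsid
            Dll     = $dll
            Company = $company
            Signer  = $signer
        }
    }
}

$handlers | Sort-Object Handler | Format-Table -AutoSize -Wrap
```

A registered handler only tells Explorer which DLL to ask about each icon; the DLL path and signer show which product is drawing the overlay, not whether any data was transferred.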
 
Joined
Aug 27, 2017
Messages
11
Reaction score
0
Thanks. That confirms that SkyDrivePro1 (ErrorConflict), SkyDrivePro2 (SynchInProgress), and SkyDrivePro3 (InSync) represented by three keys I see, are configured to use icon overlays to identify a process. I knew that to be the case. Does the fact that my desktop icons all get modified by the library descriptors in those keys' data mean that SkyDrive, although disabled, has run or that it has attempted to run? That speaks more to my lingering question: How to know and how to ensure that it does not run, and nor does any other similar program run - whether MS or MS Partner or other - without my permission. It seems completely crazy to me that Windows doesn't allow me to know; it's so fundamental to my data security. This is Windows 10 Pro. I might expect several things to run without users' knowledge or explicit permission (although not without Administrator's) in an amateur, Home, School version.
 
Joined
Feb 18, 2016
Messages
2,835
Reaction score
631
Have you checked in task manager if the above unwanted programs are still enabled?
It's possible that the programs by default, including Seagate portable, have scheduled triggers set by default to perform backup events and the events are still triggering daily, weekly, monthly until they are disabled.
 

Trouble

Noob Whisperer
Moderator
Joined
Nov 19, 2013
Messages
13,396
Reaction score
2,318
It's been a while since Microsoft referenced "SkyDrive" as they were forced to change the name quite some time ago to "OneDrive", so maybe this was an upgrade holdover from an earlier version of Windows.
I wasn't even aware that they offered a "Pro" version. Is this or has it been a business / commercial computer rather than a consumer model as branded by the manufacturer?
I see that SkyDrive Pro has been renamed OneDrive for Business
https://blogs.office.com/en-us/2014...o-are-now-onedrive-and-onedrive-for-business/
 

Trouble

Noob Whisperer
Moderator
Joined
Nov 19, 2013
Messages
13,396
Reaction score
2,318
It's possible that the programs by default, including Seagate portable, have scheduled triggers set by default
Definitely worth looking at task scheduler to see what might be there.
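
Added example, not part of the original posts: a PowerShell sketch for the Task Scheduler and startup check suggested above. It lists enabled scheduled tasks outside `\Microsoft\` with the program each one runs and its trigger types, then the registered startup commands; the filter and the output column names are choices made for this example.

```powershell
# Added example (not from the thread): list enabled scheduled tasks outside
# \Microsoft\ with what they run, plus the registered startup commands.
$tasks = foreach ($t in Get-ScheduledTask) {
    if ($t.State -eq 'Disabled' -or $t.TaskPath -like '\Microsoft\*') { continue }
    $info = $t | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
    foreach ($a in $t.Actions) {
        [pscustomobject]@{
            Task     = $t.TaskPath + $t.TaskName
            # Exec actions carry a program path; COM actions carry a class id.
            Runs     = if ($a.Execute) { "$($a.Execute) $($a.Arguments)".Trim() }
                       else { "COM handler $($a.ClassId)" }
            # e.g. MSFT_TaskDailyTrigger -> Daily
            Triggers = ($t.Triggers | ForEach-Object {
                           $_.CimClass.CimClassName -replace '^MSFT_Task|Trigger$'
                       }) -join ', '
            LastRun  = $info.LastRunTime
            NextRun  = $info.NextRunTime
        }
    }
}
$tasks | Sort-Object Task | Format-List

# Programs registered to start at logon (Run keys and Startup folders).
# This shows what is registered; Task Manager's Startup tab shows whether
# each entry is currently enabled.
Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so tasks belonging to other accounts are included.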
 
