Why is Trend Micro blocking my Windows Update URLs and how do I allow them?

Is your Apex One flagging Microsoft CDN IPs? Here is the fix for false positives.

To resolve the false positive blocking of Windows Update URLs by Trend Micro Apex One, you must adjust the Delivery Optimization settings to bypass peer-to-peer peering and force direct HTTP/HTTPS connections. The proven workaround is to set the Download Mode to ‘Simple’ (ID 99) via Group Policy or the Registry, so that update traffic follows the standard direct-to-CDN path instead of the peering traffic that is being flagged.

Advisory: Trend Micro Apex One False Positives (February 2026)

Security administrators and Windows users should be aware of a widespread false positive issue affecting Trend Micro Apex One as of February 13, 2026. The security agent is currently identifying legitimate Microsoft Windows Update traffic as malicious, triggering blocked URL alerts across managed endpoints. This creates significant noise in threat logs and prevents essential security patches from downloading.

The Root Cause: Microsoft CDN Misidentification

The core issue stems from Trend Micro’s Threat Intelligence incorrectly flagging IP addresses associated with Microsoft’s Content Delivery Network (CDN).

  • Symptoms: Users receive repeated alerts about “blocked malicious URLs.”
  • Source: Traffic originates from legitimate Microsoft domains or IPs, such as 194.36.32.207.
  • Trigger: The specific file streaming service URLs used by Windows Update are being matched against a blocklist.

Reports indicate the URLs look suspicious because of their structure (they contain long, distinct identifiers such as filestreamingservice/files/1320e66c…), but this structure is standard for Microsoft’s Delivery Optimization system.

Immediate Workaround: Enforce “Simple” Download Mode

If your organization is affected, you should not disable your antivirus. Instead, modify how Windows retrieves updates. By switching the Delivery Optimization “Download Mode” to Simple (ID 99), you force Windows to download updates directly from Microsoft’s servers over HTTP/HTTPS, bypassing the complex peering mechanisms that Trend Micro is currently misinterpreting.

You can apply this fix using one of the following methods:

Method 1: Group Policy (Recommended for Domains)

  1. Navigate to Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization.
  2. Locate the policy Download Mode.
  3. Set the mode to Simple (99).

Method 2: Registry Editor (For Single Endpoints)

  1. Open the Registry Editor and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
  2. Create or modify the DWORD value named DODownloadMode.
  3. Set the value to 99 (Decimal).

Note: Do not use value 0 (“HTTP Only”); value 99 is the specific mode for bypassing peering services on servers and ensuring a direct CDN connection.

Verifying the Resolution

After applying the change, you must verify that the policy is active. Open an elevated PowerShell prompt and run the following command:

Get-DeliveryOptimizationStatus | Select-Object DownloadMode

The output should return Simple. Once confirmed, the blocking alerts regarding random external IPs should cease immediately. While recent reports suggest Trend Micro may have deployed a backend fix, keeping Download Mode 99 in place remains a robust, stable configuration for server environments.
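The registry method and the verification step above, combined into one script as an added example (it is not code from the original article or from Trend Micro or Microsoft). The function names are hypothetical; the registry path, value name and the Get-DeliveryOptimizationStatus cmdlet are the ones named in the article, and the DownloadModeSrc property is assumed to be present in that cmdlet's output.

```powershell
# Added example: apply Delivery Optimization "Simple" (99) mode via the registry
# and verify it. Run from an elevated PowerShell prompt; supports -WhatIf.
$DOPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$DOValueName  = 'DODownloadMode'
$SimpleMode   = 99

function Set-DOSimpleMode {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Create the policy key if Group Policy has never written it on this host.
    if (-not (Test-Path $DOPolicyPath)) {
        if ($PSCmdlet.ShouldProcess($DOPolicyPath, 'Create registry key')) {
            New-Item -Path $DOPolicyPath -Force | Out-Null
        }
    }
    $current = (Get-ItemProperty -Path $DOPolicyPath -Name $DOValueName -ErrorAction SilentlyContinue).$DOValueName
    if ($current -eq $SimpleMode) {
        Write-Verbose "$DOValueName is already $SimpleMode; nothing to change."
        return
    }
    # DWORD 99 decimal, exactly as the registry method describes.
    if ($PSCmdlet.ShouldProcess("$DOPolicyPath\$DOValueName", "Set DWORD to $SimpleMode")) {
        New-ItemProperty -Path $DOPolicyPath -Name $DOValueName -PropertyType DWord -Value $SimpleMode -Force | Out-Null
    }
}

function Test-DOSimpleMode {
    # Report both the policy value in the registry and what the DO service says is effective.
    $policy = (Get-ItemProperty -Path $DOPolicyPath -Name $DOValueName -ErrorAction SilentlyContinue).$DOValueName
    $status = Get-DeliveryOptimizationStatus | Select-Object -First 1 DownloadMode, DownloadModeSrc
    # Depending on the Windows build the mode is shown as the name 'Simple' or the number 99; accept either.
    $effective = if ($null -ne $status) { [string]$status.DownloadMode } else { 'unknown (no DO status returned)' }
    [pscustomobject]@{
        PolicyValue   = $policy
        EffectiveMode = $effective
        ModeSource    = if ($null -ne $status) { $status.DownloadModeSrc } else { $null }
        IsSimple      = ($policy -eq $SimpleMode) -and ($effective -in @('Simple', "$SimpleMode"))
    }
}

Set-DOSimpleMode -Verbose
$result = Test-DOSimpleMode
$result | Format-List
if (-not $result.IsSimple) {
    Write-Warning 'Download Mode is not yet Simple (99); run gpupdate /force or restart the Delivery Optimization service, then re-check.'
}
```

Use `Set-DOSimpleMode -WhatIf` first to see which key and value would be written without changing anything.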