Verifying Windows Automatic Update is connecting to a valid Microsoft host or valid update mirror.
How does one verify that a Windows update is actually a valid Windows update in progress and not a malicious trojan downloading newer code?

How does one identify which process (thread) has invoked a network connection to initiate a dial-up connection?

How does one verify that the remote host is a valid Windows Update mirror?

Here's the deal: Windows Vista (pre SP1 and post SP1), automatic update enabled, Norton Live Update also enabled, and internet connection sharing enabled. A more detailed post on LiveJournal. Here's what I have so far:

After a dial-up connection has been initiated, NetStat is used to identify which processes have established connections. Once a process id has been obtained, Process Explorer is used to identify what threads are running under that process id. It is not possible to positively identify which thread owns the network connection, only that one of many threads 'might be' the thread that owns the connection. Once a remote host has been identified, whois is used to identify that host. In some cases the IP assigned to that server is in a block of addresses assigned to a network access point or an internet service provider. (I have a list from today.)

In some cases it appears safe to assume that when Norton's Live Update has established a connection to a known Norton server, it most likely is a Live Update in progress. Similarly, when a BITS connection has been made to a Microsoft server, it is safe to assume that a Windows Automatic Update is in progress. Today it was observed that when the BITS connection was broken, additional servers would be interrogated: non-Microsoft servers.

This gives the appearance of malicious software downloading updated/extended malicious code when one of the hosts in question traces back to DoubleClick, and another to eBay. I don't believe this is the result of malicious code, but what I'm discovering is there is no apparent way to positively identify the reason why a network connection has been made.
A Norton anti-virus scan detects nothing beyond a few tracking cookies. Tools used: netstat, tcpview, process explorer, bitsadmin. I've only just begun to explore netsh which produces extensively detailed diagnostic logs. Since SP1 has now been installed, catching automatic update making a network connection might take several weeks, although Norton seems to activate at 12 hour intervals. With Google toolbar installed on other desktops on the LAN, it has been observed that Google toolbar will also activate a dial up connection to a google host which is expected as that was the desired configuration. Unfortunately, these connections are rarely dropped when they go idle. Note: I am slowly paging through the other posts on this forum; search doesn't help much when everyone describes this condition with different keywords.
June 15th, 2008 8:01am
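The manual triage described in the post (netstat for the owning PID, a process name lookup, then a reverse lookup or whois on the remote address) can be scripted. The following is an added example, not code from the poster; the netstat text, the PID table and the reverse-DNS table are all constructed here with documentation IP ranges, and `triage()` only joins them and labels each connection.

```python
import re

# Constructed sample of `netstat -ano` output (documentation IP ranges, not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.2:49170      192.0.2.10:80          ESTABLISHED     1020
  TCP    192.168.0.2:49171      192.0.2.11:443         ESTABLISHED     1020
  TCP    192.168.0.2:49172      198.51.100.5:80        ESTABLISHED     3344
  TCP    192.168.0.2:49173      203.0.113.7:80         ESTABLISHED     3344
  UDP    0.0.0.0:500            *:*                                    1234
"""
# Constructed PID -> image name table (what `tasklist` reports). svchost.exe hosts
# many services at once; `tasklist /svc` shows which ones (e.g. BITS, wuauserv).
PROCESSES = {1020: "svchost.exe", 3344: "iexplore.exe", 1234: "lsass.exe"}
# Constructed reverse-DNS answers standing in for `nslookup <ip>` / whois output.
# A PTR record is published by whoever holds the address block: a hint, not proof.
PTR = {"192.0.2.10": "download.windowsupdate.com",
       "192.0.2.11": "update.microsoft.com",
       "198.51.100.5": "ad.doubleclick.net"}

UPDATE_HOSTS = (".windowsupdate.com", ".microsoft.com")   # expected update endpoints
UPDATE_PROCS = ("svchost.exe", "wuauclt.exe")             # expected update clients
LINE = re.compile(r"\s*TCP\s+\S+\s+(\d+\.\d+\.\d+\.\d+):\d+\s+ESTABLISHED\s+(\d+)")

def parse_netstat(text):
    """Return (remote_ip, pid) for each ESTABLISHED TCP row of `netstat -ano`."""
    return [(m.group(1), int(m.group(2)))
            for m in map(LINE.match, text.splitlines()) if m]

def verdict(proc, host):
    if host is None:
        return "unresolved"      # no PTR record: fall back to whois on the block
    if host.endswith(UPDATE_HOSTS):
        return "likely-update" if proc in UPDATE_PROCS else "microsoft-host-other-process"
    return "non-microsoft"

def triage(text, procs=PROCESSES, ptr=PTR):
    """Join netstat rows with process names and reverse DNS; one tuple per connection."""
    rows = []
    for ip, pid in parse_netstat(text):
        proc = procs.get(pid, "unknown")
        host = ptr.get(ip)
        rows.append((pid, proc, ip, host, verdict(proc, host)))
    return rows

if __name__ == "__main__":
    for row in triage(NETSTAT_SAMPLE):
        print(*row)
```

On a live machine, `netstat -anob` (run elevated) adds the executable name directly, which removes the need for the separate PID table.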
