USG110 - Where to send false positives queries?
For a few days now, the USG AV scan has been detecting a lot of viruses, but only from our 4 software development computers running MS Visual Studio. The infected transmissions have been blocked so far.
But I'm wondering why the USG dashboard is showing nothing under "top 5 viruses".
System Log entry:
Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.12-win-x64_4922f60dcb21f8c227e2ba022138e Protocol=HTTP
We're thinking this could be a false positive. We are presently scanning the computers with an ESET Rescue Stick for further details.
Where could we report false positives, so that the virus signatures will be updated/corrected?
0
All Replies
-
Hi @USG_User,
We can help you to report false positives.
What is your MS Visual Studio version and signature version?
0 -
Hi Cooldia,
Thanks for your reply.
In the meantime we've done further tests. Scanning the computer using a bootable Rescue AV Scan Stick (ESET) brought no positive results.
Further, we've updated our Visual Studio to the latest release, and since then no more virus alerts have appeared for the 4 development computers. Only one MS Surface device, which had not been updated until now, caused new virus alerts when it was started today. It might have something to do with an automatic update check or something like this. But anyway ..., we are now updating the Surface as well and will see what happens tomorrow morning, since the suspicious traffic occurs only once a day.
USG110 Virus Signature: v1.0.0.20211110.0
Affected MS Visual Studio version:
Latest USG alert log of today:
Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.12-win-x86_51477ce7f3a775da9aa24eb84aaff Protocol=HTTP
2021-11-11 09:27:01,2.22.147.66:80 ,192.168.51.13:58337 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.21-win-x86_e9f9628bcd13460a36ef3d62f9da9 Protocol=HTTP
2021-11-11 09:27:02,2.22.147.66:80 ,192.168.51.13:58337 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.21-win-x86_e9f9628bcd13460a36ef3d62f9da9 Protocol=HTTP
2021-11-11 09:27:02,2.22.147.66:80 ,192.168.51.13:58337 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.21-win-x86_e9f9628bcd13460a36ef3d62f9da9 Protocol=HTTP
2021-11-11 09:27:02,2.22.147.66:80... log shortened
0 -
Hi @USG_User,
Does it still have false positives on MS Surface device after update?
0
-
No, since we've also updated the Surface, the USG A/V alerts for this device IP are gone too. This confirms to us that this was a false positive.
0 -
Last night the daily log report of our USG claimed a new virus detection, but again caused by MS Visual Studio. Here is the log extract:
2022-02-10 08:29:38,2.22.147.10:80 ,192.168.21.36:49827 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=windowsdesktop-runtime-5.0.14-win-x86_02efca54f84ff00d608ae563c Protocol=HTTP
2022-02-10 08:29:39,2.22.147.10:80 ,192.168.21.36:49827 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=windowsdesktop-runtime-5.0.14-win-x86_02efca54f84ff00d608ae563c Protocol=HTTP
2022-02-10 08:29:39,93.184.221.240:80 ,192.168.21.36:49841 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.14-win-x86_f9c51235db94e1c7fdd032c895229 Protocol=HTTP
2022-02-10 08:29:39,93.184.221.240:80 ,192.168.21.36:49841 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.14-win-x86_f9c51235db94e1c7fdd032c895229 Protocol=HTTP
2022-02-10 08:29:39,93.184.221.240:80 ,192.168.21.36:49841 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.14-win-x86_f9c51235db94e1c7fdd032c895229 Protocol=HTTP
2022-02-10 08:29:43,2.22.147.10:80 ,192.168.21.36:49827 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=windowsdesktop-runtime-5.0.14-win-x86_02efca54f84ff00d608ae563c Protocol=HTTP
2022-02-10 08:29:46,2.22.147.41:80 ,192.168.21.36:49829 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=windowsdesktop-runtime-5.0.14-win-x86_02efca54f84ff00d608ae563c Protocol=HTTP
MS Visual Studio seems to automatically check for updates every morning when starting the machine.
But I guess, like last time in November 2021, it's a false positive. Has anybody encountered the same problems?
0
-
Hi @USG_User,
What is your MS Visual Studio version? Does it hit the rule every time when you update MS Visual Studio?
0 -
Zyxel_Cooldia said:... Does it hit the rule every time when you update MS Visual Studio?
In November it did. At the moment we saw it only one time. Have to wait for the next daily USG report of this night, since the colleague is just working with Visual Studio today again.
0 -
Hi Zyxel Support Team,
Recently we've updated another notebook which was offline for a few days. While updating the ASP.net runtime libraries, the USG detected different viruses. Here is an extract from the system log:
2022-05-06 11:23:54,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:23:55,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:23:55,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:23:55,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:23:55,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:23:55,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:23:59,8.241.123.254:80 ,192.168.51.13:51155 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-06 11:24:00,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:24:00,8.241.123.254:80 ,192.168.51.13:51155 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-06 11:24:00,8.241.123.254:80 ,192.168.51.13:51155 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-06 11:24:00,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:24:00,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:24:00,8.241.123.254:80 ,192.168.51.13:51155 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-06 11:24:00,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:24:00,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:24:00,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:24:00,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:24:00,8.241.123.254:80 ,192.168.51.13:51155 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-06 11:24:00,8.241.123.254:80 ,192.168.51.13:51155 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-06 11:24:00,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:24:00,8.241.123.254:80 ,192.168.51.13:51155 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-06 11:24:00,8.241.123.254:80 ,192.168.51.13:51155 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-06 11:24:00,8.241.123.254:80 ,192.168.51.13:51155 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-06 11:24:00,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:24:02,8.241.123.254:80 ,192.168.51.13:51155 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-06 11:24:13,40.74.32.69:4500
It's always the same as described in my former posts above and always connected with updating our MS Visual Studio.
0 -
Hi @USG_User,
In order to investigate this issue further, we need to get the BDSys log for further analysis.
Please follow the link below to run the BDSys scan on Windows and send me the bdsyslog.zip archive file in PM.
BDsysLog scan utility:
0
-
Hi Cooldia,
We've carried out the BDSys Scan, which created a bdsyslog.zip file after thoroughly scanning the entire machine. But before we could share it with you, we would like to countercheck the content of the collected data, since we are residing in the EU and are not allowed by GDPR to share sensitive or personal data! Unfortunately this zip file (containing a json file) is protected by a password, which is not a confidence-building measure. The user should always be able to check their own data! Could you provide the password? Or do you have to forward our file to BitDefender for investigation? This would be a no-go if such data is being forwarded to a third party.
edit 12 May
Today MS published new Windows updates which will be installed automatically here with us. And today the USG reports a new virus alert, but this time another computer is affected, which does not have MS Visual Studio installed.
But this MS Windows Update contains an update of the .NET Framework.
2022-05-12 07:35:05,2.23.176.188:80 ,192.168.21.33:50009 , crit ,anti-virus ,FILE DESTROY , wan1 ,lan1 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=dotnet-runtime-5.0.17-win-x64_f204eb09203562b5b5a0ba3292fede9c1 Protocol=HTTP
I've checked the source IP 2.23.176.188 and it seems it belongs to Akamai Technologies, which is part of many update processes. Does anybody have an idea?
0
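A triage aid for the alert logs posted in this thread, as an added example (not code from any poster or from Zyxel): it collapses the repeated alerts into one row per client and file, which is the evidence a false-positive report needs. The column meanings are inferred from the quoted lines, and the sample lines are copied from the posts above, including the truncated one.

```python
import re
from collections import defaultdict

# Sample lines copied from the posts above; the last one is the truncated entry.
SAMPLE_LOG = """\
2022-05-06 11:23:54,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:23:55,41.63.96.128:80 ,192.168.51.13:51138 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:23:59,8.241.123.254:80 ,192.168.51.13:51155 , crit ,anti-virus ,FILE DESTROY , wan1 ,vlan51 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-12 07:35:05,2.23.176.188:80 ,192.168.21.33:50009 , crit ,anti-virus ,FILE DESTROY , wan1 ,lan1 ,tcp , Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=dotnet-runtime-5.0.17-win-x64_f204eb09203562b5b5a0ba3292fede9c1 Protocol=HTTP
2022-05-06 11:24:13,40.74.32.69:4500
"""

# Message column as it appears in the quoted alerts ("Virus=" may contain spaces).
MSG_RE = re.compile(
    r"Rule_id=(?P<rule>\d+) SSI=\S+ Virus=(?P<virus>.+?) "
    r"File=(?P<file>\S+) Protocol=(?P<proto>\S+)")

def parse_line(line):
    """Return one alert as a dict, or None for truncated/foreign lines."""
    # Assumed column order: time, server, client, priority, category,
    # action, in-iface, out-iface, transport, message.
    cols = [c.strip() for c in line.split(",", 9)]
    if len(cols) < 10:
        return None
    m = MSG_RE.search(cols[9])
    if m is None:
        return None
    return {"time": cols[0], "server": cols[1].rsplit(":", 1)[0],
            "client": cols[2].rsplit(":", 1)[0], **m.groupdict()}

def summarize(text):
    """Group alerts by (client IP, file name); count unparsable lines."""
    groups = defaultdict(lambda: {"hits": 0, "servers": set(),
                                  "rules": set(), "first": None, "last": None})
    skipped = 0
    for line in filter(str.strip, text.splitlines()):
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        g = groups[(ev["client"], ev["file"])]
        g["hits"] += 1
        g["servers"].add(ev["server"])
        g["rules"].add(ev["rule"])
        # "YYYY-MM-DD HH:MM:SS" strings order correctly as plain text.
        g["first"] = min(g["first"] or ev["time"], ev["time"])
        g["last"] = max(g["last"] or ev["time"], ev["time"])
    return dict(groups), skipped

if __name__ == "__main__":
    for (client, name), g in summarize(SAMPLE_LOG)[0].items():
        print(client, name, g["hits"], g["first"], g["last"], sorted(g["servers"]))
```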