USG110 - Where to send false positives queries?

USG_User
USG_User Posts: 374  Master Member
5 Answers First Comment Friend Collector Sixth Anniversary
edited November 2021 in Security
For a few days now the USG AV scan has been detecting a lot of viruses, but only from our 4 software development computers running MS Visual Studio. The infected transmissions have been blocked so far.
But I'm wondering why the USG dashboard shows nothing under "top 5 viruses".

System Log entry:
Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.12-win-x64_4922f60dcb21f8c227e2ba022138e Protocol=HTTP

We're thinking this could be a false positive. We are presently scanning the computers with an ESET Rescue Stick for further details.

Where can we report false positives so that the virus signatures will be updated/corrected?

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @USG_User,
    We can help you to report false positives.
    What is your MS Visual Studio version and signature version?
  • USG_User
    USG_User Posts: 374  Master Member
    Hi Cooldia,

    Thanks for your reply.

    In the meantime we've done further tests. Scanning the computer using a bootable Rescue AV Scan Stick (ESET) brought no positive results.
    Furthermore, we've updated our Visual Studio to the latest release, and since then no more virus alerts have appeared from the 4 development computers. Only one MS Surface device, which has not been updated until now, caused new virus alerts when it was started today. It might have something to do with an automatic update check or something like this. But anyway..., we are now updating the Surface as well and will see what happens tomorrow morning, since the suspicious traffic occurs only once a day.

    USG110 Virus Signature:     v1.0.0.20211110.0

    Affected MS Visual Studio version:


    Latest USG alert log of today:

    Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.12-win-x86_51477ce7f3a775da9aa24eb84aaff Protocol=HTTP
    2021-11-11 09:27:01,2.22.147.66:80                                  ,192.168.51.13:58337                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.21-win-x86_e9f9628bcd13460a36ef3d62f9da9 Protocol=HTTP
    2021-11-11 09:27:02,2.22.147.66:80                                  ,192.168.51.13:58337                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.21-win-x86_e9f9628bcd13460a36ef3d62f9da9 Protocol=HTTP
    2021-11-11 09:27:02,2.22.147.66:80                                  ,192.168.51.13:58337                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.21-win-x86_e9f9628bcd13460a36ef3d62f9da9 Protocol=HTTP
    2021-11-11 09:27:02,2.22.147.66:80
    ... log shortened

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Does it still have false positives on MS Surface device after update?
  • USG_User
    USG_User Posts: 374  Master Member
    No, since we've also updated the Surface, the USG A/V alerts for this device IP are gone as well. This confirms to us that it was a false positive.
  • USG_User
    USG_User Posts: 374  Master Member
    This night the daily log report of our USG claimed a new virus detection, but again caused by MS Visual Studio. Here is the log extract:

    2022-02-10 08:29:38,2.22.147.10:80 ,192.168.21.36:49827 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=windowsdesktop-runtime-5.0.14-win-x86_02efca54f84ff00d608ae563c Protocol=HTTP
    2022-02-10 08:29:39,2.22.147.10:80 ,192.168.21.36:49827 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=windowsdesktop-runtime-5.0.14-win-x86_02efca54f84ff00d608ae563c Protocol=HTTP
    2022-02-10 08:29:39,93.184.221.240:80 ,192.168.21.36:49841 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.14-win-x86_f9c51235db94e1c7fdd032c895229 Protocol=HTTP
    2022-02-10 08:29:39,93.184.221.240:80 ,192.168.21.36:49841 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.14-win-x86_f9c51235db94e1c7fdd032c895229 Protocol=HTTP
    2022-02-10 08:29:39,93.184.221.240:80 ,192.168.21.36:49841 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.14-win-x86_f9c51235db94e1c7fdd032c895229 Protocol=HTTP
    2022-02-10 08:29:43,2.22.147.10:80 ,192.168.21.36:49827 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=windowsdesktop-runtime-5.0.14-win-x86_02efca54f84ff00d608ae563c Protocol=HTTP
    2022-02-10 08:29:46,2.22.147.41:80 ,192.168.21.36:49829 ,crit ,anti-virus ,FILE DESTROY ,wan1 ,lan1 ,tcp ,Virus infected Rule_id=7 SSI=N Virus=Malicious Virus File=windowsdesktop-runtime-5.0.14-win-x86_02efca54f84ff00d608ae563c Protocol=HTTP

    MS Visual Studio seems to automatically check for updates every morning when the machine is started. But I guess, like last time in November 2021, it's a false positive. Has anybody encountered the same problem?
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Hi @USG_User,
    What is your MS Visual Studio version? Does it hit the rule every time when you update MS Visual Studio?
  • USG_User
    USG_User Posts: 374  Master Member
    > ... Does it hit the rule every time when you update MS Visual Studio?

    In November it did. At the moment we saw it only one time. We have to wait for the next daily USG report of this night, since the colleague is just working with Visual Studio again today.

  • USG_User
    USG_User Posts: 374  Master Member
    Hi Zyxel Support Team,
    Recently we've updated another notebook which was offline for a few days. During the update of the ASP.NET runtime libraries the USG detected different viruses. Here is an extract from the system log:

    2022-05-06 11:23:54,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:23:55,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:23:55,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:23:55,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:23:55,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:23:55,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:23:59,8.241.123.254:80                                ,192.168.51.13:51155                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
    2022-05-06 11:24:00,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:24:00,8.241.123.254:80                                ,192.168.51.13:51155                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
    2022-05-06 11:24:00,8.241.123.254:80                                ,192.168.51.13:51155                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
    2022-05-06 11:24:00,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:24:00,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:24:00,8.241.123.254:80                                ,192.168.51.13:51155                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
    2022-05-06 11:24:00,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:24:00,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:24:00,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:24:00,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:24:00,8.241.123.254:80                                ,192.168.51.13:51155                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
    2022-05-06 11:24:00,8.241.123.254:80                                ,192.168.51.13:51155                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
    2022-05-06 11:24:00,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:24:00,8.241.123.254:80                                ,192.168.51.13:51155                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
    2022-05-06 11:24:00,8.241.123.254:80                                ,192.168.51.13:51155                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
    2022-05-06 11:24:00,8.241.123.254:80                                ,192.168.51.13:51155                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
    2022-05-06 11:24:00,41.63.96.128:80                                 ,192.168.51.13:51138                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
    2022-05-06 11:24:02,8.241.123.254:80                                ,192.168.51.13:51155                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,vlan51                ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
    2022-05-06 11:24:13,40.74.32.69:4500                  

    It's always the same as described in my former posts above, and always connected with updating our MS Visual Studio.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    In order to further investigate this issue, we need the BDSys log for further analysis.
    Please follow the link below to run a BDSys scan on Windows and send me the bdsyslog.zip archive file in a PM.
    BDsysLog scan utility:
  • USG_User
    USG_User Posts: 374  Master Member
    edited May 2022
    Hi Cooldia,
    We've carried out the BDSys Scan, which created a bdsyslog.zip file after thoroughly scanning the entire machine. But before we can share it with you, we would like to countercheck the content of the collected data, since we reside in the EU and are not allowed under GDPR to share sensitive or personal data! Unfortunately this zip file (containing a json file) is protected by a password, which is not a confidence-building measure. The user should always be able to check their own data! Could you provide the password? Or do you have to forward our file to BitDefender for investigation? That would be a no-go if such data were forwarded to a third party.

    edit 12 May
    Today MS published new Windows updates, which are installed automatically here. And today the USG reports a new virus alert, but this time another computer is affected which does not have MS Visual Studio installed.
    But this MS Windows Update contains an update of the .NET Framework.

    2022-05-12 07:35:05,2.23.176.188:80                                 ,192.168.21.33:50009                             ,     crit               ,anti-virus            ,FILE DESTROY         ,     wan1               ,lan1                  ,tcp                  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=dotnet-runtime-5.0.17-win-x64_f204eb09203562b5b5a0ba3292fede9c1 Protocol=HTTP

    I've checked the source IP 2.23.176.188 and it seems it belongs to Akamai Technologies, which is part of many update processes. Does anybody have an idea?
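To triage alerts like the ones quoted throughout this thread, here is an added Python example (not from the thread, from Zyxel or from BitDefender) that parses USG anti-virus log lines in the comma-separated layout shown above, collapses the repeated lines the firewall writes for one blocked TCP connection into a single download, and marks file names matching the .NET runtime installer naming seen in the posts as candidates for a false-positive report. The sample log text is constructed for this example (it reuses the layout and some file names from the posts plus a constructed non-runtime line); the installer-name pattern, the verdict labels and the field names are assumptions. A name match is only a triage hint: before allow-listing or filing a false-positive report, the downloaded file's hash should be compared with the vendor's published checksum.

```python
import re
from dataclasses import dataclass

# Field order of the USG system-log export, as in the lines quoted in the thread.
AV_FIELDS = ("time", "src", "dst", "priority", "category", "action",
             "in_if", "out_if", "proto", "message")

# Anti-virus message: "Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=<name> Protocol=HTTP"
MSG_RE = re.compile(
    r"Virus infected Rule_id=(?P<rule>\d+) SSI=(?P<ssi>\w+) "
    r"Virus=(?P<virus>.+?) File=(?P<file>\S+) Protocol=(?P<protocol>\S+)$")

# Assumed naming of the .NET runtime installers in the thread:
# <product>-runtime-<version>-win-<arch>_<hex prefix>
RUNTIME_INSTALLER_RE = re.compile(
    r"^(?:aspnetcore|dotnet|windowsdesktop)-runtime-\d+\.\d+\.\d+-win-(?:x86|x64)_[0-9a-f]+$")

# Constructed sample log: same layout as the thread, padding included, plus one
# constructed non-runtime file and one non-AV line to show the filtering.
SAMPLE_LOG = """\
2022-05-06 11:23:54,41.63.96.128:80        ,192.168.51.13:51138   ,     crit   ,anti-virus  ,FILE DESTROY  ,     wan1  ,vlan51  ,tcp  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:23:55,41.63.96.128:80        ,192.168.51.13:51138   ,     crit   ,anti-virus  ,FILE DESTROY  ,     wan1  ,vlan51  ,tcp  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:24:00,41.63.96.128:80        ,192.168.51.13:51138   ,     crit   ,anti-virus  ,FILE DESTROY  ,     wan1  ,vlan51  ,tcp  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.24-win-x86_c849348472b1afec66d6c87551009 Protocol=HTTP
2022-05-06 11:23:59,8.241.123.254:80       ,192.168.51.13:51155   ,     crit   ,anti-virus  ,FILE DESTROY  ,     wan1  ,vlan51  ,tcp  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-06 11:24:00,8.241.123.254:80       ,192.168.51.13:51155   ,     crit   ,anti-virus  ,FILE DESTROY  ,     wan1  ,vlan51  ,tcp  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-5.0.16-win-x86_b4c60a88837684f07f3b2fb9225aa Protocol=HTTP
2022-05-12 07:35:05,2.23.176.188:80        ,192.168.21.33:50009   ,     crit   ,anti-virus  ,FILE DESTROY  ,     wan1  ,lan1    ,tcp  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=dotnet-runtime-5.0.17-win-x64_f204eb09203562b5b5a0ba3292fede9c1 Protocol=HTTP
2022-05-12 07:41:10,203.0.113.7:80         ,192.168.21.40:51002   ,     crit   ,anti-virus  ,FILE DESTROY  ,     wan1  ,lan1    ,tcp  ,     Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=invoice_scan.exe Protocol=HTTP
2022-05-12 07:41:11,203.0.113.7:80         ,192.168.21.40:51002   ,     notice ,app-patrol  ,ALLOW         ,     wan1  ,lan1    ,tcp  ,     some other category line
"""


@dataclass
class AvEvent:
    time: str
    server: str    # remote ip:port the file was fetched from
    client: str    # internal ip:port, i.e. the TCP connection that fetched it
    action: str
    rule_id: int
    virus: str
    file: str
    protocol: str


def parse_line(line):
    """Return an AvEvent for an anti-virus log line, None for anything else."""
    parts = [p.strip() for p in line.split(",", len(AV_FIELDS) - 1)]
    if len(parts) != len(AV_FIELDS) or parts[4] != "anti-virus":
        return None
    rec = dict(zip(AV_FIELDS, parts))
    m = MSG_RE.match(rec["message"])
    if not m:
        return None
    return AvEvent(time=rec["time"], server=rec["src"], client=rec["dst"],
                   action=rec["action"], rule_id=int(m["rule"]), virus=m["virus"],
                   file=m["file"], protocol=m["protocol"])


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def summarize(events):
    """Group events per file. The USG logs the same blocked transfer several times,
    so distinct client sockets, not log lines, count as distinct downloads."""
    out = {}
    for ev in events:
        s = out.setdefault(ev.file, {"lines": 0, "downloads": set(), "servers": set(),
                                     "clients": set(), "days": set()})
        s["lines"] += 1
        s["downloads"].add(ev.client)
        s["servers"].add(ev.server.rsplit(":", 1)[0])
        s["clients"].add(ev.client.rsplit(":", 1)[0])
        s["days"].add(ev.time[:10])
    return out


def triage(events):
    """Map file name -> verdict. A runtime-installer name only makes the alert a
    candidate for false-positive reporting; the hash must still be checked
    against the vendor's published checksum before anything is allow-listed."""
    return {f: ("candidate-false-positive" if RUNTIME_INSTALLER_RE.match(f) else "investigate")
            for f in summarize(events)}


def report(text):
    events = parse_log(text)
    summary, verdicts = summarize(events), triage(events)
    lines = []
    for f, s in summary.items():
        lines.append(f"{verdicts[f]:25} {f}  lines={s['lines']} downloads={len(s['downloads'])} "
                     f"servers={sorted(s['servers'])} clients={sorted(s['clients'])} days={sorted(s['days'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it as-is on the constructed sample and the 15 or so repeated "FILE DESTROY" lines for one installer collapse to a single download per client socket, which is the figure worth putting into a false-positive report together with the signature version and the file hash.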
