ATP100 - Anti-Malware - False Positive?

Options
e_mano_e
e_mano_e Posts: 86  Ally Member
First Anniversary 10 Comments Friend Collector First Answer
Hi,

the CDR feature of the ATP100 generated many e-mails regarding Malware from different Client computers. All client IP adresses are clients with McAfee/Trellix antivirus installed.

The log entry from the ATP100 is this:
Virus infected SSI:N Type:Anti-Malware Signature Virus:DeepScan.Generic.64beffbe File:McAfee_Common_x64.msi Protocol:HTTP

When I remember correctly the engine used for Anti-Malware on the ATP is McAfee.
So the McAfee engine founds a virus in a McAfee file. Interesting!

Is there a place where I can submit this false positive to Zyxel or McAfee?

Thanks.

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @e_mano_e,
    McAfee is content filter service. As for Anti-malware, it is Bitdefender.
    Will this log trigger every time when update McAfee/Trellix antivirus?
    Could you share the 
    McAfee/Trellix antivirus version information ?
  • e_mano_e
    e_mano_e Posts: 86  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    @Zyxel_Cooldia
    McAfee shows version numbers for each module installed.

    McAfee Data Exchange Layer: Version 6.0.3.646
    McAfee Agent: Version 5.7.6.251
    McAfee DLP Endpoint: Version 11.6.500.172
    McAfee Client Proxy: Version 4.4.056
    McAfee Endpoint Security Plattform: Version 10.7.0.3460
    McAfee Adaptiver Bedrohungsschutz: Version 10.7.0.3590
    McAfee Bedrohungsschutz: Version 10.7.0.3497

    This log entry seems to be created once per day.
    I've just got another customer call complaining about many CDR emails from the ATP100.
    Yesterday it was another customer. Also in the morning (here in Germany).

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @e_mano_e,
    We are working on it, will get back to you as soon as possible.

  • e_mano_e
    e_mano_e Posts: 86  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    @Zyxel_Cooldia
    This problem still exists!

    I just installed Trellix Endpoint Security and my ATP100 log says this:

    Virus infected SSI:N Type:Anti-Malware Signature Virus:Trojan.GenericKD.c42558a9 File:McAfee_Common_x64.msi Protocol:HTTP

    Under "Monitor" - "Anti-Malware" a Virus name is listed but no Hash value.
    Because of the missing Hash value I was not able to add this false/positive to the allow list.
    I had to disable the Anti-Malware security service.



    The signatures are as follows:




    This issue needs to be addressed now.
    Thanks.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    It's pattern match, so there is no hash value for this.
    You can add Trellix Endpoint Security update server's IP in IP exception list temporarily to avoid this. (CONFIGURATION > Security Service > IP Exception)
    Please help us to capture packets on ATP100, we would like to check if it is false positive.

    Steps
    1) Click "Anti-Malware Signature" update firstly.

    2) Disable "Destroy infected file" temporarily.
       -To avoid infected file is destroyed by firewall. please disable "Destroy infected file" temporarily to capture Trellix Endpoint Security update.
     
    3) Go to "MAINTENANCE > Diagnostics > Packets catpure", and set up filter
       interface = internal interface/lan
       Host IP = Text PC's IP

    4) Click "Capture" to start.
    5) Open Trellix Endpoint Security and run update.
    6) Once it is done, click "Stop" button, and download packets file.

    After completing actions above, please send me followings files in PM.
    1) Screenshot on AV signature version
    2) Screenshot on "MONITOR > Security Statistics > Anti-Malware".
    3) Screenshot on "MONITOR > Log > View Log" for blocked Anti-malware log.
    4) Packets trace file.


Security Highlight