ATP100 - Anti-Malware - False Positive?

e_mano_e · June 2022

Hi,

the CDR feature of the ATP100 generated many e-mails regarding Malware from different Client computers. All client IP adresses are clients with McAfee/Trellix antivirus installed.

The log entry from the ATP100 is this:
Virus infected SSI:N Type:Anti-Malware Signature Virus:DeepScan.Generic.64beffbe File:McAfee_Common_x64.msi Protocol:HTTP

When I remember correctly the engine used for Anti-Malware on the ATP is McAfee.
So the McAfee engine founds a virus in a McAfee file. Interesting!

Is there a place where I can submit this false positive to Zyxel or McAfee?

Thanks.

Zyxel_Cooldia · June 2022

Hi @e_mano_e,
McAfee is content filter service. As for Anti-malware, it is Bitdefender.
Will this log trigger every time when update McAfee/Trellix antivirus?
Could you share the McAfee/Trellix antivirus version information ?

e_mano_e · June 2022

@Zyxel_Cooldia
McAfee shows version numbers for each module installed.

McAfee Data Exchange Layer: Version 6.0.3.646
McAfee Agent: Version 5.7.6.251
McAfee DLP Endpoint: Version 11.6.500.172
McAfee Client Proxy: Version 4.4.056
McAfee Endpoint Security Plattform: Version 10.7.0.3460
McAfee Adaptiver Bedrohungsschutz: Version 10.7.0.3590
McAfee Bedrohungsschutz: Version 10.7.0.3497

This log entry seems to be created once per day.
I've just got another customer call complaining about many CDR emails from the ATP100.
Yesterday it was another customer. Also in the morning (here in Germany).

Zyxel_Cooldia · July 2022

Hi @e_mano_e,
We are working on it, will get back to you as soon as possible.

e_mano_e · January 2023

@Zyxel_Cooldia
This problem still exists!

I just installed Trellix Endpoint Security and my ATP100 log says this:

Virus infected SSI:N Type:Anti-Malware Signature Virus:Trojan.GenericKD.c42558a9 File:McAfee_Common_x64.msi Protocol:HTTP

Under "Monitor" - "Anti-Malware" a Virus name is listed but no Hash value.
Because of the missing Hash value I was not able to add this false/positive to the allow list.
I had to disable the Anti-Malware security service.

Image: https://us.v-cdn.net/6029482/uploads/editor/58/ne95gwy8d6sy.png

The signatures are as follows:

Image: https://us.v-cdn.net/6029482/uploads/editor/zk/mxw6o3t4hsoq.png

This issue needs to be addressed now.
Thanks.

Zyxel_Cooldia · January 2023

Hi @e_mano_e,

It's pattern match, so there is no hash value for this.

You can add Trellix Endpoint Security update server's IP in IP exception list temporarily to avoid this. (CONFIGURATION > Security Service > IP Exception)

Please help us to capture packets on ATP100, we would like to check if it is false positive.

Steps

1) Click "Anti-Malware Signature" update firstly.

Image: https://us.v-cdn.net/6029482/uploads/editor/mq/ok8mqi7qen4u.png

2) Disable "Destroy infected file" temporarily.

-To avoid infected file is destroyed by firewall. please disable "Destroy infected file" temporarily to capture Trellix Endpoint Security update.

Image: https://us.v-cdn.net/6029482/uploads/editor/kc/1qgi1rjczxr3.png

3) Go to "MAINTENANCE > Diagnostics > Packets catpure", and set up filter

interface = internal interface/lan

Host IP = Text PC's IP

Image: https://us.v-cdn.net/6029482/uploads/editor/aa/c9y8h8nwtjyx.png

4) Click "Capture" to start.

5) Open Trellix Endpoint Security and run update.

6) Once it is done, click "Stop" button, and download packets file.

After completing actions above, please send me followings files in PM.

1) Screenshot on AV signature version

2) Screenshot on "MONITOR > Security Statistics > Anti-Malware".

3) Screenshot on "MONITOR > Log > View Log" for blocked Anti-malware log.
4) Packets trace file.

ATP100 - Anti-Malware - False Positive?

All Replies

Categories

Security Help Center