False malicious activities / windows update

Options
Hi, one of my customers received two alerts "Collaborative Detect & Response found malicious activities"

Checking the details, they look like Windows Updates, coming from a Redmond IP.

13.107.12.50 80 192.168.xxxxx 50884 FILE DESTROY unknown Gen.Variant.MSILHeracles.d9848e25 AD2F1837.HPPrinterControl_137.1.291.0_neutral_~_v10z8vjag6ke6.M


13.107.4.50 80 192.168.xxxxx 50859 FILE DESTROY unknown Wildcore.Virus.4a4ec363 Microsoft.SkypeApp_15.86.3409.0_neutral_~_kzf8qxf38zg5c.Msixbun

FIREWALL FW-ATP700 / Nebula Managed. 
firmware  V5.30(ABTJ.0)

AntiMalware Signature Information
Current Version:
2.1.3.20220724.0
Released Date:
2022-07-24 19:46 (UTC+02:00)

«13456

All Replies

  • itariant
    itariant Posts: 15  Freshman Member
    First Anniversary 10 Comments
    Options
    it's happening to my customers with ATP 200/500 too



  • xkp68
    xkp68 Posts: 26  Freshman Member
    First Anniversary First Comment
    Options
    Same here , on a fresh windows 10 installation running windows update.
  • Notarmic
    Notarmic Posts: 4
    First Anniversary First Comment
    Options
    Yes, I also receive many alerts
    i think i will deactivate the CDR
  • Notarmic
    Notarmic Posts: 4
    First Anniversary First Comment
    Options
    the problem is that the CDR makes a DESTROY FILE
    and this could in my opinion create problems for microsoft update
  • Notarmic
    Notarmic Posts: 4
    First Anniversary First Comment
    Options
    I write to Zyxel support and they told me it is skype update
    have reported the problem to the antimalware manufacturer
  • e_mano_e
    e_mano_e Posts: 86  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    @Notarmic: How have you reported the problem to the antimalware manufacturer?
    Is there a special website available where one can report false positives?
  • WJS
    WJS Posts: 143  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    I have issue before. But I noticed that log does not happen anymore.
    I have signature version 2.1.3.20220725.0 .
    Do you all still have the issue after install latest signature?
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 797  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited July 2022
    Options
    The Signature Virus will be excluded in the next signature version.
    Thank you all for your feedback.
    Kevin
  • MarcoLuvisi
    MarcoLuvisi Posts: 12  Freshman Member
    First Anniversary Nebula Gratitude
    edited July 2022
    Options
    just updated the signature this morning and now the Gen.Variant.MSILHeracles.d9848e25 has stopped but now we have this new one:

    Gen.Variant.Barys.413913b9

    and we still have this one:

    Wildcore.Virus.4a4ec363

    Virus infected SSI:N Type:Anti-Malware Signature Virus:Wildcore.Virus.4a4ec363 File:Microsoft.SkypeApp_15.86.3409.0_neutral_~_kzf8qxf38zg5c.Ms

    signature now is: 2.1.3.20220726.0

    is this going to be fixed with the next signature update? these issues happened already 2-3 times to our clients with ATP and CDR enabled (and to be conservative we usually configure CDR-Malware detection to BLOCK clients network communication so when this happens clients' PC are blocked and cannot work). please fix these issues or change malware definitions manufacturer cause clients' trust into Zyxel products is falling down due to that and various vulnerabilities that are continuosly discovered





  • Zyxel_Kevin
    Zyxel_Kevin Posts: 797  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    The Virus signature "Wildcore.Virus.4a4ec363" will be removed in the next signature version. 
    For the virus "Gen.Variant.Barys.413913b9" . You can add the whilelist for it if it impact the service.

    And provide the entire packets for us when you try to reproduce it. Thank you
    Kevin

Security Highlight