False malicious activities / windows update

Options
2456

All Replies

  • Systrategy
    Systrategy Posts: 3
    First Comment
    Options
    Unfortunately, this has become an issue for all our customers running ATPs (200/500), like itariant pointed out.
    We hope to see this fixed soon.
  • MarcoLuvisi
    MarcoLuvisi Posts: 12  Freshman Member
    First Anniversary Nebula Gratitude
    Options
    i know that I can add it to the whitelist but I would avoid to add things to whitelist. if a real attack-variant of Gen.Variant.Barys.413913b9 happens it would pass through the network without any block
  • Alferic
    Alferic Posts: 4
    First Anniversary First Comment
    edited July 2022
    Options
    Same here, with USG110 signature 1.0.0.20220725.0 and this is the log: 
    Virus infected Rule_id=X SSI=N Virus=A Gen.Variant.MSILHeracles.d9848e25 File=R1i0taOmKOo5ANcodkP4lSXFhFo6NnChrVWY4oKQ8KxBaYWSLC+40l7WK9Tpd Protocol=HTTP


  • MarcoLuvisi
    MarcoLuvisi Posts: 12  Freshman Member
    First Anniversary Nebula Gratitude
    edited July 2022
    Options
    Virus infected SSI:N Type:Anti-Malware Signature Virus:Gen.Variant.Barys.413913b9 File:35ab3bed-e32b-4bd1-9d46-ca69e91c7726 Protocol:HTTP

    source external ip is 209.197.3.8 that seems to be used by microsoft for CDN (updates and similar)


    IP is the same of the one that is found for the Wildcore signature

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 769  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @Systrategy @MacroLuvisi @Alferic
    Thank your feedback, We will investigate these signatures as soon as possible.
    Also, Did you know what is the operation that triggers these ?
    Could you kindly provide the operation step or download link ?
    Kevin
  • MarcoLuvisi
    MarcoLuvisi Posts: 12  Freshman Member
    First Anniversary Nebula Gratitude
    Options
    it comes from various PC clients on the network but the fact that the IP is the same makes me thinkk it is skype update as indicated by previous emails
  • MarcoLuvisi
    MarcoLuvisi Posts: 12  Freshman Member
    First Anniversary Nebula Gratitude
    edited July 2022
    Options
    Virus infected SSI:N Type:Anti-Malware Signature Virus:Gen.Variant.Barys.413913b9 File:Microsoft.MicrosoftOfficeHub_18.2205.1091.0_neutral_~_8wekyb3d8 Protocol:HTTP [count=8]

    something also related to office updates or similar (MicrosoftOfficeHub)
  • MarcoLuvisi
    MarcoLuvisi Posts: 12  Freshman Member
    First Anniversary Nebula Gratitude
    Options
    it is not stopped..it is happening again even after latest signatures released yesterday night:

    2.1.3.20220727.0



  • MarcoLuvisi
    MarcoLuvisi Posts: 12  Freshman Member
    First Anniversary Nebula Gratitude
    Options
    Virus infected SSI:N Type:Anti-Malware Signature Virus:Wildcore.Virus.4a4ec363 File:6313b3e0-e981-4721-898b-52b5cd56c894 Protocol:HTTP [count=7]

  • MarcoLuvisi
    MarcoLuvisi Posts: 12  Freshman Member
    First Anniversary Nebula Gratitude
    Options
    also this one sometimes (as reported by user Gianmarco who opened the thread)

    Virus infected SSI:N Type:Anti-Malware Signature Virus:Gen.Variant.Barys.413913b9 File:AD2F1837.HPPrinterControl_137.1.291.0_neutral_~_v10z8vjag6ke6.M Protocol:HTTP

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)