How to resolve Anti-Malware and Sandboxing false positive case

Zyxel_Jeff, Zyxel Employee
edited November 2022 in Security Service
Sometimes, when you run a program update such as Windows Update or an antivirus update, Anti-Malware or Sandboxing reports the downloaded file as suspicious or malicious, and the firewall drops it, so the download fails. If you have confirmed that the file is legitimate, this is a false positive. This article explains how to handle that situation.
 
How to inspect whether the file is malicious or not?

You can upload the file that Anti-Malware or Sandboxing flagged as suspicious or malicious to VirusTotal (https://www.virustotal.com/gui/home/upload) to check whether the file is malicious.


If the VirusTotal detection result is clean, the detection is potentially a false positive.


How to resolve it temporarily?

For example, while running Windows Update, two .NET programs, dotnet-runtime-3.1.31-win- and aspnetcore-runtime-3.1.31-win, were detected as suspicious and dropped by the firewall, so Windows Update could not complete.


Sandboxing false-positive case

Two programs were detected as suspicious by Sandboxing.


MD5 hash values of each file


Add the MD5 values of those two files to the Allow List in Anti-Malware (Configuration > Security Service > Anti-Malware > Block/Allow List > Allow List) so that the program update can complete for now, and report the false positive to Zyxel.


Anti-Malware false-positive case

For example, a file called amupdate.exe is detected as malicious by Anti-Malware while the user is running the regular McAfee update.


Add the MD5 value of the file to the Allow List in Anti-Malware (Configuration > Security Service > Anti-Malware > Block/Allow List > Allow List) so that the program update can complete for now, and report the false positive to Zyxel.


How to report the false-positive case to Zyxel?

Please provide the following information to us:

(1). A screenshot of the Monitor Log, Security Statistics, or the dashboard that shows the file name and MD5 value.

(2). A screenshot of the VirusTotal detection result.

(3). File name

(4). MD5 hash value

(5). The file itself (for example, the .exe file)

(6). (Anti-Malware false positive cases only) The scan mode (Express, Stream, or Hybrid) and the signature version.
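The VirusTotal check above and the report checklist both hinge on the file's MD5 value, which must be the same hash the firewall logged and the same one you add to the Allow List. The script below is an added example (not Zyxel's tool or part of this article) that hashes the dropped file in chunks, builds a VirusTotal lookup link by hash, checks that the computed MD5 matches the value copied from the Monitor Log, and collects items (3) to (6) of the checklist into one record. The file name amupdate.exe is reused from the example above; the file contents, the scan mode and the signature version placeholder are constructed for the demo and must be replaced with your own values. Note that a clean VirusTotal result supports, but does not prove, that the file is harmless, which is why the case is still reported to Zyxel for confirmation.

```python
"""Collect the evidence for a Zyxel Anti-Malware / Sandboxing false-positive
report: file name, MD5, SHA-256, a VirusTotal lookup link and, for an
Anti-Malware case, the scan mode and signature version.

Added example, not Zyxel's code. Sample file contents are constructed.
"""
import hashlib
import json
import os
import tempfile

# Constructed placeholders: replace with the values shown on your firewall
# (Anti-Malware cases only; Sandboxing cases do not need them).
SCAN_MODE = "Express"  # one of "Express", "Stream", "Hybrid"
SIGNATURE_VERSION = "<signature version from firewall>"


def file_hashes(path, chunk_size=1024 * 1024):
    """Return (md5, sha256) hex digests of the file at `path`.

    The file is read in chunks so a large installer never has to be
    loaded into memory in one piece.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def virustotal_lookup_url(digest):
    """VirusTotal's per-file page is addressed by hash (MD5, SHA-1 or
    SHA-256), so a file that was already analysed can be checked without
    uploading it again."""
    return f"https://www.virustotal.com/gui/file/{digest.lower()}"


def build_report(path, logged_md5, anti_malware=False):
    """Assemble checklist items (3) to (6) as a dict.

    `logged_md5` is the value copied from the firewall's Monitor Log or
    Security Statistics; the report is only consistent if it matches the
    hash of the file you actually have on disk (compared case-insensitively,
    because the firewall UI and hashing tools differ in letter case).
    """
    md5, sha256 = file_hashes(path)
    report = {
        "file_name": os.path.basename(path),
        "md5": md5,
        "sha256": sha256,
        "size_bytes": os.path.getsize(path),
        "virustotal_url": virustotal_lookup_url(sha256),
        "md5_matches_firewall_log": md5 == logged_md5.strip().lower(),
    }
    if anti_malware:
        report["scan_mode"] = SCAN_MODE
        report["signature_version"] = SIGNATURE_VERSION
    return report


def demo_report():
    """Run build_report on a constructed stand-in for the dropped file.

    The stand-in contains the bytes b"abc", whose MD5 is the well-known
    900150983cd24fb0d6963f7d28e17f72; the MD5 is passed back in upper case
    to show that the comparison with the firewall log is case-insensitive.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "amupdate.exe")  # constructed sample file
        with open(path, "wb") as fh:
            fh.write(b"abc")
        md5, _ = file_hashes(path)
        return build_report(path, md5.upper(), anti_malware=True)


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

On a Windows host the same MD5 can be produced with `Get-FileHash -Algorithm MD5 <file>` in PowerShell; whichever tool you use, the value you add to the Allow List and put in the report must match the one in the firewall log, which `md5_matches_firewall_log` verifies.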


Once we confirm that it is indeed a false positive, we will fix it.