Sandbox false positive .NET 6.0.1 & 7.0.5 Update

Dexta
Dexta Posts: 12

It seems that the sandbox has a false positive on the Windows update for the .NET applications once again.

SUSPICIOUS infected SSI:N File:dotnet-runtime-6.0.16-win-x64_9525ba632a628128ec7113ac9d34fe1c2 Protocol:HTTP

Hash Value: 5a44d8accd7e7ed333940f4600919f53

SUSPICIOUS infected SSI:N File:windowsdesktop-runtime-7.0.5-win-x64_5b4232eed009e6b66c64a6096b Protocol:HTTP

Hash Value: 13395bd3897467c7f9f9303d197e70fd

Is there no way to whitelist certain files or URLs?

Kind regards,

Michael


All Replies

  • jurusam
    jurusam Posts: 6

    Me too…
    … and >600 emails with CDR!!!!

    | # | File name | Hash | Type | Occurrences | Update time |
    |---|-----------|------|------|-------------|-------------|
    | 1 | windowsdesktop-runtime-6.0.16-win-x64_b5158efdf04bc521d4d4f0618 | 5107b5f5a31e086796446ed3df572838 | Suspicious | 194 | 2023-04-12 09:59 |
    | 2 | dotnet-runtime-6.0.16-win-x64_9525ba632a628128ec7113ac9d34fe1c2 | 5a44d8accd7e7ed333940f4600919f53 | Suspicious | 340 | 2023-04-12 08:48 |
    | 3 | aspnetcore-runtime-6.0.16-win-x64_3f06ad4f7609c3ecf37803e7576be | e54dd2b8961f1673896c7ce106bd91ae | Suspicious | 28 | 2023-04-12 08:32 |
    | 4 | dotnet-hosting-7.0.5-win_c12bb335682504f51512e4434bb7fda331a0cc | e1cb42132192939ae486b3758462738c | Suspicious | 1 | 2023-04-12 07:30 |
    | 5 | windowsdesktop-runtime-7.0.5-win-x64_5b4232eed009e6b66c64a6096b | 13395bd3897467c7f9f9303d197e70fd | Suspicious | 1 | 2023-04-12 07:30 |
    | 6 | aspnetcore-runtime-7.0.5-win-x64_bd5b7e737025d237bec869f71c97df | c9175d4d5c24892631c4e6c228403172 | Suspicious | 1 | 2023-04-12 07:30 |

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,104  Zyxel Employee

    Hi @Dexta and @jurusam

    Thanks for reporting this case to us. Please add the issued hash value to Anti-Malware's allow list now. You can refer to this FAQ article for guidance. We will check those false positive detection cases internally, I will keep updating this discussion.

  • Dexta
    Dexta Posts: 12

    Dear @Zyxel_Jeff

    Thanks for the fast reply. I assume it works the same on Nebula?

    This happens after every patch day from Microsoft with the .NET update. Isn't it possible for you to update your database after every patch day?

    Kind regards,

    Michael

  • USG_User
    USG_User Posts: 369  Master Member
    edited April 2023

    The problem is that it will reappear again and again on each MS patch day, since the .NET or Windows desktop runtimes change their release numbers (and the connected hash values) very often. It is no solution to let the user add hash values to the "allow list" subsequently every time.

    We also encountered this behaviour for months. Fortunately it has been gone for us since we upgraded from our old USG110 to a USG Flex 700. But other users still report this issue, also with a USG Flex. Don't know what it depends on.

  • mMontana
    mMontana Posts: 1,342  Guru Member

    The "sometimes" seems more like "every update pulled by Microsoft".

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,104  Zyxel Employee

    Hi @Dexta

    The Nebula firewall may also experience this phenomenon. A temporary workaround solution is to add the file pattern to the allow list and inform us of any false positive detections. Thanks.
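An added example (not Zyxel's code and not posted by anyone in this thread) that shows why the two workarounds discussed here behave differently across patch days: it parses log lines in the shape quoted at the top of the thread, built here from the file names and MD5 values actually posted, and checks each one against a hash allow list and against a file-name pattern allow list. The third log line is a constructed hypothetical next-patchday build with a placeholder hash; the pattern syntax is assumed, since the thread does not show the appliance's own pattern format.

```python
import re

# Constructed sample: the first two lines carry the file names and MD5 hashes
# quoted in this thread; the third is a hypothetical next-patchday build with a
# placeholder hash, to show what happens when the hash changes.
SAMPLE_LOG = """\
SUSPICIOUS infected SSI:N File:dotnet-runtime-6.0.16-win-x64_9525ba632a628128ec7113ac9d34fe1c2 Protocol:HTTP Hash Value: 5a44d8accd7e7ed333940f4600919f53
SUSPICIOUS infected SSI:N File:windowsdesktop-runtime-7.0.5-win-x64_5b4232eed009e6b66c64a6096b Protocol:HTTP Hash Value: 13395bd3897467c7f9f9303d197e70fd
SUSPICIOUS infected SSI:N File:dotnet-runtime-6.0.99-win-x64_0123456789abcdef Protocol:HTTP Hash Value: 00000000000000000000000000000000
"""

# One log line: verdict, SSI flag, file token, protocol and a 32-hex-digit MD5.
LINE_RE = re.compile(
    r"^(?P<verdict>\S+) infected SSI:(?P<ssi>\S+) File:(?P<file>\S+) "
    r"Protocol:(?P<proto>\S+) Hash Value: (?P<md5>[0-9a-fA-F]{32})$"
)

# Hash allow list: the two MD5 values posted in the thread.
HASH_ALLOW = {
    "5a44d8accd7e7ed333940f4600919f53",
    "13395bd3897467c7f9f9303d197e70fd",
}

# File-name pattern allow list (assumed syntax, this thread does not show the
# appliance's own pattern format): official .NET installer naming, anchored so
# that only the version number and the hex suffix are allowed to vary.
PATTERN_ALLOW = [
    re.compile(r"^(dotnet|windowsdesktop|aspnetcore)-runtime-\d+\.\d+\.\d+-win-x64_[0-9a-f]+$"),
    re.compile(r"^dotnet-hosting-\d+\.\d+\.\d+-win_[0-9a-f]+$"),
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry, hash_allow, pattern_allow):
    """Decide what to do with one parsed entry.

    Hash matches are checked first because they are the strictest exception;
    a pattern match is a broader exception and is reported separately so a
    reviewer can see which rule silenced the alert.
    """
    if entry["md5"].lower() in hash_allow:
        return "allowed-by-hash"
    if any(p.match(entry["file"]) for p in pattern_allow):
        return "allowed-by-pattern"
    return "alert"


def triage(log_text, hash_allow, pattern_allow):
    """Parse every line of log_text and return [(file, decision), ...]."""
    results = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # skip lines that are not in the expected shape
        results.append((entry["file"], classify(entry, hash_allow, pattern_allow)))
    return results


if __name__ == "__main__":
    print("hash allow list only:")
    for name, decision in triage(SAMPLE_LOG, HASH_ALLOW, []):
        print(f"  {decision:19} {name}")
    print("hash + pattern allow list:")
    for name, decision in triage(SAMPLE_LOG, HASH_ALLOW, PATTERN_ALLOW):
        print(f"  {decision:19} {name}")
```

Running it shows the 6.0.16 and 7.0.5 entries silenced by the hash list, while the hypothetical newer build still alerts under the hash list and only passes under the pattern list. A pattern exception is broader than a hash exception, so it is worth recording which rule matched and keeping the patterns anchored to the exact installer naming rather than a bare substring.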

  • Dexta
    Dexta Posts: 12

    Hi @Zyxel_Jeff

    Thanks for the help. Are there any plans to update the database on Windows patch day? It does not make sense for the users to report these false positives because they are going to happen on every patch day.

    Kind regards,
    Michael

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,104  Zyxel Employee

    Hi @Dexta and @jurusam

    May we know what USG Flex or ATP series model you are using? Did this false positive detection appear on Sandboxing only or on Anti-Malware as well? If so, what is your signature version of Anti-Malware? What is the Scan Mode for Anti-Malware? Is it Express Mode, Stream Mode, or Hybrid Mode? Could you share screenshots of the setting page and historical Monitor Log messages of the false positive detection with us? It's easier for us to check your situation.

    Anti-Malware setting page example:

    Sandboxing setting page example:

    Thank you!

  • Dexta
    Dexta Posts: 12

    Dear @Zyxel_Jeff

    We are using an ATP500 and it's only the sandboxing. Attached you will find the screenshots.
    Settings:

    Report from the week of the MS patch day in February:

    SecuReporter history from MS patch day this month:

    I did not include the report from the March patch day because the new weekly report from SecuReporter does not show the hash values anymore, and in the reporter itself we can go back a maximum of 30 days.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,104  Zyxel Employee

    Hi @Dexta

    Thanks for sharing the helpful information with us.
