Getting pummelled by CDR reports of MSILHeracles download attempts from several of my ATPs

ChipConnJohn
ChipConnJohn Posts: 44  Freshman Member

It appears to be an old issue that happened in 2022 too, if these are indeed false positives.

I can't quite tell if it's a false positive though. The two files I've seen it block are:
AD2F1837.HPPrinterControl_145.1.1083.0_neutral_~_v10z8vjag6ke6
and
ccdeecee-9152-46a2-a8ca-5e4458eb35a5

These look like Windows Update files, but the IP addresses are not things I necessarily recognize.

Anyone else seeing this?


All Replies

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 755  Zyxel Employee

    Hi @ChipConnJohn ,

    Greetings Forum, please kindly provide the below information and send it to me by private message.

    (1). The detected file (if you have it)
    (2). Collect the bdsyslog.zip file on their PC:
    STEP 1. Download the BDSysLog_i.exe file:
    https://download.bitdefender.com/supporttools/bdsyslog/v2/BDSysLog_i.exe
    STEP 2. Collect the bdsyslog file for us:
    https://www.bitdefender.com/consumer/support/answer/1922/

    Thank you

  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member

    Hello,

    The firewall is blocking attempts to download these files and I don't see any place the firewall is holding the files in quarantine. Not sure how to get a copy of the files at that point.

    I have SentinelOne and BlackPoint running on every machine that is triggering the download. I've done scans of those machines using S1 and nothing has been found.

    Do you have a sandbox environment you can download these files to?

  • MBS
    MBS Posts: 3

    I had the same message on an ATP100.

    It ended when I uninstalled the HP printer update program.

  • OTADMIN
    OTADMIN Posts: 15  Freshman Member

    We have the same problem.

    It looks like the updates are coming from users who have HP printers at home, and the software is installed when they work from home with the printer.
    When they are back at the office the messages start to pop up.

    Uninstalling the HP update program might work, but I try to keep the workstations up-to-date so uninstalling the update program is not the first solution on my list.

    It is on multiple versions of the HPPrinterControl software:

    1. Gen.Variant.MSILHeracles.cf775202 ⇒ AD2F1837.HPPrinterControl_144.1.1068.0_neutral_~_v10z8vjag6ke6
    2. Gen.Variant.MSILHeracles.da651960 ⇒ AD2F1837.HPPrinterControl_145.1.1083.0_neutral_~_v10z8vjag6ke6

    It's not possible to whitelist the "malware" because there is no hash.

    Creating a filter on the emails isn't an option because the mail itself only shows the client information, and not the detection itself.

    An update to solve this would be nice.

  • e_mano_e
    e_mano_e Posts: 87  Ally Member

    This is not a real solution, but it is a temporary solution:

    Add an entry to the Allow list of Anti-Malware using "file-pattern" like this: AD2F1837.HPPrinterControl*

    Has worked for me.

  • PhilippeBkk
    PhilippeBkk Posts: 13  Freshman Member

    This has been reported in several threads for more than one week, but ZYXEL people still cannot tell what to do, nor can they say if it is a false positive.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 755  Zyxel Employee

    Hi @ChipConnJohn, @OTADMIN, @MBS

    It is fine, please kindly provide the below information for us. Thank you

    STEP 1. Download the BDSysLog_i.exe file:
    https://download.bitdefender.com/supporttools/bdsyslog/v2/BDSysLog_i.exe
    STEP 2. Collect the bdsyslog file for us:
    https://www.bitdefender.com/consumer/support/answer/1922/

    Thank you

  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member

    @Zyxel_Kevin,

    I have a Bitdefender log from a machine that was being flagged as trying to download malware while I was running the Bitdefender tool. I think this should give you what you need. How do I get the log file to you?

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 755  Zyxel Employee

    Hi @ChipConnJohn ,

    We will remove the signatures in the next anti-malware package.

    Please kindly check if the issue happens again. Thank you

  • LucaPapaleo
    LucaPapaleo Posts: 12  Freshman Member

    Hello, without a firmware update? Just a signature update?

    Luca
