Getting pummelled by CDR reports of MSILHeracles download attempts from several of my ATPs

ChipConnJohn

It appears to be an old issue that happened in 2022 too, if these are indeed false positives.

I can't quite tell if it's a false positive though. The two files I've seen it block are:
AD2F1837.HPPrinterControl_145.1.1083.0_neutral_~_v10z8vjag6ke6
and
ccdeecee-9152-46a2-a8ca-5e4458eb35a5

These look like Windows Update files, but the IP addresses are not things I necessarily recognize.

Anyone else seeing this?

Zyxel_Kevin

Hi @ChipConnJohn ,

Greeting Forum, please kindly the below inforamtion and send me by private message.

(1). The detected file (if you have)
(2). Collect the bdsyslog.zip file on their PC :
STEP1. Download the BDSysLog_i.exe file :
https://download.bitdefender.com/supporttools/bdsyslog/v2/BDSysLog_i.exe
STEP2. Collect the bdsyslog file for us:
https://www.bitdefender.com/consumer/support/answer/1922/

Thank you

ChipConnJohn

Hello,

The firewall is blocking attempts to download these files and I don't see any place the firewall is holding the files in quarantine. Not sure how to get a copy of the files at that point.

I have SentinelOne and BlackPoint running on every machine that is triggering the download. I've done scans of those machines using S1 and nothing has been found.

Do you have a sandbox environment you can download these files to?

MBS

I had the same message ATP100.

It ends when I uninstalled HP printer update program.

OTADMIN

We have the same problem.

It looks like the updates are comming from users who have HP printers at home, and the software is installed when they work from home with the printer.
When they are back at the office the messages starting to pop-up.

Uninstalling the HP update program might work, but I try to keep the workstations up-to-date so uninstalling the update program is not the first solution on my list.

It is on multiple versions of the HPPrinterControl software

1. Gen.Variant.MSILHeracles.cf775202 ⇒ AD2F1837.HPPrinterControl_144.1.1068.0_neutral_~_v10z8vjag6ke6
2. Gen.Variant.MSILHeracles.da651960 ⇒ AD2F1837.HPPrinterControl_145.1.1083.0_neutral_~_v10z8vjag6ke6

It's not possible to whitelist the "malware" because there is no hash.

Creating a filter on the emails isn't an option because the mail itself only shows the client information, and not the detection itself.

An update to solve this would be nice.

e_mano_e

This is not a real solution, but it is a temporary solution:

Add an entry to the Allow list of Anti-Malware using "file-pattern" like this: AD2F1837.HPPrinterControl*

Has worked for me.

PhilippeBkk

This has been reported in several threads for more than one week but ZYXEL people still cannot tell what to do, not can say if it is a false positive

Zyxel_Kevin

Hi @ChipConnJohn @OTADMIN , @MBS

It is fine, please kinldy provide the below information for us. Thank you

STEP1. Download the BDSysLog_i.exe file :
https://download.bitdefender.com/supporttools/bdsyslog/v2/BDSysLog_i.exe
STEP2. Collect the bdsyslog file for us:
https://www.bitdefender.com/consumer/support/answer/1922/

Thank you

ChipConnJohn

@Zyxel_Kevin,

I have a Bitdefender log from a machine that was being flagged as trying to download malware while the I was running the bitdefender tool. I think this should give you what you need. How do I get the log file to you?

Zyxel_Kevin

Hi @ChipConnJohn ,

We will remove signatures in next anti-malware package.

Please kindly check if the issue happend again. Thank you

LucaPapaleo

Hello, without firmware update? just signature?

Luca