False malicious activities / windows update


All Replies

  • USG_User
    USG_User Posts: 374  Master Member
    edited July 2022
    We have been experiencing false positive A/V alerts for aspdotnet-runtimes and windowsdesktop-runtimes for months.
    But these A/V alerts only come once a month, on MS patch day. Zyxel is already dealing with it, had access to our USG, and has tried to exclude the affected files from their signature hashes. Without success so far.
    Presently we're waiting for the August patch day ...
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 888  Zyxel Employee
    Hi @USG_User,
    "But these A/V alerts are coming only once a month on MS patch day. Zyxel is already dealing with it"
    So did you have a ticket to deal with it?
    Kevin

  • USG_User
    USG_User Posts: 374  Master Member
    Hi Kevin,
    Please ask your colleague Zyxel_Cooldia. We have been in contact in this regard for weeks.
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 888  Zyxel Employee

    Dear Customers,

    After investigation, the following two are false alarms,

    Wildcore.Virus.4a4ec363

    Gen.Variant.Barys.413913b9

    which have been excluded in the latest signature version (20220731)

    Kevin



  • MarcoLuvisi
    MarcoLuvisi Posts: 12  Freshman Member
    Got this one this morning on a client site with an ATP800:
    Gen.Variant.Barys.da651960

    Seems like a variant of the false positive from 2 weeks ago...

  • USG_User
    USG_User Posts: 374  Master Member
    Today MS is rolling out new Windows Updates and we immediately received different A/V Alerts for
    • aspnetcore-runtime-3.1.28-win-x86
    • aspnetcore-runtime-6.0.8-win-x86
    • aspnetcore-runtime-6.0.8-win-x64
    • windowsdesktop-runtime-6.0.8-win-x86
    • windowsdesktop-runtime-6.0.8-win-x64
    on different machines. Now this is over for this month, and we expect the next A/V alert with next month's MS Windows updates.

  • mMontana
    mMontana Posts: 1,389  Guru Member
    Maybe someone in the virus definition department should have a better grip on Microsoft packages?
  • MarcoLuvisi
    MarcoLuvisi Posts: 12  Freshman Member
    So this means that if we have CDR set to BLOCK client PCs when it detects malware on them, we have to expect client PCs to be blocked every month when Microsoft releases new updates? I hope it's not like this...
  • USG_User
    USG_User Posts: 374  Master Member
    Today MS is rolling out its Windows October updates, and our USG110 is again reporting and blocking the following aspnetcore and windowsdesktop updates on different machines in our LAN. This happens again every single month ...

    Affected files:
    aspnetcore-runtime-3.1.30-win-x86
    aspnetcore-runtime-6.0.10-win-x64
    windowsdesktop-runtime-3.1.30-win-x86

    The update packages should be retrieved from the following internet addresses:
    8.248.89.254:80 - Level 3 Parent LLC, US
    8.248.119.254:80 - Level 3 Parent LLC, US
    209.197.3.8:80 - StackPath LLC, US
    88.221.235.20:80 - Akamai Technologies Inc., US
    96.17.152.184:80 - Akamai Technologies Inc., US

    Does anybody know whether these addresses are MS mirror addresses where client systems are downloading update packages from?
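Before treating a blocked runtime installer as a false positive (or adding it to an A/V exclusion), an administrator will want to confirm the file is actually the Microsoft-signed package and not something else that happened to match the same signature. The PowerShell below is an added example for the package lists in the two posts above; it is not code from the thread, Zyxel or Microsoft. It assumes the installer has been obtained from the official dotnet.microsoft.com download page and saved under a folder you choose (the `C:\temp\dotnet-installers` path and the `$ExpectedSha512` placeholder are assumptions; the published SHA512 checksum is the value shown next to each download on that page).

```powershell
# Added example, not from the thread: verify a flagged .NET runtime installer
# before accepting the A/V alert as a false positive.
# Assumptions: the file was downloaded from the official Microsoft page and
# saved locally; $ExpectedSha512 is the checksum published beside the download.
function Test-DotnetInstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha512 = ''   # leave empty to skip the hash comparison
    )

    # Authenticode check: Status must be 'Valid' and the signer must be Microsoft
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $result = [ordered]@{
        File         = Split-Path -Path $Path -Leaf
        SignatureOK  = ($sig.Status -eq 'Valid')
        Signer       = $signer
        MicrosoftSig = ($signer -like '*O=Microsoft Corporation*')
        Sha512       = (Get-FileHash -Path $Path -Algorithm SHA512).Hash
        HashMatches  = $null
    }

    # Compare against the published checksum when one was supplied
    if ($ExpectedSha512) {
        $result.HashMatches = ($result.Sha512 -ieq $ExpectedSha512.Trim())
    }

    [pscustomobject]$result
}

# Check every installer in the folder; file names follow the packages named in
# the thread (aspnetcore-runtime-*, windowsdesktop-runtime-*). Folder is assumed.
Get-ChildItem -Path 'C:\temp\dotnet-installers' -Filter '*.exe' |
    ForEach-Object { Test-DotnetInstallerSignature -Path $_.FullName } |
    Format-Table -AutoSize
```

Only a file that shows `SignatureOK` and `MicrosoftSig` both true (and `HashMatches` true when a published checksum was supplied) is a candidate for reporting to the vendor as a false positive; a file that fails the signature check deserves the block it received, regardless of its name.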
  • Unfortunately, we can confirm the same happens to our customers running ATP500, ATP200 and ATP700. Still have to confirm ATP100, but I fear we'll see email notifications soon.
