False malicious activities / windows update

Zyxel_Kevin · October 2022

Hi @Systrategy,
Did you have the exact virus name ?
We will investigate the issue.
Kevin

Doppelnet · October 2022

Unfortunantely we have the same problems. Is there anybody by Zyxel who can solve this issues. We have tonns of this records.

Zyxel_Kevin · October 2022

Hi @Doppelnet,
Did you know what kind of behavior triggers?
Also please kindly share the exact virus name for us.
Thank you
Kevin

aemf · October 2022

Même problème visible sur SecuReporter

Image: https://us.v-cdn.net/6029482/uploads/editor/p2/ci5q26vpdi0x.png

Zyxel_Kevin · October 2022

Hi @aemf,
Did you know what kind of behavior triggers?
And please kindly provide the virus name . Thank you
Kevin

USG_User · November 2022

Hi Kevin,

For completion and to keep this concern alive ...: On 28 October one colleague started its computer after a few days off. When Windows starts its automatic update procedure the following virus alert has been announced by our USG110 again:

2022-10-28 10:16:54, 93.184.221.240:80, 192.168.51.12:51745, crit, anti-virus, FILE DESTROY,wan1, vlan51, tcp, Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.30-win-x86_700b1cf039d7c1a853df94d9ca0e0 Protocol=HTTP

Regarding your question ... the automatic (or manually forced) update process of Windows always caused this USG behaviour. Normally on monthly Windows Patch Day, or when a machine which was not running during the MS patchday will be switched on subsequently.

We do not have any other virus name information. From month to month only the version number of the aspnetcore-runtime or windowsdesktop-runtime is changing.

Zyxel_Kevin · November 2022

Hi @USG_User,
Did you have the file Hash ?
We are cheking on it. I will update the ticket if I have any news.
Thanks your patience.
Kevin

st3213 · November 2022

Hi Kevin,

the same happens here on USG 500 flex. In fact, it happens every patch day for the last couple of months - which is quite annoying as it generates a load of alerts.

For the current patch day, I'm copying the virus name and filename below:

dotnet-runtime-6.0.11-win-x64_3504dfca92911ac7449dcb292a33b75f8

Malicious Virus(detected by Anti-Malware Cache)

windowsdesktop-runtime-6.0.11-win-x86_5f7938428f80f9dd0c7660379

Malicious Virus(detected by Anti-Malware Cache)

Unfortunately, the USG report does not link the filename to a hash, but the following two hashes belong to the files mentioned above:

2C8B9429D84440193D99F224C2E95D28

8BFD60737588F839346D71E2B7D41277

Hope you can find a permanent solution soon.

Good luck!

USG_User · November 2022

Zyxel_Kevin said:

Hi @USG_User,
Did you have the file Hash ?
We are cheking on it. I will update the ticket if I have any news.
Thanks your patience.
Kevin

What file hashes do you mean and where should I get it from? I've got only the entries extracted from system log as provided different times in past. Please advise

st3213 · November 2022

you could check monitor --> security statistics --> anti-malware --> Hash values in the table. As I mentioned, unfortunately, there is no direct linkage to the alert from the system log.

False malicious activities / windows update

All Replies

Categories

Security Highlight

Security Help Center