False malicious activities / windows update

1246

All Replies

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @Systrategy
    Did you have the exact virus name  ? 
    We will investigate the issue. 
    Kevin
  • Doppelnet
    Doppelnet Posts: 1
    First Comment
    edited October 2022
    Unfortunantely we have the same problems. Is there anybody by Zyxel who can solve this issues. We have tonns of this records. 
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @Doppelnet
    Did you know what kind of behavior triggers? 
    Also please kindly share the exact virus name for us. 
    Thank you
    Kevin
  • aemf
    aemf Posts: 6
    First Anniversary Friend Collector First Comment
    Même problème visible sur SecuReporter


  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @aemf
    Did you know what kind of behavior triggers?  
    And please kindly provide the virus name . Thank you
    Kevin
  • USG_User
    USG_User Posts: 369  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited November 2022
    Hi Kevin,
    For completion and to keep this concern alive ...: On 28 October one colleague started its computer after a few days off. When Windows starts its automatic update procedure the following virus alert has been announced by our USG110 again:

    2022-10-28 10:16:54, 93.184.221.240:80, 192.168.51.12:51745, crit, anti-virus, FILE DESTROY,wan1, vlan51, tcp, Virus infected Rule_id=6 SSI=N Virus=Malicious Virus File=aspnetcore-runtime-3.1.30-win-x86_700b1cf039d7c1a853df94d9ca0e0 Protocol=HTTP

    Regarding your question ... the automatic (or manually forced) update process of Windows always caused this USG behaviour. Normally on monthly Windows Patch Day, or when a machine which was not running during the MS patchday will be switched on subsequently.
    We do not have any other virus name information. From month to month only the version number of the aspnetcore-runtime or windowsdesktop-runtime is changing.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited November 2022
    Hi @USG_User
    Did you have the file Hash ?
    We are cheking on it. I will update the ticket if I have any news. 
    Thanks your patience.
    Kevin
  • Hi Kevin,

    the same happens here on USG 500 flex. In fact, it happens every patch day for the last couple of months - which is quite annoying as it generates a load of alerts.

    For the current patch day, I'm copying the virus name and filename below:

    dotnet-runtime-6.0.11-win-x64_3504dfca92911ac7449dcb292a33b75f8
    Malicious Virus(detected by Anti-Malware Cache)
    windowsdesktop-runtime-6.0.11-win-x86_5f7938428f80f9dd0c7660379
    Malicious Virus(detected by Anti-Malware Cache)

    Unfortunately, the USG report does not link the filename to a hash, but the following two hashes belong to the files mentioned above:
    2C8B9429D84440193D99F224C2E95D28
    8BFD60737588F839346D71E2B7D41277

    Hope you can find a permanent solution soon.

    Good luck!














  • USG_User
    USG_User Posts: 369  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @USG_User
    Did you have the file Hash ?
    We are cheking on it. I will update the ticket if I have any news. 
    Thanks your patience.
    Kevin

    What file hashes do you mean and where should I get it from? I've got only the entries extracted from system log as provided different times in past. Please advise
  • you could check monitor --> security statistics --> anti-malware --> Hash values in the table. As I mentioned, unfortunately, there is no direct linkage to the alert from the system log.

Security Highlight