False malicious activities / windows update


  • USG_User
    USG_User Posts: 374  Master Member
    edited November 2022
    Thanks st3213, but our USG110 doesn't offer this information. We got only
    Monitor > UTM Statistics > Anti-Virus
    with the following screen:


    The counter of 1212 is only the result of today's MS patch day. On all other days of the month we don't experience any virus alerts.

    Further, we have already purchased a new USG Flex 700, which is not yet installed and commissioned. We hoped that these A/V alerts would be gone when we replace our USG110. But as we've learnt now, the USG Flex is also affected. This concerns us.
  • st3213
    st3213 Posts: 9  Freshman Member
    edited November 2022
    OK, I see. We have an additional column in our 500 flex devices. But otherwise, the same: we get hundreds of hits on every patch day. Interestingly, the alerts stop after a while - not sure if ZyXel is updating signatures or why.

    I'm just wondering why there is no more talk about this issue. One would assume that many customers should be affected. Therefore, I am still a little uneasy just adding the files to the allow list.

    Zyxel_Kevin I hope you can advise. The problem is going on for a while now.




  • Zyxel_Kevin
    Zyxel_Kevin Posts: 888  Zyxel Employee
    Hi @st3213
    We have removed the signature from the cloud. Please kindly reboot your device to clear the local cache.
    You can also perform the following commands to disable the local cache:
    Router(config)# debug anti-virus cloud-query am-cache disable
    Router# debug anti-virus cloud-query show
    am-cache enable: 0

    For the ATP/FLEX series, since the designed mechanism on the ATP/FLEX series is different from the Zywall/USG series, we can now manipulate and correct the signature content more promptly and effectively compared to the Zywall/USG series.
    In addition, reducing false-positive detections is also a testing target for our future releases, after receiving those cases from customers.

    Kevin
     

  • USG_User
    USG_User Posts: 374  Master Member
    edited November 2022
    Hi @st3213
    We have removed the signature from the cloud. Please kindly reboot your device to clear the local cache.
    You can also perform the following commands to disable the local cache:
    Router(config)# debug anti-virus cloud-query am-cache disable
    Router# debug anti-virus cloud-query show
    am-cache enable: 0

    Hi Kevin,
    Thanks for your reply. Since we are not able to reboot our USG110 at any time (because it is a production system), I've carried out the proposed CLI commands.
    But after executing "Router(config)# debug anti-virus cloud-query am-cache disable",
    the query "Router# debug anti-virus cloud-query show" doesn't show any result like "am-cache enable: 0". The console didn't show any new line with any results. Hopefully the cache disabling works nevertheless.



  • st3213
    st3213 Posts: 9  Freshman Member
    @Zyxel_Kevin Thank you for updating the signatures, the hits have stopped now. But we need to keep this open at least until the next MS patch day. Let's hope for a permanent solution.


  • USG_User
    USG_User Posts: 374  Master Member
    New month, same behaviour. Today is MS Patch Day and we're still receiving a huge number of Virus Alert Warnings from our USG110 for aspnetcore, dotnet and (this is new) powershell runtimes updates!
    Are there any news from Zyxel in this regard?
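The thread's open question is whether the flagged aspnetcore, dotnet and powershell runtime installers can safely be added to the firewall's allow list. The following PowerShell script is an added example (not from the thread, Zyxel or Microsoft) showing the check a defender would run on the Windows side before granting such an exception: verify that each flagged file carries a valid Authenticode signature chaining to a Microsoft Corporation certificate, and that its SHA256 matches the hash published on the vendor download page. The file paths, the expected hash and the signer-subject pattern are placeholders to be replaced with your own values.

```powershell
# Added example, not part of the thread. Validates files that the USG/Flex
# anti-virus flagged during Windows Update before they are considered for the
# exception list. Paths and the expected hash are placeholders.

param(
    [Parameter(Mandatory)][string[]]$Path,            # e.g. the flagged installers
    [string]$ExpectedSha256 = ''                       # placeholder: hash from the vendor page
)

$results = foreach ($file in $Path) {
    if (-not (Test-Path -LiteralPath $file)) {
        [pscustomobject]@{ File = $file; Verdict = 'MISSING'; Status = $null; Signer = $null; Sha256 = $null }
        continue
    }

    # Authenticode check: validates the embedded signature and its certificate chain.
    $sig    = Get-AuthenticodeSignature -LiteralPath $file
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Independent hash so the file can be tied to the exact published build.
    $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash

    $verdict = 'REJECT'
    if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') {
        if ([string]::IsNullOrEmpty($ExpectedSha256) -or $hash -eq $ExpectedSha256.ToUpperInvariant()) {
            $verdict = 'ALLOW-LIST CANDIDATE'
        } else {
            $verdict = 'HASH MISMATCH'
        }
    }

    [pscustomobject]@{
        File    = $file
        Verdict = $verdict
        Status  = $sig.Status
        Signer  = $signer
        Sha256  = $hash
    }
}

$results | Format-Table -AutoSize

# Only entries with Verdict 'ALLOW-LIST CANDIDATE' are worth an exception on the
# firewall; a 'REJECT' or 'HASH MISMATCH' means the download should be examined,
# not allow-listed.
```

Run it against the downloaded files the firewall log names (for example from a client's SoftwareDistribution\Download folder or the WSUS content share). The signature check alone proves Microsoft signed the binary; the hash check additionally ties it to the specific build you expect, which is what makes a per-file exception defensible when the firewall's signature is a false positive.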
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 888  Zyxel Employee
    Hi @USG_User

    Since the designed mechanism for ATP/FLEX is different from Zywall/USG, we can now manipulate and correct the signature content more promptly and effectively compared to the Zywall/USG series.

    And the USG series is going to End of Support. We suggest doing the replacement.

    Thank you

    Kevin


  • USG_User
    USG_User Posts: 374  Master Member
    This problem, which has certainly been known for over a year, has been nicely sat out.
    Our new USG Flex700 has already been delivered and we can only hope that this annoying behaviour is really done.
