USG Flex 200 -> Windows Update files Virus infected ??


All Replies

  • Vagabound
    Vagabound Posts: 28  Freshman Member
    Dozens of alerts again this morning:

       Message
    1 2023-02-02 06:57:57 93.184.221.240:80
         crit anti-virus FILE DESTROY                                    
         Virus infected SSI:N Type:Anti-Malware Cache Virus:Malicious Virus File:powershell-7.3.2-win-x64_70b4b049d70b8ace7ec828ea395f25d9927b2e Protocol:HTTP
    :/
  • Vagabound
    Vagabound Posts: 28  Freshman Member
    Here is an excerpt from the SecuReporter:



  • Vagabound
    Vagabound Posts: 28  Freshman Member
    Virus Hash:     927acfcba3f91bcf10264dde216d5ec9

  • USG_User
    USG_User Posts: 369  Master Member
    It seems this is a never-ending issue with Zyxel. Please refer to the other thread in this regard:

    We have finished the programming of our new USG Flex 700 right now and will set it into production service during the next days, replacing the old USG 110. Then we will see if anything has been improved in the meantime.

  • Vagabound
    Vagabound Posts: 28  Freshman Member
    I previously also had a USG 110, but never had such problems as I now have with the USG Flex 200.
    Let's hope that this improves in the future; I have no desire to constantly evaluate the many alerts, as there are other things to do.

  • mMontana
    mMontana Posts: 1,320  Guru Member
    The more often it happens...
    the more it seems not to be a feature.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,455  Zyxel Employee
    Hi @Vagabound,
    The hash 927acfcba3f91bcf10264dde216d5ec9 has been marked clean in the cloud today.
    Please try it again.
    We will come out with a solution for this issue to minimize false positive cases.
    Before the solution is implemented, please add the Microsoft update IP to the whitelist.

  • USG_User
    USG_User Posts: 369  Master Member
    ...
    Before the solution is implemented, please add the Microsoft update IP to the whitelist.

    In October 22, in the thread linked above, I reported the following IP addresses from which MS update packages were being retrieved at that time:

    8.248.89.254:80 - Level 3 Parent LLC, US
    8.248.119.254:80 - Level 3 Parent LLC, US
    209.197.3.8:80 - StackPath LLC, US
    88.221.235.20:80 - Akamai Technologies Inc., US
    96.17.152.184:80 - Akamai Technologies Inc., US

    I guess it's not practical to add different MS IP addresses to a whitelist, which could even change on each patch day. But I'm not an expert in MS update procedures. From my point of view, Zyxel should try to get in contact with MS to understand the process and find a general solution.
  • Vagabound
    Vagabound Posts: 28  Freshman Member
    I can only agree with this; I will be careful not to whitelist any IP address that I can't verify.
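Added here as an editor's example, not code from the thread, from Zyxel or from any of the posters: a Python triage script that parses alerts in the three-line layout Vagabound quoted, looks up the hash SecuReporter reports for each flagged file, and decides whether an alert is a verified false positive or still needs a look. Everything beyond the first alert is assumed: the export layout, the mapping of file names to reported hashes (only the PowerShell entry and its hash 927acfcba3f91bcf10264dde216d5ec9 come from the thread), and a locally maintained set of hashes the administrator has already verified against the publisher's own signature or checksum. The /32 allowlist is built from the five addresses USG_User listed, which is enough to show the point he makes: that list would not have suppressed the alert from 93.184.221.240, while an unknown file from an allowlisted address is still only "unverified", because a source IP says nothing about the file.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the three-line layout of the alert quoted in the
# thread (index, timestamp, source ip:port / severity, category, action /
# message). Alert 1 mirrors the post; alerts 2 and 3 are made up.
SAMPLE_LOG = """\
1 2023-02-02 06:57:57 93.184.221.240:80
     crit anti-virus FILE DESTROY
     Virus infected SSI:N Type:Anti-Malware Cache Virus:Malicious Virus File:powershell-7.3.2-win-x64_70b4b049d70b8ace7ec828ea395f25d9927b2e Protocol:HTTP
2 2023-02-02 07:02:14 8.248.89.254:80
     crit anti-virus FILE DESTROY
     Virus infected SSI:N Type:Anti-Malware Cache Virus:Malicious Virus File:example-update-package.msu Protocol:HTTP
3 2023-02-02 07:05:41 203.0.113.5:80
     crit anti-virus FILE DESTROY
     Virus infected SSI:N Type:Anti-Malware Cache Virus:Malicious Virus File:invoice_2023.exe Protocol:HTTP
"""

# Hash SecuReporter shows per flagged file (assumed export format; only the
# PowerShell entry and its hash come from the thread, the rest is constructed).
REPORTED_HASHES = {
    "powershell-7.3.2-win-x64_70b4b049d70b8ace7ec828ea395f25d9927b2e":
        "927acfcba3f91bcf10264dde216d5ec9",
    "example-update-package.msu": "0123456789abcdef0123456789abcdef",
    "invoice_2023.exe": "fedcba9876543210fedcba9876543210",
}

# Hashes the administrator has verified out of band (publisher signature or
# vendor checksum on a fresh copy of the same download) before listing them.
VERIFIED_CLEAN = {"927acfcba3f91bcf10264dde216d5ec9"}

# /32 allowlist built from the five addresses USG_User reported.
ALLOWLIST = [ipaddress.ip_network(f"{ip}/32") for ip in (
    "8.248.89.254", "8.248.119.254", "209.197.3.8",
    "88.221.235.20", "96.17.152.184")]

# One alert = header line, severity/category/action line, message line.
ALERT_RE = re.compile(
    r"^[ \t]*(?P<idx>\d+)[ \t]+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[ \t]+"
    r"(?P<ip>[0-9.]+):(?P<port>\d+)[ \t]*\n"
    r"[ \t]*(?P<sev>\w+)[ \t]+(?P<cat>[\w-]+)[ \t]+(?P<action>[A-Z]+(?: [A-Z]+)*)[ \t]*\n"
    r"[ \t]*(?P<msg>Virus infected [^\n]*?)[ \t]*$",
    re.MULTILINE,
)
# Key:Value pairs in the message; values may contain spaces ("Anti-Malware Cache"),
# so a value runs until the next " Key:" token or the end of the line.
FIELD_RE = re.compile(r"(\w+):(.*?)(?=\s+\w+:|$)")


@dataclass
class Alert:
    index: int
    timestamp: str
    src_ip: str
    src_port: int
    severity: str
    category: str
    action: str
    fields: dict


def parse_alerts(text: str) -> list:
    """Parse every three-line alert record found in the export text."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(m.group("msg"))}
        alerts.append(Alert(int(m.group("idx")), m.group("ts"), m.group("ip"),
                            int(m.group("port")), m.group("sev"), m.group("cat"),
                            m.group("action"), fields))
    return alerts


def triage(alert: Alert, reported_hash: Optional[str],
           verified_clean: set, allowlist: list) -> str:
    """Classify one alert. Only a hash verified out of band clears the file;
    a source address on the allowlist alone never does."""
    if reported_hash and reported_hash.lower() in verified_clean:
        return "known-good"
    src = ipaddress.ip_address(alert.src_ip)
    if any(src in net for net in allowlist):
        return "allowlisted-unverified"
    return "review"


def triage_log(text: str, reported_hashes: dict, verified_clean: set, allowlist: list) -> list:
    """Return (index, source ip, file name, verdict) for each alert in the text."""
    results = []
    for alert in parse_alerts(text):
        name = alert.fields.get("File", "")
        verdict = triage(alert, reported_hashes.get(name), verified_clean, allowlist)
        results.append((alert.index, alert.src_ip, name, verdict))
    return results


if __name__ == "__main__":
    for idx, ip, name, verdict in triage_log(SAMPLE_LOG, REPORTED_HASHES, VERIFIED_CLEAN, ALLOWLIST):
        print(f"#{idx} {ip:<16} {verdict:<22} {name}")
```

Run as-is it prints three verdicts: the PowerShell download is reported as known-good because its hash is in the verified set, the unknown package from 8.248.89.254 is only allowlisted-unverified, and the file from 203.0.113.5 goes to review. Growing the verified set is a manual step on purpose: a hash gets in only after the download has been checked against the publisher's signature or checksum, which is the verification Vagabound says he wants before trusting anything.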
