USG Flex 200 -> Windows Update files Virus infected ??

2»

All Replies

  • Vagabound
    Vagabound Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    Dozens of alerts again this morning:

       Message
    1 2023-02-02 06:57:57 93.184.221.240:80
         crit anti-virus FILE DESTROY                                    
         Virus infected SSI:N Type:Anti-Malware Cache Virus:Malicious Virus File:powershell-7.3.2-win-x64_70b4b049d70b8ace7ec828ea395f25d9927b2e Protocol:HTTP
    :/
  • Vagabound
    Vagabound Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    Here is an excerpt from the SecuReporter:



  • Vagabound
    Vagabound Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    Virus Hash:     927acfcba3f91bcf10264dde216d5ec9

  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    It seems this is a never ending issue with Zyxel. Please refer to the other thread in this regard:

    We have finished the programming of our new USG Flex 700 right now and will set it into production service during the next days, replacing the old USG 110. Then we will see if anything has been improved in the meantime.

  • Vagabound
    Vagabound Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    I had previously also a USG 110, but never had such problems as now with the USG Flex 200.
    Let's hope that this improves in the future, have no desire to constantly evaluate the many alerts, there are other things you should do.

  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    More times it happens...
    More seems not a feature.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @Vagabound,
    The hash 927acfcba3f91bcf10264dde216d5ec9 has been marked  clean in cloud today.
    please try it again.
    We will come out a solution for this issue to minimize false positive case.
    Before the solution is implement. please add Microsoft update IP into white list. 

  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    ...
    Before the solution is implement. please add Microsoft update IP into white list. 

    In October 22, in the above linked thread,  I did report the following IP addresses where MS update packages should be retrieved from at that time:

    8.248.89.254:80 - Level 3 Parent LLC, US
    8.248.119.254:80 - Level 3 Parent LLC, US
    209.197.3.8:80 - StackPath LLC, US
    88.221.235.20:80 - Akamai Technologies Inc., US
    96.17.152.184:80 - Akamai Technologies Inc., US

    I guess it's not practical to add different MS IP addresses into a white list which could even changing on each patchday. But I'm not the expert in MS update procedures. From my point of view Zyxel should try to get in contact with MS to discover the process and find a general solution.
  • Vagabound
    Vagabound Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    I can only agree with this, I will be careful not to white list any IP address that I can't verify.

Security Highlight