Sandbox false positive .NET 6.0.1 & 7.0.5 Update
It seems, that the sandbox has a false positive on the windows update for the .net applications once again.
SUSPICIOUS infected SSI:N File:dotnet-runtime-6.0.16-win-x64_9525ba632a628128ec7113ac9d34fe1c2 Protocol:HTTP
Hash Value: 5a44d8accd7e7ed333940f4600919f53
SUSPICIOUS infected SSI:N File:windowsdesktop-runtime-7.0.5-win-x64_5b4232eed009e6b66c64a6096b Protocol:HTTP
Hash Value: 13395bd3897467c7f9f9303d197e70fd
Is there no way to whitelist certain files or URL's?
Kind regards,
Michael
All Replies
-
Me too…
… and >600 emails with CDR !!!!#
File name
hash
Type
Occurences
Update time
1
windowsdesktop-runtime-6.0.16-win-x64_b5158efdf04bc521d4d4f0618
5107b5f5a31e086796446ed3df572838
Suspicious
194
2023-04-12 09:59
2
dotnet-runtime-6.0.16-win-x64_9525ba632a628128ec7113ac9d34fe1c2
5a44d8accd7e7ed333940f4600919f53
Suspicious
340
2023-04-12 08:48
3
aspnetcore-runtime-6.0.16-win-x64_3f06ad4f7609c3ecf37803e7576be
e54dd2b8961f1673896c7ce106bd91ae
Suspicious
28
2023-04-12 08:32
4
dotnet-hosting-7.0.5-win_c12bb335682504f51512e4434bb7fda331a0cc
e1cb42132192939ae486b3758462738c
Suspicious
1
2023-04-12 07:30
5
windowsdesktop-runtime-7.0.5-win-x64_5b4232eed009e6b66c64a6096b
13395bd3897467c7f9f9303d197e70fd
Suspicious
1
2023-04-12 07:30
6
aspnetcore-runtime-7.0.5-win-x64_bd5b7e737025d237bec869f71c97df
c9175d4d5c24892631c4e6c228403172
Suspicious
1
2023-04-12 07:30
0 -
Thanks for reporting this case to us. Please add the issued hash value to Anti-Malware's allow list now. You can refer to this FAQ article for guidance. We will check those false positive detection cases internally, I will keep updating this discussion.
See how you've made an impact in Zyxel Community this year!
0 -
Dear @Zyxel_Jeff
Thanks for the fast reply. I assume it works the same for on Nebula?
This happens after every patchday from microsoft with the .net-Update. Isn't it possible for you to update your database after every patchday?
Kind regards,
Michael
0 -
The problem is that it will reappear again and again on each MS patchday since the .NET or Windows desktop runtimes change its release numbers (and connected hash values) very often. It is no solution to let the user adding any hash values to the "allow list" subsequently every time.
We encountered this behaviour also for months. Fortunately it's gone with us since we have upgraded from our old USG110 to an USG Flex 700. But other user still report about this issue also with an USG Flex. Don't know what it depends on.
1 -
The "sometimes" seems such more "every update pulled by Microsoft".
1 -
Hi @Dexta
The Nebula firewall may also experience this phenomenon. A temporary workaround solution is to add the file pattern to the allow list and inform us of any false positive detections. Thanks.
See how you've made an impact in Zyxel Community this year!
0 -
Hi @Zyxel_Jeff
Thanks for the help. Are there any plans to update the database on windowspatch day? I does not make sense for the users to report these false positives because they are going to happen on every patchday.
Kind regards,
Michael0 -
May we know what USG Flex or ATP series model you are using? Did this false positive detection appear on Sandboxing only or on Anti-Malware as well? If so, what is your signature version of Antil-Malware? What is the Scan Mode for Anti-Malware? Is it Express Mode, Stream Mode, or Hybrid Mode? Could you share screenshots of the setting page and historical Monitor Log messages of false positive detection with us? It's easier for us to check your situation.
Anti-Malware setting page example:
Sandboxing setting page example:
Thank you!
See how you've made an impact in Zyxel Community this year!
0 -
Dear @Zyxel_Jeff
We are using ATP500 and it's only the sandboxing. Attached you find the screenshots.
Settings:Report from the week of the MS patch day in february:
Secureporter History from MS Patch day this month:
I did not include the Report from the March Patch day because the new weekly report from SecuReporter does not show the hash values anymore and in the reporter it self we can go back by maximum 30 days.
0 -
Hi @Dexta
Thanks for sharing the helpful information with us.
See how you've made an impact in Zyxel Community this year!
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 148 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight