Getting pummelled by CDR reports of MSILHeracles download attempts from several of my ATPs

ChipConnJohn
ChipConnJohn Posts: 44  Freshman Member

It appears to be an old issue that happened in 2022 too, if these are indeed false positives.

I can't quite tell if it's a false positive though. The two files I've seen it block are:
AD2F1837.HPPrinterControl_145.1.1083.0_neutral_~_v10z8vjag6ke6
and
ccdeecee-9152-46a2-a8ca-5e4458eb35a5

These look like Windows Update files, but the IP addresses are not things I necessarily recognize.

Anyone else seeing this?


All Replies

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 892  Zyxel Employee

    Hi @ChipConnJohn ,

    Greetings Forum, please kindly collect the information below and send it to me by private message.

    (1). The detected file (if you have)
    (2). Collect the bdsyslog.zip file on their PC:
    STEP1. Download the BDSysLog_i.exe file:
    https://download.bitdefender.com/supporttools/bdsyslog/v2/BDSysLog_i.exe
    STEP2. Collect the bdsyslog file for us:
    https://www.bitdefender.com/consumer/support/answer/1922/

    Thank you

  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member

    Hello,

    The firewall is blocking attempts to download these files and I don't see any place the firewall is holding the files in quarantine. Not sure how to get a copy of the files at that point.

    I have SentinelOne and BlackPoint running on every machine that is triggering the download. I've done scans of those machines using S1 and nothing has been found.

    Do you have a sandbox environment you can download these files to?

  • MBS
    MBS Posts: 3

    I had the same message on an ATP100.

    It ended when I uninstalled the HP printer update program.

  • OTADMIN
    OTADMIN Posts: 15  Freshman Member

    We have the same problem.

    It looks like the updates are coming from users who have HP printers at home, and the software is installed when they work from home with the printer.
    When they are back at the office the messages start to pop up.

    Uninstalling the HP update program might work, but I try to keep the workstations up-to-date so uninstalling the update program is not the first solution on my list.

    It is on multiple versions of the HPPrinterControl software

    1. Gen.Variant.MSILHeracles.cf775202 ⇒ AD2F1837.HPPrinterControl_144.1.1068.0_neutral_~_v10z8vjag6ke6
    2. Gen.Variant.MSILHeracles.da651960 ⇒ AD2F1837.HPPrinterControl_145.1.1083.0_neutral_~_v10z8vjag6ke6

    It's not possible to whitelist the "malware" because there is no hash.

    Creating a filter on the emails isn't an option because the mail itself only shows the client information, and not the detection itself.

    An update to solve this would be nice.

  • e_mano_e
    e_mano_e Posts: 88  Ally Member

    This is not a real solution, but it is a temporary solution:

    Add an entry to the Allow list of Anti-Malware using "file-pattern" like this: AD2F1837.HPPrinterControl*

    Has worked for me.
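    The file-pattern allow-list entry above, worked through as an added example (not code from this thread, from Zyxel or from HP). It assumes the firewall's "file-pattern" field uses shell-style glob matching (the trailing `*` in the entry suggests so, but that is an assumption), and it parses the detected names as Windows package full names (`Name_Version_Architecture_ResourceId_PublisherId`, where the 13-character PublisherId is derived from the package's signed Publisher). The alert list is constructed from the names quoted in this thread plus one constructed lookalike with a different publisher id, to show how much a broad prefix pattern suppresses compared with a pattern anchored on name and publisher id:

```python
"""Triage helper: which anti-malware alerts would a file-pattern allow-list entry silence?"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Layout of a Windows package full name: Name_Version_Architecture_ResourceId_PublisherId.
# The 13-character PublisherId is derived from the package's Publisher (signing certificate subject),
# so anchoring an allow-list pattern on it is tighter than a bare name prefix.
PACKAGE_FULL_NAME = re.compile(
    r"^(?P<name>[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)+)_"
    r"(?P<version>\d+\.\d+\.\d+\.\d+)_"
    r"(?P<arch>[A-Za-z0-9]+)_"
    r"(?P<resource>[^_]*)_"
    r"(?P<publisher_id>[a-z0-9]{13})$"
)


@dataclass(frozen=True)
class PackageName:
    name: str
    version: str
    arch: str
    resource: str
    publisher_id: str


def parse_package_full_name(filename: str) -> Optional[PackageName]:
    """Return the decomposed package name, or None for names that are not package full names
    (e.g. the GUID-style file name quoted in the thread)."""
    m = PACKAGE_FULL_NAME.match(filename)
    return PackageName(**m.groupdict()) if m else None


def suggest_pattern(pkg: PackageName) -> str:
    """Allow-list pattern that covers every version of one package from one publisher id only."""
    return f"{pkg.name}_*_{pkg.publisher_id}"


# Constructed alert list: (signature, detected file name). The first two rows are the names
# quoted in this thread; the third is the GUID-named file (signature not given in the thread);
# the fourth is a constructed lookalike with a different publisher id.
ALERTS: List[Tuple[str, str]] = [
    ("Gen.Variant.MSILHeracles.cf775202", "AD2F1837.HPPrinterControl_144.1.1068.0_neutral_~_v10z8vjag6ke6"),
    ("Gen.Variant.MSILHeracles.da651960", "AD2F1837.HPPrinterControl_145.1.1083.0_neutral_~_v10z8vjag6ke6"),
    ("<signature not given in thread>", "ccdeecee-9152-46a2-a8ca-5e4458eb35a5"),
    ("<constructed lookalike>", "AD2F1837.HPPrinterControl_146.0.0.0_neutral_~_" + "z" * 13),
]

BROAD_PATTERN = "AD2F1837.HPPrinterControl*"  # the entry suggested in the thread
TIGHT_PATTERN = suggest_pattern(parse_package_full_name(ALERTS[0][1]))  # name + publisher id


def triage(alerts: List[Tuple[str, str]], allow_patterns: List[str]) -> List[Tuple[str, str, bool]]:
    """Mark each alert as suppressed (True) if any allow-list pattern matches its file name.
    Matching is case-sensitive glob matching, assumed to mirror the firewall's file-pattern field."""
    out = []
    for signature, filename in alerts:
        suppressed = any(fnmatch.fnmatchcase(filename, pat) for pat in allow_patterns)
        out.append((signature, filename, suppressed))
    return out


def suppressed_count(alerts: List[Tuple[str, str]], allow_patterns: List[str]) -> int:
    return sum(1 for _, _, s in triage(alerts, allow_patterns) if s)


if __name__ == "__main__":
    for label, pattern in (("broad", BROAD_PATTERN), ("tight", TIGHT_PATTERN)):
        print(f"\nallow-list pattern ({label}): {pattern}")
        for signature, filename, suppressed in triage(ALERTS, [pattern]):
            pkg = parse_package_full_name(filename)
            who = f"publisher_id={pkg.publisher_id}" if pkg else "not a package full name"
            print(f"  {'SUPPRESSED' if suppressed else 'still alerts'}  {filename}  [{who}] {signature}")
```

    The broad prefix entry silences the two HP versions from the thread and also the constructed lookalike with a foreign publisher id; the name-plus-publisher-id pattern silences only the two genuine ones, and the GUID-named file stays unmatched under either pattern, so it still needs its own investigation.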

  • PhilippeBkk
    PhilippeBkk Posts: 13  Freshman Member

    This has been reported in several threads for more than one week, but ZYXEL people still cannot tell what to do, nor can they say if it is a false positive.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 892  Zyxel Employee

    Hi @ChipConnJohn @OTADMIN , @MBS

    It is fine, please kindly provide the below information for us. Thank you

    STEP1. Download the BDSysLog_i.exe file:
    https://download.bitdefender.com/supporttools/bdsyslog/v2/BDSysLog_i.exe
    STEP2. Collect the bdsyslog file for us:
    https://www.bitdefender.com/consumer/support/answer/1922/

    Thank you

  • ChipConnJohn
    ChipConnJohn Posts: 44  Freshman Member

    @Zyxel_Kevin,

    I have a Bitdefender log from a machine that was being flagged as trying to download malware while I was running the Bitdefender tool. I think this should give you what you need. How do I get the log file to you?

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 892  Zyxel Employee

    Hi @ChipConnJohn ,

    We will remove signatures in next anti-malware package.

    Please kindly check if the issue happens again. Thank you

  • LucaPapaleo
    LucaPapaleo Posts: 13  Freshman Member

    Hello, without a firmware update? Just a signature update?

    Luca