Where do I find the details of a Virus alert from the CSC-MA (GMS)?

I received the following email alert, generated at 1:30 this morning, Thursday September 10:

You are receiving this email because Capture Security Center Alert Notification Service has generated an alert for Firewall Metro TZ600, monitored by Capture Security Center with Serial xxxxxxxxxxx.

The Alert Rule is named as Threat Notification Rule and is defined as

info = THREAT-TYPE :: Virus, Name :: UPX_Packed_Executable_0 (Trojan), SRCIP :: 192.168.1.63 (Private IP), DSTIP :: 68.64.13.8 (United States)

I'm having a hard time discerning where this information could be located (and, knowing me, it may be in plain sight). So where in CSC-MA can I identify the exact executable that was flagged?

Turns out the DSTIP address is LogMeIn, and I'm of the impression that this might be a false positive. If so, I'd like to get it reported.

Thanks!

Category: Capture Security Center

Answers

  • Micah (Administrator)

    Hello @shiprasahu93 can you assist?

    Self-Service Sr. Manager at SonicWall. Say "hi" by tagging me at @micah.

  • Larry (Enthusiast ✭✭)

    @shiprasahu93 that was, well almost, helpful.

    I got this:

    And I clicked on the name, and got this:

    And closed that, and went to the magnifying glass and got this:

    And figured the session log would have the details of the actual EXE, but here's what I got:

    I won't bore you with the screenshots of each of the remaining options, but not one of them identified the actual executable name that was flagged...

    So if something triggered this alert, why won't it let me know exactly what it was?

  • Hello @Larry,

    I think the SonicWall does not actually unpack/decompress or decrypt to find out the actual EXE file that was packed using UPX, and that is the reason it does not show you the actual EXE.

    This is some explanation I found on this topic:

    Packers are utilities which compress and sometimes encrypt executables. Although there are legitimate applications for these, they are also sometimes used with the intent of obfuscation, so as to make the executables less detectable by anti-virus applications. The packer adds a header that expands the file in memory, and then executes that file. SonicWall Gateway Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and ASPack. Additional formats are dynamically added along with SonicWall GAV signature updates.

    So, I think the SonicWall immediately blocks once it sees this format irrespective of what is packed within it. So, if the source/destination is looking valid, you might want to exclude them. This is similar to the actions that we can take when we see password protected ZIP files. We can't really investigate the content within it, so we can either allow or block it completely.

    I hope that helps!

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Larry (Enthusiast ✭✭)

    @shiprasahu93 , again, that was helpful, almost...

    SonicWall will take a PDF that I'm downloading and send it up to a sandbox to investigate whether it contains harmful contents, irrespective of whether I have "block until verdict." However, it won't unpack a UPX file to identify internal components because it merely suspects there's a problem?

    I'm sorry, but in a threatened landscape that approach doesn't appear to make much sense.

    I'll mark as "answered" nonetheless.
