Where do I find the details of a Virus alert from the CSC-MA (GMS)?
I received the following email alert, generated at 1:30 this morning, Thursday September 10:
You are receiving this email because Capture Security Center Alert Notification Service has generated an alert for Firewall Metro TZ600, monitored by Capture Security Center with Serial xxxxxxxxxxx.
The Alert Rule is named as Threat Notification Rule and is defined as
info = THREAT-TYPE :: Virus, Name :: UPX_Packed_Executable_0 (Trojan), SRCIP :: 192.168.1.63 (Private IP), DSTIP :: 188.8.131.52 (United States)
I'm having a hard time discerning where this information could be located (and, knowing me, it may be in plain sight). So where in CSC-MA can I identify the exact executable that was flagged?
Turns out the DSTIP address is LogMeIn, and I'm of the impression that this might be a false positive. If so, I'd like to get it reported.
Since the threat type is showing up as Virus, please navigate to that specific device under Device manager instead of the global view. On top, if you select the report tab, Viruses should be one of the options under Details section. I think that tab should have the data you need.
You might need to adjust the time a little bit to get to it.
Technical Support Advisor, Premier Services
Hello @shiprasahu93 can you assist?
@micah - SonicWall's Self-Service Sr. Manager
@shiprasahu93 that was, well almost, helpful.
I got this:
And I clicked on the name, and got this:
And closed that, and went to the magnifying glass and got this:
And figured the session log would have the details of the actual EXE, but here's what I got:
I won't bore you with the screenshots of each of the remaining options, but not one of them identified the actual executable name that was flagged...
So if something triggered this alert, why won't it let me know exactly what it was?
I think the SonicWall does not actually unpack/decompress or decrypt to find out the actual EXE file that was packed using UPX, and that is the reason it does not show you the actual EXE.
This is some explanation I found on this topic:
Packers are utilities which compress and sometimes encrypt executables. Although there are legitimate applications for these, they are also sometimes used with the intent of obfuscation, so as to make the executables less detectable by anti-virus applications. The packer adds a header that expands the file in memory, and then executes that file. SonicWall Gateway Anti-Virus currently recognizes the most common packed formats: UPX, FSG, PKLite32, Petite, and ASPack. Additional formats are dynamically added along with SonicWall GAV signature updates.
So, I think the SonicWall immediately blocks once it sees this format irrespective of what is packed within it. So, if the source/destination is looking valid, you might want to exclude them. This is similar to the actions that we can take when we see password protected ZIP files. We can't really investigate the content within it, so we can either allow or block it completely.
I hope that helps!
Technical Support Advisor, Premier Services
@shiprasahu93, again, that was helpful, almost...
SonicWall will take a PDF that I'm downloading and send it up to a sandbox to investigate whether it contains harmful contents, irrespective of whether I have "block until verdict." However, it won't unpack a UPX file to identify internal components because it merely suspects there's a problem?
I'm sorry, but in a threatened landscape that approach doesn't appear to make much sense.
I'll mark as "answered" nonetheless.
@shiprasahu93 - Sorry to bring this back up, but it is a month later and LogMeIn is again attempting to update the client machines at this site.
Unfortunately, the firewall is preventing this "unidentifiable" exe file from reaching those machines.
How can I call support and have them try to identify this as a "false positive" if the UTM is not identifying the actual EXE file name and is also stopping the download?
Or do I just have to put LogMeIn's IP blocks in the GAV Exclusion list?
A quick fix will be excluding the concerned IP addresses from GAV. Once you do that, if you get the actual file, kindly report on this link, or you can call support to help you through that process.
Technical Support Advisor, Premier Services
Updated GAV Exclusions - but now I won't know about ANY file because the process runs behind the scenes for product update. I wouldn't know that there was a "problem" if I hadn't set the notifications (for all the good it did).
SW: Alert, alert, alert!
Me: What, where?
Me: Oh, great!
This isn't the way I envisioned "Boundless Security" if you know what I mean...
Necro-posting here because LogMeIn apparently uses a SLEW of IP addresses to distribute updates to client computers.
I keep getting these notices and the IP address invariably changes from week to week.
In this particular case, this is a spurious alert. How can I get rid of it without adversely affecting the security of the site?