Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Gateway Anti-Virus Alert (Cloud Id: 13263444)

Guys, this morning this alert appeared in my report "Gateway Anti-Virus Alert: (Cloud Id: 13263444) Kryptik.AYPY (Trojan) blocked". It's pointing to two new machines that we put on the net yesterday. I didn't find information about what this "Kryptik.AYPY" might be. Can you help me understand what this is?


Category: Firewall Security Services
Reply

Answers

  • AdviseAdvise Newbie ✭

    In relation to security, I removed the two machines from the network. But I don't understand what this "Kryptik.AYPY" is.

  • DerrynJDerrynJ Newbie ✭

    I would like to know as well.

    We have the exact same GAV alert from multiple sources and destinations. We've checked with third party scanners with no result, and one of the affected machines is a brand new Lenovo T14s. It seems to come and go.

    The log entry is extremely unhelpful, the best you get is a source and destination. The source IPs tend to be owned by Akamai or other CDNs. So far I've got:

    8.246.0.126

    8.246.65.254

    8.252.191.254

    8.252.42.126

    23.38.166.131

    23.38.166.186

    23.38.166.200

    23.38.166.201

    23.38.166.202

    23.38.166.203

    23.46.172.8

    23.46.172.16

    23.203.248.43

    23.203.248.25

    60.254.148.25

    60.254.148.138

    60.254.148.208

    111.119.8.1

    117.121.252.192

    And a bunch more.

    I'm guessing false positive, but I don't know how to confirm.

  • AdviseAdvise Newbie ✭

    Based on your answer I believe it to be a false positive yes. Because we know that Akamai is a company used by big developers to distribute their update packages to customers. If in your analysis you were able to identify Akamai servers, it is very likely that it is something that has happened before and that we should just ignore. The problem is that the way SonicWall reports this traffic is confusing and makes me believe it's a bad thing.

  • AdviseAdvise Newbie ✭

    If it is really a false positive, we can adopt the solution of this other forum that dealt with something very similar before.

    https://community.sonicwall.com/technology-and-support/discussion/3825/anti-virus-alert-cloud-id-29060692-starter-y-trojan-blocked-another-false-positive

  • ThebwunThebwun Newbie ✭
    edited May 2022
    Hi,

    We also saw these same alerts for numerous machines on our LAN on a couple of days last week.

    All windows 10 devices.

    The IP ranges tie back to akamai and limelight networks (CDN).

    In each case the IP can be resolved back to genuine windows update servers.

    We were initially concerned it may be related to this:

    https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/

    As this file is also identified as "Kryptik" by fortigate.

    However, we are now less concerned based on the CDNs and IPs used being genuine (MS endpoints).

    Can somebody from Sonicwall confirm if this is a false positive?
  • AdviseAdvise Newbie ✭

    It would be great if someone from SonicWall could give us some information.

  • MikeSWMikeSW Newbie ✭

    I know what caused this for me, but the only reason I saw it because it corresponded to what I was working on. Scenario: we had a dead laptop, decided it was unrecoverable. We took out the NVMe drive and put it in an HP workstation with an NVMe PCI adapter. The moment we fired up the machine we started getting a steady stream of Cloud id: 13263444 alerts. The workstation in question is a development/test machine and is typically off and is not used for any web activity. There were no identified issues but are confident the issue was caused by Bitlocker. The NVMe drive was encrypted and as soon as we entered the Bitlocker key all of the alerts stopped. We also decrypted the drive as part of the process and we never received another alert.

    I hope that helps, we believe that was the cause of the issue. It seemed the alerts were spread out every few minutes, but we would get a barrage of alerts back to back.

  • AdviseAdvise Newbie ✭

    In my case, we don't have BitLocker as a computer encryption solution. It was really strange what happened on this day when I opened this discussion. We didn't have more reports of this same item, but sometimes others with different names appear.

    I strongly believe that it is something coming from Microsoft for distributing updates and our Firewall understands it as an attack.

  • prestonpreston All-Knowing Sage ✭✭✭✭

    @Advise, see here to find out more info about what the file is, IMO this should be enabled by default.

    https://www.sonicwall.com/support/knowledge-base/how-to-get-the-uri-associated-to-the-viruses-being-blocked-by-sonicwall/220317131216557/

  • AdviseAdvise Newbie ✭

    I have now enabled this option on my appliance.

    Should the details come in the report?

  • prestonpreston All-Knowing Sage ✭✭✭✭

    Advise, if you mean the logs sent via email then yes it should be in there and the event log itself

Sign In or Register to comment.