Getting a bunch of Gateway AV alerts in the last half hour - sig 22097568
solmssen Newbie ✭
I've gotten this from two machines in the last half hour; searching the SW sig database shows no results.
09/21/2022 22:24:21 - 809 - Security Services - Alert - 220.127.116.11, 80, X1 - 192.168.1.68, 56574, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.
Virus scans on the machines are clean, and the three sets of alerts are to CDNs:
18.104.22.168 is limelight.com
22.214.171.124 is edgecast.com
126.96.36.199 is stackpath.com
This feels like a false positive to me? Any other users seeing this? Any thoughts?
Category: Firewall Security Services
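To triage a burst like this, it helps to pull the alert lines apart and see how many distinct WAN peers and internal hosts one Cloud Id touches. The parser and summary below are an added example, not SonicWall code; they assume the log line layout quoted above (X1 = WAN side listed first, X0 = LAN side second), and the sample lines other than the one from the post are constructed.

```python
import re
from collections import defaultdict

# Regex for the Gateway AV alert line format quoted in the post (assumed layout).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (?P<msg_id>\d+) - "
    r"(?P<category>.+?) - (?P<priority>\w+) - "
    r"(?P<a_ip>[\d.]+), (?P<a_port>\d+), (?P<a_if>\w+) - "
    r"(?P<b_ip>[\d.]+), (?P<b_port>\d+), (?P<b_if>\w+) - "
    r"Gateway Anti-Virus Alert: \(Cloud Id: (?P<cloud_id>\d+)\) "
    r"(?P<threat>\S+) \((?P<kind>[^)]+)\) (?P<action>\w+)\.$"
)

# Constructed sample: the line from the post plus two made-up companions
# using the CDN addresses the post lists.
SAMPLE_LOG = """\
09/21/2022 22:24:21 - 809 - Security Services - Alert - 220.127.116.11, 80, X1 - 192.168.1.68, 56574, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.
09/21/2022 22:31:05 - 809 - Security Services - Alert - 18.104.22.168, 80, X1 - 192.168.1.73, 51020, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.
09/21/2022 22:40:17 - 809 - Security Services - Alert - 22.214.171.124, 443, X1 - 192.168.1.68, 56601, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.
"""

def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines that don't match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text):
    """Group alerts by (cloud_id, threat): hit count, WAN peers, internal hosts.
    Sides are told apart by interface name (X1 = WAN, X0 = LAN), an assumption
    taken from the quoted line, rather than by field position."""
    groups = defaultdict(lambda: {"count": 0, "remote": set(), "internal": set()})
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        g = groups[(a["cloud_id"], a["threat"])]
        g["count"] += 1
        for ip, iface in ((a["a_ip"], a["a_if"]), (a["b_ip"], a["b_if"])):
            (g["remote"] if iface == "X1" else g["internal"]).add(ip)
    return dict(groups)

def report(groups):
    """One summary line per signature. The same Cloud Id firing against several
    unrelated CDN hosts while endpoint scans stay clean is the pattern worth a
    second opinion (enable Log Virus URI, then check the file or URL elsewhere)."""
    return [f"Cloud Id {cid} {thr}: {g['count']} hit(s), "
            f"{len(g['remote'])} remote host(s) {sorted(g['remote'])}, "
            f"{len(g['internal'])} internal host(s) {sorted(g['internal'])}"
            for (cid, thr), g in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```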
@solmssen I checked a few instances and wasn't able to see these specific detections. Did you activate logging of the URI to figure out what caused this? With this information you could download the file and provide it or the URL to VirusTotal for a second opinion.
It might be a false positive and can be excluded for the time being after more research.
Hi - this is a TZ350 running OS 188.8.131.52-97n. I'm not clear where to enable this feature, if it's available. I looked all through the Gateway AV settings. I did double-post on Reddit; I was hoping for responses and to get this into Google if others are searching. I appreciate your response very much.
@solmssen you have to activate this option in the Internal Settings of your Firewall.
Get into the internal settings (shown below) and activate "Log Virus URI" in the Security Services section. Please don't mess around with the other settings, they are not documented publicly and can cause a lot of trouble.
Thanks - I found it and enabled it. We'll see for the next time!