
Getting a bunch of Gateway AV alerts in the last half hour - sig 22097568

Gotten this from two machines in the last half hour, searching the SW sig database shows no results.

09/21/2022 22:24:21 - 809 - Security Services - Alert - 68.142.107.4, 80, X1 - 192.168.1.68, 56574, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.

Virus scans on the machines are clean, and the three sets of alerts are to CDNs:

68.142.107.4 is limelight.com

72.21.81.240 is edgecast.com

209.197.3.8 is stackpath.com

This feels like a false positive to me? Any other users seeing this? Any thoughts?

Category: Firewall Security Services
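As an added example (not code from the post or from SonicWall), a small Python parser for the log line format quoted above that groups Gateway AV alerts by Cloud Id, so the remote hosts, affected clients and time span of a burst can be read off before deciding whether to exclude the signature. The sample log is constructed for this example; only the three CDN addresses come from the thread, the internal hosts, ports and times are made up.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime
from typing import Optional
# Constructed sample in the log format quoted in the post: the remote IPs are the
# three CDN addresses from the thread; internal hosts, ports and times are made up.
SAMPLE_LOG = """\
09/21/2022 22:24:21 - 809 - Security Services - Alert - 68.142.107.4, 80, X1 - 192.168.1.68, 56574, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.
09/21/2022 22:26:05 - 809 - Security Services - Alert - 72.21.81.240, 80, X1 - 192.168.1.68, 56601, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.
09/21/2022 22:31:47 - 809 - Security Services - Alert - 209.197.3.8, 443, X1 - 192.168.1.73, 49822, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.
09/21/2022 22:40:10 - 809 - Security Services - Alert - 68.142.107.4, 80, X1 - 192.168.1.73, 49901, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.
09/21/2022 22:41:00 - 97 - Network - Notice - 192.168.1.73, 49910, X0 - 93.184.216.34, 443, X1 - Connection Opened
"""

MSG_RE = re.compile(r"\(Cloud Id: (?P<cloud_id>\d+)\) (?P<sig>\S+) \((?P<kind>[^)]+)\) (?P<action>\w+)")
# In the quoted line the first endpoint triple is the remote server on X1 (WAN) and
# the second the internal client on X0 (LAN); the field names follow that order.
GavAlert = namedtuple("GavAlert", "when remote_ip remote_port remote_if client_ip "
                                  "client_port client_if cloud_id signature kind action")

def parse_alert(line: str) -> Optional[GavAlert]:
    """Split one ' - '-delimited SonicWall event; return None for non-GAV lines."""
    parts = line.strip().split(" - ", 6)
    if len(parts) != 7 or not parts[6].startswith("Gateway Anti-Virus Alert"):
        return None
    m = MSG_RE.search(parts[6])
    if m is None:
        return None
    remote = [p.strip() for p in parts[4].split(",")]
    client = [p.strip() for p in parts[5].split(",")]
    return GavAlert(datetime.strptime(parts[0], "%m/%d/%Y %H:%M:%S"),
                    remote[0], int(remote[1]), remote[2], client[0], int(client[1]), client[2],
                    m["cloud_id"], m["sig"], m["kind"], m["action"])

def summarize(log_text: str) -> dict:
    """Group GAV alerts by Cloud Id: signature, hit count, remote hosts, clients, time span."""
    groups = defaultdict(lambda: {"signature": None, "count": 0, "remote": set(),
                                  "clients": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        g = groups[a.cloud_id]
        g["signature"], g["count"] = a.signature, g["count"] + 1
        g["remote"].add(a.remote_ip)
        g["clients"].add(a.client_ip)
        g["first"] = a.when if g["first"] is None else min(g["first"], a.when)
        g["last"] = a.when if g["last"] is None else max(g["last"], a.when)
    return dict(groups)
```

Run `summarize(SAMPLE_LOG)` on the sample (or on an exported log) and a single Cloud Id spread across several unrelated CDN hosts and several clients within minutes stands out immediately; each remote host can then be checked with the Log Virus URI data once it is enabled.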

Answers

  • BWC Cybersecurity Overlord ✭✭✭
    edited September 22

    @solmssen I checked a few instances and wasn't able to see these specific detections. Did you activate the logging of the URI to figure out what caused this? With this information you could download the file and provide it or the URL to VirusTotal for a 2nd opinion.

    It might be a false positive and can be excluded for the time being after more research.

    UPDATE: reddit is more responsive it seems :)

    --Michael@BWC

  • solmssen Newbie ✭

    Hi - this is a TZ350 running OS 6.5.4.11-97n. I'm not clear where to enable this feature, if it's available. I looked all through the Gateway AV settings. I did dual post on reddit, I was hoping for responses and to get this into google if others are searching. I appreciate your response very much.

  • BWC Cybersecurity Overlord ✭✭✭

    @solmssen you have to activate this option in the Internal Settings of your Firewall.

    Get into the internal settings (shown below) and activate "Log Virus URI" in the Security Services section. Please don't mess around with the other settings, they are not documented publicly and can cause a lot of trouble.

    --Michael@BWC

  • solmssen Newbie ✭

    Thanks - I found it and enabled it. We'll see for the next time!
