
DoublePulsar was not recognized by SonicWall

Den, Newbie ✭

Hello,

We had several hosts infected by the DoublePulsar malware. The hosts were actively scanning the network but were not recognized by SonicWall alerts.

Maybe I need to enable some additional settings?

And it would be good to know - is it possible to get data about virus alerts from SonicWall via SNMP?

NSA 2600 and NSA 3600 are used in our company.

Firmware Version: SonicOS Enhanced 6.5.3.2-14n

Signature database downloaded: UTC 05/29/2020
Thank you in advance.

Category: High End Firewalls

Answers

  • fmadia, Moderator

    Hi @Den,

    I'm sorry to hear that. So far the SonicWall should be able to recognize all the known DoublePulsar variants, and with Capture ATP we should be able to detect most of the unknown ones as well.

    In order to understand better, we should know more about what type of services you have enabled on your firewall (i.e. Gateway AV, Capture ATP, etc.), whether DPI-SSL is enabled or not, and what type of End-Point protection is applied (the threat could also have been introduced using a USB key or from someone's laptop).

    Regarding SNMP, we have MIBs including all threats detected and prevented by our Security Services.

    The best option would be to open a Support ticket so our team can make sure everything is configured properly.

    Please do provide some more details here and I may be able to help you further.

  • Den, Newbie ✭

    Hi @fmadia, thank you for your reply.

    DPI-SSL is not activated (it looks like a license restriction). On the hosts we have Symantec antivirus. The Gateway Anti-Virus global settings you can find below:

    About MIBs - we have two monitoring systems, Zabbix and PRTG, and we want to monitor alerts regarding viruses in PRTG, for example. Do I need to contact SonicWall support in this case?

  • shiprasahu93, Moderator (edited June 1)

    Hello @Den,

    I would just like to add that DPI SSL can be easily activated from mysonicwall.com and is no longer a purchased service for Gen 6 appliances.

    For the specific product you can activate it as below.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • fmadia, Moderator

    Hi @Den,

    Unfortunately most of the threats are delivered via encrypted connections, so without DPI-SSL your SonicWall can't be effective and the threats will just pass the GAV without being recognized.

    To be protected against known and unknown threats (even within encrypted communication), I would highly suggest you buy/enable DPI-SSL and Capture ATP. As mentioned by Shipra above, the DPI-SSL license can easily be activated on MySonicWall for Gen6 NSA appliances.

    You may want to take a look at the following KBs:

    For the best protection we do offer End-Point Protection too through our Capture Client if needed: https://www.sonicwall.com/products/firewalls/security-services/capture-client/

    Regarding SNMP, if you're not getting alerts even though it's all configured correctly (https://www.sonicwall.com/support/knowledge-base/configuring-snmp-in-sonicos/170505617080053/), I would suggest contacting our Support.

    Let me know if you need further information.

    Francesco

  • Den, Newbie ✭

    @fmadia, perhaps I didn't make it clear - hosts inside the local network were infected, i.e. the data was transmitted without encryption.

    Example of log messages from SonicWall:

    May 15 20:02:14 lgb-sonicwall id=sonicwall sn=XXXXXXXXXXXX time="2020-05-15 20:02:14" fw=12.7.x.x pri=6 c=1024 m=537 msg="Connection Closed" app=5181 n=133774137 src=10.1.x.x:59866:X3-V99:host-1 dst=192.168.x.x:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=48:4d:7e:e9:10:23 proto=tcp/445 sent=275 rcvd=98 spkt=3 rpkt=2 rule="185 (DC->LAN)"

    May 15 20:02:24 lgb-sonicwall id=sonicwall sn=XXXXXXXXXXXX time="2020-05-15 20:02:24" fw=12.7.x.x pri=6 c=1024 m=537 msg="Connection Closed" app=5181 n=133774328 src=10.1.x.x:59867:X3-V99:host-1 dst=192.168.x.x:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=f8:b1:56:af:ee:8c proto=tcp/445 sent=715 rcvd=520 spkt=6 rpkt=5 rule="185 (DC->LAN)"

    May 15 20:02:29 lgb-sonicwall id=sonicwall sn=XXXXXXXXXXXX time="2020-05-15 20:02:29" fw=12.7.x.x pri=6 c=1024 m=537 msg="Connection Closed" app=49282 appName="Service SMB" n=133774374 src=10.1.x.x:59871:X3-V99:host-1 dst=192.168.x.x:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=98:90:96:9d:89:de proto=tcp/445 sent=144 rcvd=144 spkt=3 rpkt=3 rule="185 (DC->LAN)"

    May 15 20:02:29 lgb-sonicwall id=sonicwall sn=XXXXXXXXXXXX time="2020-05-15 20:02:29" fw=12.7.x.x pri=6 c=1024 m=537 msg="Connection Closed" app=49282 appName="Service SMB" n=133774384 src=10.1.x.x:59876:X3-V99:host-1 dst=192.168.x.x:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=00:22:ee:03:05:88 proto=tcp/445 sent=52 rcvd=46 spkt=1 rpkt=1 rule="185 (DC->LAN)"

    May 15 20:02:29 lgb-sonicwall id=sonicwall sn=XXXXXXXXXXXX time="2020-05-15 20:02:29" fw=12.7.x.x pri=6 c=1024 m=537 msg="Connection Closed" app=49282 appName="Service SMB" n=133774387 src=10.1.x.x:59886:X3-V99:host-1 dst=192.168.x.x:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=00:22:ee:03:05:8a proto=tcp/445 sent=52 rcvd=46 spkt=1 rpkt=1 rule="185 (DC->LAN)"

    May 15 20:02:30 lgb-sonicwall id=sonicwall sn=XXXXXXXXXXXX time="2020-05-15 20:02:30" fw=12.7.x.x pri=6 c=1024 m=537 msg="Connection Closed" app=49282 appName="Service SMB" n=133774388 src=10.1.x.x:59876:X3-V99:host-1 dst=192.168.x.x:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=00:22:ee:03:05:88 proto=tcp/445 sent=52 rcvd=46 spkt=1 rpkt=1 rule="185 (DC->LAN)"

    May 15 20:02:30 lgb-sonicwall id=sonicwall sn=XXXXXXXXXXXX time="2020-05-15 20:02:30" fw=12.7.x.x pri=6 c=1024 m=537 msg="Connection Closed" app=49282 appName="Service SMB" n=133774389 src=10.1.x.x:59900:X3-V99:host-1 dst=192.168.x.x:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=50:9a:4c:40:ac:c5 proto=tcp/445 sent=144 rcvd=144 spkt=3 rpkt=3 rule="185 (DC->LAN)"
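What stands out in these lines is the fan-out pattern: one source on the DC VLAN opening short TCP/445 sessions to many different LAN hosts within a few seconds, which is the footprint of SMB lateral-movement scanning regardless of whether a signature fired. As an added example that is not part of this thread and not SonicWall's own tooling, the following Python parses SonicOS key=value syslog lines of the shape shown above and flags any source that reaches a threshold of distinct hosts on port 445 inside a sliding time window. The sample lines, IP addresses, MAC addresses, serial number, window and threshold are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the SonicOS m=537 "Connection Closed" lines in
# the thread. Addresses, serial and MACs are invented. host-1 (10.1.99.5) reaches
# five different servers on TCP/445 within 16 seconds; host-2 talks to one server.
SAMPLE_LOGS = """\
May 15 20:02:14 lgb-sonicwall id=sonicwall sn=0000000000000 time="2020-05-15 20:02:14" fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" app=5181 n=1 src=10.1.99.5:59866:X3-V99:host-1 dst=192.168.124.10:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=48:4d:7e:e9:10:23 proto=tcp/445 sent=275 rcvd=98 spkt=3 rpkt=2 rule="185 (DC->LAN)"
May 15 20:02:24 lgb-sonicwall id=sonicwall sn=0000000000000 time="2020-05-15 20:02:24" fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" app=5181 n=2 src=10.1.99.5:59867:X3-V99:host-1 dst=192.168.124.11:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=f8:b1:56:af:ee:8c proto=tcp/445 sent=715 rcvd=520 spkt=6 rpkt=5 rule="185 (DC->LAN)"
May 15 20:02:29 lgb-sonicwall id=sonicwall sn=0000000000000 time="2020-05-15 20:02:29" fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" app=49282 appName="Service SMB" n=3 src=10.1.99.5:59871:X3-V99:host-1 dst=192.168.124.12:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=98:90:96:9d:89:de proto=tcp/445 sent=144 rcvd=144 spkt=3 rpkt=3 rule="185 (DC->LAN)"
May 15 20:02:29 lgb-sonicwall id=sonicwall sn=0000000000000 time="2020-05-15 20:02:29" fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" app=49282 appName="Service SMB" n=4 src=10.1.99.5:59876:X3-V99:host-1 dst=192.168.124.13:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=00:22:ee:03:05:88 proto=tcp/445 sent=52 rcvd=46 spkt=1 rpkt=1 rule="185 (DC->LAN)"
May 15 20:02:30 lgb-sonicwall id=sonicwall sn=0000000000000 time="2020-05-15 20:02:30" fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" app=49282 appName="Service SMB" n=5 src=10.1.99.5:59876:X3-V99:host-1 dst=192.168.124.13:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=00:22:ee:03:05:88 proto=tcp/445 sent=52 rcvd=46 spkt=1 rpkt=1 rule="185 (DC->LAN)"
May 15 20:02:30 lgb-sonicwall id=sonicwall sn=0000000000000 time="2020-05-15 20:02:30" fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" app=49282 appName="Service SMB" n=6 src=10.1.99.5:59900:X3-V99:host-1 dst=192.168.124.14:445:X3-V124 srcMac=00:01:e8:8b:03:16 dstMac=50:9a:4c:40:ac:c5 proto=tcp/445 sent=144 rcvd=144 spkt=3 rpkt=3 rule="185 (DC->LAN)"
May 15 20:02:31 lgb-sonicwall id=sonicwall sn=0000000000000 time="2020-05-15 20:02:31" fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" app=49282 appName="Service SMB" n=7 src=10.1.99.8:50211:X3-V99:host-2 dst=192.168.124.10:445:X3-V124 srcMac=00:01:e8:8b:03:99 dstMac=48:4d:7e:e9:10:23 proto=tcp/445 sent=9120 rcvd=80311 spkt=40 rpkt=62 rule="185 (DC->LAN)"
May 15 20:02:32 lgb-sonicwall id=sonicwall sn=0000000000000 time="2020-05-15 20:02:32" fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" app=49282 appName="Service SMB" n=8 src=10.1.99.8:50212:X3-V99:host-2 dst=192.168.124.10:445:X3-V124 srcMac=00:01:e8:8b:03:99 dstMac=48:4d:7e:e9:10:23 proto=tcp/445 sent=9120 rcvd=80311 spkt=40 rpkt=62 rule="185 (DC->LAN)"
"""

# key=value pairs; values are either a double-quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one SonicOS syslog line into a dict, or None if it lacks src/dst/time."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if not {"src", "dst", "time"} <= fields.keys():
        return None
    src_parts = fields["src"].split(":")   # ip:port:interface[:hostname]
    dst_parts = fields["dst"].split(":")   # ip:port:interface
    return {
        "time": datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S"),
        "src_ip": src_parts[0],
        "src_name": src_parts[3] if len(src_parts) > 3 else src_parts[0],
        "dst_ip": dst_parts[0],
        "dst_port": dst_parts[1] if len(dst_parts) > 1 else "",
        "rule": fields.get("rule", ""),
    }


def detect_smb_fanout(lines, window=timedelta(seconds=60), threshold=5, port="445"):
    """Return {src_ip: details} for sources that reached >= threshold distinct
    destination hosts on `port` within any `window`-long span of time."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dst_port"] == port:
            by_src[ev["src_ip"]].append(ev)

    alerts = {}
    for src_ip, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        best, span, left = 0, None, 0
        for right in range(len(events)):
            # Slide the left edge forward until the window fits.
            while events[right]["time"] - events[left]["time"] > window:
                left += 1
            distinct = {e["dst_ip"] for e in events[left:right + 1]}
            if len(distinct) > best:
                best, span = len(distinct), (events[left]["time"], events[right]["time"])
        if best >= threshold:
            alerts[src_ip] = {
                "src_name": events[0]["src_name"],
                "distinct_targets": best,
                "first": span[0],
                "last": span[1],
                "rule": events[0]["rule"],
            }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_smb_fanout(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip} ({a['src_name']}): {a['distinct_targets']} SMB targets "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} via rule {a['rule']!r}")
```

The window and threshold are tuning knobs: a file server or a backup job legitimately talks to many hosts on 445, so in practice the rule is scoped to zones or sources that should never initiate SMB fan-out (here, workstations on the DC-side VLAN), and the `rule` field is kept in the alert so the analyst can see which access rule let the traffic through.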

  • fmadia, Moderator

    Hi @Den,

    I see. Based on the above the traffic goes from X3:V99 to X3:V124 (DC -> LAN) and it should be inspected by the firewall (of course the first host that got infected either downloaded something from internet or the virus was on that machine somehow).

    First thing I'd check is that you have the Security Services (Gateway AV, Anti-Spyware, IPS) enabled on the DC and LAN zones.

    Second, if the threat was not in the Gateway AV database (meaning it was unknown), the only way we could capture it would be via the Capture ATP service, which should be enabled.

    Francesco

  • Den, Newbie ✭

    @fmadia you are right, for the DC zone the Gateway AV, Anti-Spyware and IPS features are not enabled. So, you believe this is the reason?

  • fmadia, Moderator

    @Den If the traffic was going from DC to LAN, it should have been blocked anyway because before leaving the firewall to go into VLAN 124, the Security Services should inspect it anyway.

    There could be many reasons, unfortunately; we can't confirm. But with Capture ATP enabled and security services enabled on each zone you should be quite safe (of course with DPI-SSL to protect against encrypted threats).

  • Den, Newbie ✭

    @fmadia agree. I mean, even if the security services are not enabled for the DC zone, these services are enabled for the LAN zone for the inbound/outbound direction. I think SonicWall should detect the attack in any way. I am asking because I can't explain to the management why this happened. Maybe we need to enable some other features which we don't know about.

  • fmadia, Moderator

    @Den, unfortunately we should take a look at the configuration to confirm whether the firewall setup is correct or not and if you need additional features.

    The best way at this point would be to contact support for a deep investigation.

  • shiprasahu93, Moderator

    Hello @Den,

    You can also check if there are any exclusions added by IP address to the security services that are enabled. Now, we have options to disable DPI on the access rules as well. You should also revisit the rules between DC and LAN zones.

    I hope that helps!

    Thanks!!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Den, Newbie ✭

    @shiprasahu93 thank you for your reply. I've checked - from the DC to the LAN zone we have a rule which allows all traffic. On the 'Advanced' tab in the rule settings there are no enabled checkboxes like 'Disable DPI', if I understand you right. So I think the best way is to open a TT with SonicWall support.

  • shiprasahu93, Moderator

    Yes, @Den. Please open a support case as we need to perform further investigation and find the root cause. Use the following to contact SonicWall support.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services
