
Is this message indicative of a false positive? It started last night so I shut down the PC.

11/27/2023 07:58:02 - 809 - Security Services - Alert - 23.60.159.57, 80, X4 - 192.168.0.167, 57762, X0 - Gateway Anti-Virus Alert: (Cloud Id: 82586309) Agent.FL (Trojan) blocked.

Category: Firewall Security Services

Answers

  • TonyA, SonicWall Employee

    Hi @pjb

    This is just a log entry stating that the firewall's Gateway Anti-Virus blocked a connection from source 23.60.159.57, 80, X4 to destination 192.168.0.167, 57762, X0, as it detected Agent.FL (Trojan), which matched a cloud ID (Cloud Id: 82586309). It was blocked at the firewall and didn't reach that PC.

    Was a user using the PC at this time? Were they trying to access a program, or did they click a link on a website? Was it something legit? If you know it's legit and a false positive, please report it on our portal:

    How can I report false positives or Virus/Trojan/Malware samples to the Gateway AntiVirus team? | SonicWall
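The field layout TonyA walks through above (timestamp, message id, category, priority, source ip/port/interface, destination ip/port/interface, Cloud Id, signature) can be parsed so repeat hits per internal host and per Cloud Id stand out before deciding whether to report a false positive or add an exception. This is an added example, not code from the thread or from SonicWall; the two follow-on log lines after the original one are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the SonicWall Gateway Anti-Virus alert line format quoted in the thread:
# ts - msg id - category - priority - src ip, port, iface - dst ip, port, iface - alert text
GAV_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (?P<msg_id>\d+) - "
    r"(?P<category>[^-]+?) - (?P<priority>[^-]+?) - "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<src_port>\d+), (?P<src_if>\w+) - "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<dst_port>\d+), (?P<dst_if>\w+) - "
    r"Gateway Anti-Virus Alert: \(Cloud Id: (?P<cloud_id>\d+)\) "
    r"(?P<signature>.+?) \((?P<sig_type>[^)]+)\) blocked\.$"
)

@dataclass(frozen=True)
class GavAlert:
    ts: str
    src_ip: str      # remote server the content came from
    src_port: int
    dst_ip: str      # internal host that requested it
    dst_port: int
    cloud_id: str
    signature: str
    sig_type: str

def parse_gav_alert(line):
    """Parse one GAV alert line; return None for log lines in any other format."""
    m = GAV_RE.match(line.strip())
    if not m:
        return None
    return GavAlert(m["ts"], m["src_ip"], int(m["src_port"]), m["dst_ip"],
                    int(m["dst_port"]), m["cloud_id"], m["signature"], m["sig_type"])

def summarize(lines):
    """Return (hits per (dst_ip, cloud_id), remote servers seen per cloud_id)
    so a single CDN address hitting several hosts on one Cloud Id is obvious."""
    alerts = [a for a in map(parse_gav_alert, lines) if a]
    per_host = Counter((a.dst_ip, a.cloud_id) for a in alerts)
    servers = {}
    for a in alerts:
        servers.setdefault(a.cloud_id, set()).add(a.src_ip)
    return per_host, servers

# Constructed sample: the line from the thread plus two made-up follow-on entries.
SAMPLE_LOG = [
    "11/27/2023 07:58:02 - 809 - Security Services - Alert - 23.60.159.57, 80, X4 - 192.168.0.167, 57762, X0 - Gateway Anti-Virus Alert: (Cloud Id: 82586309) Agent.FL (Trojan) blocked.",
    "11/27/2023 07:58:09 - 809 - Security Services - Alert - 23.60.159.57, 80, X4 - 192.168.0.167, 57770, X0 - Gateway Anti-Virus Alert: (Cloud Id: 82586309) Agent.FL (Trojan) blocked.",
    "11/27/2023 08:01:44 - 809 - Security Services - Alert - 23.60.159.57, 80, X4 - 192.168.0.201, 50112, X0 - Gateway Anti-Virus Alert: (Cloud Id: 82586309) Agent.FL (Trojan) blocked.",
]
```

Running `summarize(SAMPLE_LOG)` shows two hits on 192.168.0.167 and one on 192.168.0.201, all on Cloud Id 82586309 from the single server 23.60.159.57, which is the pattern to check against the hosts' update logs before filing a false-positive report.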

  • pjb, Newbie ✭

    Hello Tony. This started on Sunday night around 6:30 PM EST. The alert messages came from two PCs on my local network. I remotely shut off both PCs at 9:00 PM EST. The next morning I went about analyzing the systems to see if I could discover anything out of the ordinary. When the 192.168.0.167 PC was turned on, it immediately started generating these Agent.FL (Trojan) alert messages again. The second PC did not generate any alert messages after booting up. After about an hour or so the 192.168.0.167 PC stopped generating these messages. There was no user activity occurring on either PC on Sunday night, nor was there any user activity occurring yesterday during the time I was analyzing the systems.

  • BWC, Cybersecurity Overlord ✭✭✭

    The IP 23.60.159.57 is located at Akamai, and this CDN is often used by Microsoft, so my best guess is that it's triggered by a Windows Update and is probably a false positive, as @PJB suspected.

    Maybe you can update this endpoint manually to figure out which update package triggers the event.

    --Michael@BWC

  • pjb, Newbie ✭

    Thank you BWC. I did trace that IP back to Akamai but did not know that Microsoft used that data center. I'll try to check the logs on that PC to see if it has any indication of an update.

  • TonyA, SonicWall Employee

    Good catch @BWC!

    @pjb, if you continue to receive these log entries and Windows Update is being blocked, please create a web ticket or give a call to our support team so they can get in touch with our GAV signature team to look into this false positive.

  • preston, Enthusiast ✭✭

    Hi @pjb, make sure you enable Log Virus URI in the diag page. This will then show in the logs the location where it came from, the filename, and also the cloud signature. You can then rule out whether it is a false positive and add the Cloud ID signature to the Cloud AV exceptions.

    With any luck SonicWall may eventually enable this by default, as I've been asking for years. It would have helped you out straight away in troubleshooting the issue, as you would have seen it was a Windows update in the log.

  • pjb, Newbie ✭

    Thank you for the information Preston and TonyA. The logs did show an update at the time, and these notifications did stop. I'm pretty comfortable with the assessment that this was a false positive.
