Likely false positives for Sality.AT.gen (Trojan) blocked.

I have only 2 machines on the LAN affected (that I know of so far). SonicWall logs report files blocked, including daytime but also some after hours. Kaspersky found nothing. I'm running full Defender to see if there could be something running that's calling this alleged trojan.

My best guess is a Windows Update is being blocked. I don't know why only two workstations show up, because presumably all would be getting the same updates (not using WSUS here). I'm a pretty noob generalist, learning on the fly.

Sources of this alleged Trojan include:

AS20940 - Akamai International B.V. (sometimes other Akamai ASNs), 23.200.156.135

AS15133 - Edgecast Inc., 72.21.81.240

AS54113 - Fastly, Inc., 146.75.42.172, and similar ASNs. I didn't know that Fastly was hosting Microsoft Updates, but it seems to be the same file and timing.

AS62866 - OHIO IX, which has the hostname microsoft-cache01.ohioix.net and seems to be doing the same. 134.195.207.8

I listed a few IPs above that were logged as source, but other IPs on the same ASNs are also logged.

The latest alert in my logs is this, if the precise time helps:

16:57:26 Jun 27 809 Security Services Alert Gateway Anti-Virus Alert: Sality.AT.gen (Trojan) blocked. 23.200.156.135, 80, X1 10.10.19.9, 63806, X0

WHAT SHOULD I DO? Sality.AT.gen is very serious malware, but I am guessing that these 4 companies are not hosting or pushing this malware. On the other hand, my machines are likely missing important Windows Updates.

Category: Firewall Security Services
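The log lines quoted in the post carry everything needed for a first triage pass: which signature fired, which side of the connection held the matched bytes (source port 80 with a high client port means the firewall matched the HTTP response, i.e. a download, not something the workstation sent), and how many distinct external sources are involved. The script below is an added example, not SonicWall code and not from the poster; it parses GWAV alert lines in both formats seen in the thread ("X1 10.10.19.9" and "X1 to 10.10.19.9"), groups them by signature and internal host, labels sources with the ASNs the thread attributes to them, and classifies each group. The sample log is constructed: it reuses the thread's lines and adds a Fastly line, an unrecognised-source line (198.51.100.7, a documentation address) and an outbound line, with invented timestamps, so every branch is exercised. The ASN labels are the poster's attributions, not live WHOIS data.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed sample: the thread's own alert lines plus three invented ones
# (Fastly download, unrecognised source, outbound from a LAN host) and one
# unrelated event that the parser must skip. Timestamps on the added lines
# are assumptions.
SAMPLE_LOG = """\
16:57:26 Jun 27 809 Security Services Alert Gateway Anti-Virus Alert: Sality.AT.gen (Trojan) blocked. 23.200.156.135, 80, X1 10.10.19.9, 63806, X0
15:25:10 Jun 27 809 Security Services Alert Gateway Anti-Virus Alert: Sality.AT.gen (Trojan) blocked. 208.111.186.128, 80, X1 to 10.10.19.9, 63223, X0
15:25:09 Jun 27 809 Security Services Alert Gateway Anti-Virus Alert: Sality.AT.gen (Trojan) blocked. 208.111.186.0, 80, X1 to 10.10.19.9, 63222, X0
14:02:41 Jun 27 809 Security Services Alert Gateway Anti-Virus Alert: Sality.AT.gen (Trojan) blocked. 146.75.42.172, 80, X1 to 10.10.19.9, 62950, X0
21:44:55 Jun 27 809 Security Services Alert Gateway Anti-Virus Alert: Sality.AT.gen (Trojan) blocked. 198.51.100.7, 80, X1 to 10.10.19.12, 50110, X0
21:50:02 Jun 27 809 Security Services Alert Gateway Anti-Virus Alert: Sality.AT.gen (Trojan) blocked. 10.10.19.12, 50111, X0 to 198.51.100.7, 80, X1
16:57:27 Jun 27 123 Some unrelated log event that should be ignored
"""

# Accepts both "<if> <ip>" and "<if> to <ip>" between the endpoint tuples.
ALERT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<msgid>\d+) "
    r"Security Services Alert Gateway Anti-Virus Alert: (?P<sig>.+?) blocked\. "
    r"(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\w+) (?:to )?"
    r"(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_if>\w+)$"
)

# Source addresses and ASN attributions taken from the thread. Anything not
# listed is reported as "unknown" so it stands out for a manual lookup.
KNOWN_CDN_SOURCES = {
    "23.200.156.135": "AS20940 Akamai International B.V.",
    "72.21.81.240": "AS15133 Edgecast Inc.",
    "146.75.42.172": "AS54113 Fastly, Inc.",
    "134.195.207.8": "AS62866 OHIO IX (microsoft-cache01.ohioix.net)",
    "208.111.186.128": "AS22822 Limelight Networks, Inc.",
    "208.111.186.0": "AS22822 Limelight Networks, Inc.",
}

WEB_PORTS = {80, 443}


def parse_alerts(text):
    """Turn GWAV alert lines into dicts; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # The log carries no year; strptime defaults to 1900, which is fine
        # for ordering events inside one capture.
        d["ts"] = datetime.strptime(f"{d['mon']} {d['day']} {d['time']}", "%b %d %H:%M:%S")
        d["src_port"] = int(d["src_port"])
        d["dst_port"] = int(d["dst_port"])
        alerts.append(d)
    return alerts


def triage(alerts):
    """Group alerts by (signature, internal host) and classify each group."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["sig"], a["dst_ip"])].append(a)

    report = {}
    for key, items in groups.items():
        sources = {a["src_ip"] for a in items}
        asns = {KNOWN_CDN_SOURCES.get(ip, "unknown") for ip in sources}
        # Source port 80/443 with an ephemeral destination port: the matched
        # bytes were in the HTTP response, so the LAN host was downloading.
        # The reverse (LAN host on a high port, remote on 80) means the LAN
        # host sent the flagged content, which is a very different finding.
        inbound_download = all(a["src_port"] in WEB_PORTS and a["dst_port"] > 1023 for a in items)
        if not inbound_download:
            verdict = "outbound_from_lan_host"
        elif "unknown" in asns:
            verdict = "download_from_unrecognised_source"
        else:
            verdict = "cdn_download_fp_candidate"
        report[key] = {
            "count": len(items),
            "first_seen": min(a["ts"] for a in items).strftime("%b %d %H:%M:%S"),
            "last_seen": max(a["ts"] for a in items).strftime("%b %d %H:%M:%S"),
            "sources": sorted(sources, key=ip_address),
            "asns": sorted(asns),
            "inbound_download": inbound_download,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for (sig, host), g in triage(parse_alerts(SAMPLE_LOG)).items():
        print(f"{sig} -> {host}: {g['count']} hits, {g['first_seen']}..{g['last_seen']}")
        print(f"  sources: {', '.join(g['sources'])}")
        print(f"  asns:    {'; '.join(g['asns'])}")
        print(f"  verdict: {g['verdict']}")
```

A "cdn_download_fp_candidate" verdict is a starting point, not a conclusion: the same signature firing on the same internal host from several CDN ASNs within minutes is consistent with one object being fetched repeatedly from different edges, so the next step is to find that download on the workstation (Windows Update history, updater logs) and hash the file rather than to whitelist the CDN ranges. The "outbound_from_lan_host" branch is the one that should never be dismissed as a false positive on the firewall side.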

Best Answer

    Gary_Goodman60 Newbie ✭
    edited June 28 Answer ✓

    This comment is actually #3 under my initial post - comment #0 - if you wish to read my progression through comment #1 and comment #2 before this last comment. Hopefully this is the last comment on this issue.

    _________

    I installed Security Update for Microsoft OLE DB Driver for SQL Server (KB5037572) on the user workstation. I think GWAV alerts may have (or not) continued a bit for that IP address.

    I also installed Dell BIOS update and TPM update and Intel Graphics manual download.

    The last GWAV alert I received from that workstation was 06/27/2024 21:44:55. It is now 06/28/2024 03:49:14 so I think the problem is resolved.

    This means that the Sality.AT.gen (Trojan) blocked by GWAV was — most likely, unless this recurs later — SU for MS OLE DB Driver for SQL Server (KB5037572).

Answers

    Gary_Goodman60 Newbie ✭

    I found one other ASN that I don't recognize as being a Windows Update host

    15:25:10 Jun 27 809 Security Services Alert Gateway Anti-Virus Alert: Sality.AT.gen (Trojan) blocked. 208.111.186.128, 80, X1 to 10.10.19.9, 63223, X0

    also 208.111.186.0, 80, X1 to 10.10.19.9, 63222, X0

    That is AS22822 - Limelight Networks, Inc.

    https-208-111-186-128.mdw.llnw.net

    Feedback welcomed.

    Gary_Goodman60 Newbie ✭

    Looking at Event Viewer, one possible source of the GWAV Alert was

    Faulting application name: ECDBWM.exe, version: 2.0.173.0, time stamp: 0x60f5f6ac
    Faulting module name: RPCRT4.dll, version: 10.0.22621.3672, time stamp: 0x1caf5f33

    the above happening frequently throughout the day.

    Dell Optimizer and ExpressConnect (ECDBWM.exe) (by Rivet Networks) — I removed both upon finding such advice on Reddit support forums, as I suspected I would. A few months ago, Dell SupportAssist was causing workstations to intermittently peg at 98% CPU, with many strange effects for random workstation users.

    I will check if those GWAV Alerts stop.

    A second issue, possible cause: I noticed in Windows Update, Security Update for Microsoft OLE DB Driver for SQL Server (KB5037572) failed once and sits at 0% when I activated it. I downloaded the MSI directly and will try to install later.
