BHO.CJQF (Trojan) Alerts
TZ270 SonicOS 7.1.2-7019
I am suddenly getting a rash of these:
The destination is our DC server LAN address. The message is always the same. The port number always starts with 55 and the last 3 digits seem to randomly change.
I'm not really sure what to do with this, as it is getting blocked.
What I don't like is the fact it has the IP address of the internal server. Typically the target is our outside (external) address.
The source IPs do change.
Advice?
Category: Entry Level Firewalls
Answers
Hey there,
We are seeing hundreds of these false positives over the last two days. Started late night on Feb 3rd, 2025, Pacific Time Zone.
We have tied them to this Windows Update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.421.1696.0) - Current Channel (Broad)
It's happening at all of our 5 offices and is mostly a nuisance at this point.
This is pretty common for the SonicWall to identify a Windows update as a Trojan or other malicious payload. I wish I knew a good place to report them to so SonicWall could push out an update.
The source IPs are resolving to common CDNs and the destination IPs are our Windows workstations and servers.
Right, thank you. I still don't like the reference to our Domain Controller internal IP though. How do they even get that?
Your computer likely initiated the communication by reaching out for an update. If you look in the Settings under Windows Update, do you see the update listed there? Is it showing Downloading - 0% ?
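As an added illustration of the point above (this is example code, not from the thread or from SonicWall): a small triage script that groups alerts of this kind per signature and destination and checks whether the internal "destination" port falls in the Windows dynamic port range, which is what you would expect when the workstation itself opened the connection and the IPS fired on the reply stream. The alert line format and all IP addresses are constructed assumptions; adapt the regex to your own syslog export.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Windows clients pick their client-side port from this dynamic range by default.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 49152, 65535
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alert lines (hypothetical addresses); the field layout is an
# assumption, not SonicOS's actual syslog format. Adapt LINE_RE to your export.
SAMPLE_LOG = """\
ips alert: BHO.CJQF (Trojan) src=203.0.113.10:443 dst=192.168.10.5:55412 action=drop
ips alert: BHO.CJQF (Trojan) src=198.51.100.77:443 dst=192.168.10.5:55903 action=drop
ips alert: BHO.CJQF (Trojan) src=203.0.113.44:443 dst=192.168.10.5:55117 action=drop
ips alert: BHO.CJQF (Trojan) src=198.51.100.9:443 dst=192.168.10.5:55648 action=drop
"""

LINE_RE = re.compile(r"ips alert: (?P<sig>.+?) src=(?P<src>[\d.]+):(?P<sport>\d+) "
                     r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def is_internal(ip):
    """True when the address sits in RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(log_text):
    """Group alerts per (signature, destination) and judge whether they look like
    the reply half of a session the internal host opened itself."""
    groups = defaultdict(lambda: {"sources": Counter(), "ports": [], "server_ports": Counter()})
    for m in LINE_RE.finditer(log_text):
        g = groups[(m["sig"], m["dst"])]
        g["sources"][m["src"]] += 1
        g["ports"].append(int(m["dport"]))
        g["server_ports"][int(m["sport"])] += 1
    report = {}
    for (sig, dst), g in groups.items():
        ephemeral = all(EPHEMERAL_LOW <= p <= EPHEMERAL_HIGH for p in g["ports"])
        report[(sig, dst)] = {
            "alerts": len(g["ports"]),
            "distinct_sources": len(g["sources"]),
            "server_ports": sorted(g["server_ports"]),
            # Internal destination, ephemeral local port and a well-known remote port:
            # the internal host initiated; the IPS fired on the inbound reply stream.
            "client_initiated": is_internal(dst) and ephemeral
                                and all(p < 1024 for p in g["server_ports"]),
        }
    return report
```

A group flagged `client_initiated` with many distinct sources on port 443 is the profile of a download (such as a Windows Update fetch from a CDN) rather than an inbound attack on the host, so the next step is correlating the alert times with that host's update history rather than hunting for an exposure of the internal IP.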
@James_H Interesting, yes I do:
Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.421.1696.0) - Current Channel (Broad)
Status: Download error - 0x80d02002
So does this mean I should not use that update? Hide it?
I am getting hundreds of these each day beginning yesterday, all pointing to the same internal IP address (a user PC W11).
Will the Windows update, once applied, make this nuisance go away?
In my experience, this lasts a couple of days and then SonicWall will send out an update for their definitions. After this, the update will succeed and you won't see the errors any more. I would say, don't use the update until SonicWall clears it. Just in case.
You could force it through yourself, but I wouldn't risk it.