
Another Round of False Positives

Hi all,

We are seeing MS Update for Windows Defender Antivirus - KB2267602 marked as a Trojan…. AGAIN… this time marked as Gateway Anti-Virus Alert: (Cloud Id: 57664294) AvKill.HBB (Trojan).

Couple of Source IPs:

217.20.54.37 - Qwilt Inc

199.232.210.172 - Fastly

Both of these are CDNs used by MS.

This isn't the first time we have seen this KB marked as a threat. Any chance anyone else out there is having the same issue?

It's a problem because we update servers in the evening, and the update never downloads, so our techs are waiting for it when they should be getting some much needed sleep.

Category: Entry Level Firewalls

Answers

  • Ajishlal Community Legend ✭✭✭✭✭

    @James_H

    which Firewall model are you using?

    I am also facing this same issue, but it's happening on a Gen 5 model.

  • James_H Newbie ✭

    Hi Ajishlal,

    We see it on TZ470 and TZ370 models. We opened a case with SonicWall and they recognized the issue as a false positive and were going to update the definitions to include this update. It's highly likely that future releases of this MS update will keep causing the alert. I think all we can do is continue to let SonicWall know when it's happening and they can vet out the "updated" update and add it to the white lists as they see fit. The only real solution here would be Microsoft communicating with other businesses when they are releasing updates so everyone else in the world has time to react. Unfortunately, that will probably never happen. No money in it for them. :(

  • James_H Newbie ✭

    Here's our solution to the tech's issue of having to wait until the updates fail.

    1. Set up a shared mailbox in Exchange for all our techs.
    2. Set the firewalls to email alerts to this shared mailbox.
    3. Now when the techs run updates, if the update triggers an alert, at least they know it's happening and can skip the updates on those servers for the night.

    Not ideal, but solves the bigger problem for us.
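The workaround above forwards every Gateway Anti-Virus alert to a shared mailbox and leaves the techs to recognise the recurring false positive by eye. The script below is an added example (not code from the thread or from SonicWall) that does that triage step automatically: it parses alert lines, marks an alert as a vendor-confirmed false positive only when both the detection (Cloud Id plus signature name) and the source address match the entry the thread reports, and sends everything else to a "needs review" list for the digest mail. The `src=`/`dst=` field layout of the sample lines is an assumption made for this example, not SonicWall's documented log format; the sample alert lines are constructed.

```python
import re

# Constructed sample alert lines, modelled loosely on the message quoted in the thread.
# The key=value layout after the signature is an assumption for this example,
# not SonicWall's documented syslog format. Two lines use the CDN addresses the
# thread reports; one uses the same signature from an unrelated source; one is a
# different detection; the last is not a GAV alert at all.
SAMPLE_ALERTS = [
    "Gateway Anti-Virus Alert: (Cloud Id: 57664294) AvKill.HBB (Trojan) src=217.20.54.37 dst=10.10.5.21",
    "Gateway Anti-Virus Alert: (Cloud Id: 57664294) AvKill.HBB (Trojan) src=199.232.210.172 dst=10.10.5.22",
    "Gateway Anti-Virus Alert: (Cloud Id: 57664294) AvKill.HBB (Trojan) src=203.0.113.77 dst=10.10.5.23",
    "Gateway Anti-Virus Alert: (Cloud Id: 12345678) Example.Generic (Trojan) src=198.51.100.9 dst=10.10.5.21",
    "Interface up: X1",
]

# Matches the constructed format above; the signature name is captured lazily up to " src=".
ALERT_RE = re.compile(
    r"Gateway Anti-Virus Alert: \(Cloud Id: (?P<cloud_id>\d+)\) (?P<signature>.+?) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
)

# Detections the vendor has confirmed as false positives, keyed by (Cloud Id, signature),
# each with the source addresses that were seen delivering the legitimate update.
# The single entry here is the one reported in the thread.
KNOWN_FALSE_POSITIVES = {
    ("57664294", "AvKill.HBB (Trojan)"): {"217.20.54.37", "199.232.210.172"},
}


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a GAV alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def triage(lines, known_fp=KNOWN_FALSE_POSITIVES):
    """Split GAV alerts into vendor-confirmed false positives and alerts needing review.

    An alert is treated as a known false positive only when BOTH the detection
    (Cloud Id + signature) and the source address match a confirmed entry. The same
    signature arriving from an unknown source is deliberately kept in the review list,
    so a whitelisted detection name alone never silences an alert.
    """
    result = {"known_false_positive": [], "needs_review": []}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        key = (alert["cloud_id"], alert["signature"])
        if key in known_fp and alert["src"] in known_fp[key]:
            result["known_false_positive"].append(alert)
        else:
            result["needs_review"].append(alert)
    return result


def compose_digest(triaged):
    """Build the plain-text body a tech would read in the shared mailbox."""
    lines = []
    blocked_hosts = sorted({a["dst"] for a in triaged["known_false_positive"]})
    if blocked_hosts:
        lines.append("Known false positive (update download blocked) on: " + ", ".join(blocked_hosts))
        lines.append("Action: skip patching these hosts tonight; re-report to the vendor if it persists.")
    for a in triaged["needs_review"]:
        lines.append(
            f"REVIEW: {a['signature']} cloud_id={a['cloud_id']} src={a['src']} dst={a['dst']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(compose_digest(triage(SAMPLE_ALERTS)))
```

Feeding the firewall's forwarded alert mail or syslog through `triage()` instead of the raw alerts means the shared mailbox receives one digest naming the hosts whose update was blocked, while the alert with the same signature from an address outside the confirmed CDN set still surfaces for a human to look at.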
