Answers
Hi Chojin, make sure the option below is enabled on the diag page; it will then show for future threats detected.
Hi @preston,
thanks, I will enable this on all SonicWalls and check the GMS afterwards, when there are new threat entries.
I have the exact same question: Gateway Anti-Virus Alert: Multi-compressed ZIP/GZIP file blocked — SonicWall Community
I switched on "Log virus URI" but alas, without result. Surely there must be a way to figure out which files someone tried to download?
Simon
I'll check this.
What I can say is that the URI option did not solve my issue with the local SMB transfer block. I still don't know which file was blocked.
@Chojin, see the other post here:
https://community.sonicwall.com/technology-and-support/discussion/3583/gateway-anti-virus-alert-multi-compressed-zip-gzip-file-blocked#latest
Hi @Chojin
You are using SMB file sharing on your internal systems. SonicWall blocks virus ID 23803857 in the cloud DB. Please search for the keyword 23803857 in the logs.
Hi, thanks for the updates, I will check.
The "Log virus URI" option somehow seems to show something sometimes, but I haven't found out what the trigger is.
@preston: I checked the setting in App Control. It's activated and the count is zero (0).
My bad, I must have been blind:
I'll enable "Enable Filename Logging" now.
Do you know if this will increase CPU usage?
OK, now I have the first GAV event:
Can you tell me where this screenshot is from,
since I don't see this.
Hi @Chojin
Please go to Security Services / Gateway AV. On the HTTP protocol a pen icon will show; click edit. In the window that appears, deselect multi-compressed ZIP file.
Best regards.
Hi @Chojin, the image is from the Event Logs page. Regarding the CPU, this will increase a bit I presume, as with any extra feature enabled, but you can check to see how much. You can also change the log redundancy, and make sure the log events screen refresh is set to something like every 2 mins, not the last 24 hours, as this will put load on the appliance.
@MitatOnge: Hi, thanks for the advice, but that won't help to view which file was blocked. That would just not block/restrict compressed files.
@preston thanks, I will have a look at the CPU consumption. I'll have a look at the log redundancy; currently it is at 60 sec (Global Log Redundancy Filter Interval). Regarding the image, we usually use the GMS for checking GAV and so on. So I may have to check where I can find the filename there.
First success in the GMS syslogs -> Gateway Antivirus view:
But not for this entry:
That's an SMB (port 445) event:
And this is the entry in the Analyzer -> Log Analyzer:
@Chojin , what version of GMS are you using? I'll have to take a look here
@preston : Version 9.3
@Chojin
This is not a multi-zip problem. This is Cloud AV blocking your update file. You should exclude it from Cloud AV on the firewall under "Security Services/Gateway Antivirus/Cloud AV DB Exclusions Settings".
The AMCOREDAT2000 file is a McAfee update file.
I think you should create an update server for McAfee and add only this update server to the GAV exclude list.
Hi Mitatonge, thanks for the advice... it's fine since this is an isolated internet-only network, also for guests.
The original issue is that I don't know which file was blocked here:
SMB traffic
Hi @Chojin
1) Src interface is X0; is it the isolated guest network?
2) Traffic is going from X0 to X6. "Filecoder_DN10" is a ransomware virus. Please check the source system with SentinelOne, Kaspersky and ESET.
3) I think some viruses want to access other PCs.
@MitatOnge: Thanks for your advice. It would help a lot to know which file (it's SMB/file transfer traffic) was blocked here. And the question is how I may be able to see this in the GMS. I suggest it's a false positive, so blocking this file would lower the users' "user experience" or even stop something from working.
Don't get me wrong, it's fine that the SonicWall detects something and blocks it. But if I get to know the file (or files) I could investigate and possibly upload the file to SonicWall to whitelist it.
Found out Capture ATP is the first service to intercept files. And this service does log the filename. If the file is subsequently blocked by GAV due to being a multi-compressed ZIP file, I can look down the log a couple of entries to get the filename and the address it came from:
Still a bit cumbersome; there should be an easier way?
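One way to automate the correlation described in the post above (matching a GAV block to the preceding Capture ATP entry for the same connection, which is where the filename was logged) over exported syslog. This is an added example, not part of the original thread or any SonicWall tool; the log lines are constructed, and the key=value field names (time, msg, fname, src, dst) and the Capture ATP message text are assumptions about the syslog format, so adjust them to what your appliance actually emits.

```python
import re
from datetime import datetime, timedelta

# Constructed SonicWall-style key=value syslog lines for illustration only; the field
# names, message texts and all addresses are assumptions, not captured appliance output.
SAMPLE_LOG = """\
time="2023-05-10 10:15:01" msg="Capture ATP: file submitted" fname="AMCOREDAT2000.zip" src=192.168.10.25:49213:X0 dst=192.168.20.5:445:X6 proto=tcp/445
time="2023-05-10 10:15:02" msg="Connection Opened" src=192.168.10.40:50011:X0 dst=10.0.0.8:443:X1 proto=tcp/https
time="2023-05-10 10:15:03" msg="Gateway Anti-Virus Alert: Multi-compressed ZIP/GZIP file blocked" src=192.168.10.25:49213:X0 dst=192.168.20.5:445:X6 proto=tcp/445
time="2023-05-10 10:20:00" msg="Gateway Anti-Virus Alert: Multi-compressed ZIP/GZIP file blocked" src=192.168.10.77:51000:X0 dst=192.168.20.9:445:X6 proto=tcp/445
"""

# key=value pairs; quoted values may contain spaces, unquoted ones end at whitespace
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value syslog line into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def correlate(log_text, window=timedelta(seconds=30)):
    """Attribute each GAV block to the latest Capture ATP filename seen for the same
    src/dst pair within `window`; fname is None when no such entry exists."""
    last_catp = {}   # (src, dst) -> (timestamp, filename)
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if "time" not in f:
            continue
        ts = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S")
        key = (f.get("src"), f.get("dst"))
        msg = f.get("msg", "")
        if msg.startswith("Capture ATP") and "fname" in f:
            last_catp[key] = (ts, f["fname"])
        elif msg.startswith("Gateway Anti-Virus Alert"):
            fname = None
            if key in last_catp and ts - last_catp[key][0] <= window:
                fname = last_catp[key][1]
            findings.append({"time": f["time"], "src": key[0], "dst": key[1],
                             "alert": msg, "fname": fname})
    return findings


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        print(hit["time"], hit["src"], "->", hit["dst"], hit["fname"] or "(no filename logged)")
```

A block with no matching Capture ATP entry (the second alert in the sample) is reported with fname None, which is exactly the case the thread is about: the file was never logged by name, so only enabling filename logging on the GAV side fills that gap.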
@Simon_Weel, if you temporarily disable CATP you will see it is still shown in the logs when the GAV detects it.
You did look into the "local" log of the SonicWall, not the GMS log, right?
We usually don't work with the local log, since it means checking every SonicWall by itself; that's why we bought the GMS. But maybe there is a chance to forward this via logging and syslog? But where to find it afterwards on the GMS, and would this lead to too much "information flow" to the GMS?