Anti-Virus Alert: (Cloud Id: 29060692) Starter.Y (Trojan) blocked. Another False Positive?
Getting tons of these alerts across multiple Sonicwalls. Anyone else seeing these? Started after 5pm EST. I have no idea yet but assume they are false positives again.
Best Answers
geeksuneek Newbie ✭
Seems related to latest Windows Patch Tuesday Updates CDN being falsely flagged as a trojan
Ajishlal Community Legend ✭✭✭✭✭
Yes, this is a false positive: these are Windows-related updates, the initiator port is 80, and most of the connections are from Akamai Technologies (CDN).
Micah SonicWall Employee
TL;DR:
This has been resolved (cloud signature removed). Those still affected need to disable GAV Cloud ID 29060692, as the change may take effect over a 24-hour period due to caching.
---------------------------------------------------
All,
I apologize for this inconvenience and I thank you for helping each other out. SonicWall has an official article regarding this event here: https://www.sonicwall.com/support/knowledge-base/gav-blocking-the-latest-microsoft-windows-security-updates-anti-virus-alert-cloud-id-29060692-starter-y-trojan-blocked/220309100253960/
Kind Regards,
@micah - SonicWall's Self-Service Sr. Manager
Answers
Microsoft released 71 new patches addressing CVEs in Microsoft Windows and Windows Components, Azure Site Recovery, Microsoft Defender for Endpoint and IoT, Intune, Edge (Chromium-based), Windows HTML Platforms, Office and Office Components, Skype for Chrome, .NET and Visual Studio, Windows RDP, SMB Server, and Xbox. This is in addition to the 21 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the March total to 92 CVEs.
The number of bugs in each vulnerability category is listed below:
This month's Patch Tuesday includes fixes for three publicly disclosed zero-day vulnerabilities; none of these vulnerabilities were actively exploited in attacks.
The publicly disclosed vulnerabilities fixed as part of the March 2022 Patch Tuesday are:
CVE-2022-24512 - .NET and Visual Studio Remote Code Execution Vulnerability
Thank you for confirming this. How do I shut off the email alerts? I've gotten 300 so far and they keep pouring in.
When I search under "Gateway Anti-Virus Signatures" for Starter.Y or its ID# (29060692), I get no results.
I only want to stop alerts for this false positive, not all alerts.
@Ingoldsby you have to disable Cloud Id 29060692 in the Cloud AV DB Exclusion settings on the Gateway Anti-Virus page.
--Michael@BWC
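Before adding a Cloud AV DB exclusion it is worth confirming that the alert storm really is a single Cloud Id. The script below is an added example (not from this thread or from SonicWall): it parses alert text in the format quoted at the top of the thread, tallies alerts per Cloud Id, and separates IDs already confirmed as false positives from anything else that still needs a look. The sample lines, the Cloud Id 11111111 and the signature name "Example.A" are constructed placeholders.

```python
import re
from collections import Counter

# Format of the alert subject quoted in this thread:
# "Anti-Virus Alert: (Cloud Id: 29060692) Starter.Y (Trojan) blocked."
ALERT_RE = re.compile(
    r"Anti-Virus Alert: \(Cloud Id: (?P<cloud_id>\d+)\) "
    r"(?P<signature>\S+) \((?P<kind>[^)]+)\) blocked"
)

# Cloud IDs confirmed as false positives; 29060692 is the one from this thread.
KNOWN_FALSE_POSITIVES = {"29060692": "Starter.Y flagged on Windows Update CDN traffic"}


def parse_alert(line):
    """Return (cloud_id, signature, kind), or None if the line is not a GAV cloud alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return m.group("cloud_id"), m.group("signature"), m.group("kind")


def triage(lines):
    """Count alerts per Cloud Id and split them into IDs already known to be
    false positives (candidates for the Cloud AV DB exclusion list) and IDs
    that still need a human look before anything is excluded."""
    counts = Counter()
    labels = {}
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue  # unrelated mail or log noise
        cloud_id, signature, kind = parsed
        counts[cloud_id] += 1
        labels[cloud_id] = f"{signature} ({kind})"
    exclude = {cid: labels[cid] for cid in counts if cid in KNOWN_FALSE_POSITIVES}
    review = {cid: labels[cid] for cid in counts if cid not in KNOWN_FALSE_POSITIVES}
    return dict(counts), exclude, review


# Constructed sample: the alert text from this thread repeated, plus a made-up
# Cloud Id (11111111) and signature name standing in for an unrelated detection.
SAMPLE_ALERTS = [
    "Anti-Virus Alert: (Cloud Id: 29060692) Starter.Y (Trojan) blocked.",
    "Anti-Virus Alert: (Cloud Id: 29060692) Starter.Y (Trojan) blocked.",
    "Anti-Virus Alert: (Cloud Id: 29060692) Starter.Y (Trojan) blocked.",
    "Anti-Virus Alert: (Cloud Id: 11111111) Example.A (Trojan) blocked.",
    "Reminder: firmware maintenance window on Saturday",
]
```

Run `triage(SAMPLE_ALERTS)` over the subject lines of the received alert mails; only the IDs returned in `exclude` should go into the Cloud AV DB Exclusion list, and anything in `review` gets checked first.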
I'm not finding this ID to disable. Perhaps I am looking in the wrong place. I'm in the NSM at Policy/Security Services/Gateway Anti-Virus/Signatures Tab
I searched by the ID (29060692) and by the term "Starter.Y"
Should I be looking elsewhere?
@SSI I'm not using NSM, but inside LiveDemo I would guess it's there:
--Michael@BWC
Since this is preventing the update from downloading, what should we do about it? Will following the directions above to stop notifications also allow us to download? Update Tuesdays are nothing but headaches now...
@jcurt7492 disabling the Cloud Id will make the download go through.
--Michael@BWC
You have to manually "Add" the exclusion by typing in the number.
Russ
I am not seeing quite the same screen as you are displaying above:
I am searching on the Signatures tab like so:
@SSI Make sure you click on the "Cloud Anti-Virus" link, it's on that screen
Nevermind. I found it. Your image is correct. I missed the Cloud Anti-Virus subtab.
Thanks for this. I just started getting alerts as well until I added the exclusion.
Dittos on the thanks everybody!