Gateway Anti-Virus Alert (Cloud Id: 13263444)
Advise
Guys, this morning this alert appeared in my report "Gateway Anti-Virus Alert: (Cloud Id: 13263444) Kryptik.AYPY (Trojan) blocked". It's pointing to two new machines that we put on the net yesterday. I didn't find information about what this "Kryptik.AYPY" might be. Can you help me understand what this is?
Category: Firewall Security Services
Answers
In relation to security, I removed the two machines from the network. But I don't understand what this "Kryptik.AYPY" is.
I would like to know as well.
We have the exact same GAV alert from multiple sources and destinations. We've checked with third-party scanners with no result, and one of the affected machines is a brand new Lenovo T14s. It seems to come and go.
The log entry is extremely unhelpful; the best you get is a source and destination. The source IPs tend to be owned by Akamai or other CDNs. So far I've got:
8.246.0.126
8.246.65.254
8.252.191.254
8.252.42.126
23.38.166.131
23.38.166.186
23.38.166.200
23.38.166.201
23.38.166.202
23.38.166.203
23.46.172.8
23.46.172.16
23.203.248.43
23.203.248.25
60.254.148.25
60.254.148.138
60.254.148.208
111.119.8.1
117.121.252.192
And a bunch more.
I'm guessing false positive, but I don't know how to confirm.
Based on your answer, I believe it to be a false positive, yes. Because we know that Akamai is a company used by big developers to distribute their update packages to customers. If in your analysis you were able to identify Akamai servers, it is very likely that it is something that has happened before and that we should just ignore. The problem is that the way SonicWall reports this traffic is confusing and makes me believe it's a bad thing.
If it is really a false positive, we can adopt the solution of this other forum that dealt with something very similar before.
https://community.sonicwall.com/technology-and-support/discussion/3825/anti-virus-alert-cloud-id-29060692-starter-y-trojan-blocked-another-false-positive
We also saw these same alerts for numerous machines on our LAN on a couple of days last week.
All Windows 10 devices.
The IP ranges tie back to Akamai and Limelight Networks (CDN).
In each case the IP can be resolved back to genuine windows update servers.
We were initially concerned it may be related to this:
https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/
As this file is also identified as "Kryptik" by FortiGate.
However, we are now less concerned based on the CDNs and IPs used being genuine (MS endpoints).
Can somebody from SonicWall confirm if this is a false positive?
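The two posts above describe the same manual triage: collect the source IPs behind one Cloud Id, reverse-resolve them, and see whether every one lands on a CDN that fronts Windows Update. The script below is an added example of that check, not SonicWall's code or anything from this thread. The `src=`/`dst=`/`msg=` log layout, the reverse-DNS names in `CONSTRUCTED_RDNS` and the suffix list in `CDN_SUFFIXES` are all assumptions constructed for the example; pass no `resolver` to use real PTR lookups via `socket.gethostbyaddr`.

```python
"""Group gateway anti-virus (GAV) alerts by Cloud Id and flag the ones whose
sources all reverse-resolve to CDN names.

Added example, not SonicWall code.  The log line layout is an assumption;
adapt parse_alert() to the export format of your own appliance.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed log lines modelled on the alert text quoted in this thread.
SAMPLE_ALERTS = [
    'src=23.38.166.131:443 dst=192.0.2.10:52110 msg="Gateway Anti-Virus Alert: (Cloud Id: 13263444) Kryptik.AYPY (Trojan) blocked"',
    'src=8.246.0.126:443 dst=192.0.2.11:49820 msg="Gateway Anti-Virus Alert: (Cloud Id: 13263444) Kryptik.AYPY (Trojan) blocked"',
    'src=23.38.166.131:443 dst=192.0.2.12:50001 msg="Gateway Anti-Virus Alert: (Cloud Id: 13263444) Kryptik.AYPY (Trojan) blocked"',
    'src=203.0.113.5:80 dst=192.0.2.10:51000 msg="Gateway Anti-Virus Alert: (Cloud Id: 99999999) Example.Test (Trojan) blocked"',
    "junk line that does not parse",
]

# Constructed reverse-DNS answers so the example runs offline.  Only the naming
# pattern is realistic; these exact names were not taken from the thread.
CONSTRUCTED_RDNS = {
    "23.38.166.131": "a23-38-166-131.deploy.static.akamaitechnologies.com",
    "8.246.0.126": "constructed-host.llnwd.net",  # hypothetical Limelight-style name
}

# Reverse-DNS suffixes treated as CDN (assumption; extend for your environment).
CDN_SUFFIXES = ("akamaitechnologies.com", "llnwd.net", "llnw.net")

ALERT_RE = re.compile(
    r'src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):\d+ '
    r'msg="Gateway Anti-Virus Alert: \(Cloud Id: (?P<cloud_id>\d+)\) '
    r'(?P<signature>\S+) \((?P<kind>\w+)\) blocked"'
)


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the alert fields from one log line, or None if it is not a GAV alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def live_reverse_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None


def classify_host(hostname: Optional[str]) -> str:
    """Label a source by its reverse name: 'cdn', 'unresolved' or 'other'."""
    if hostname is None:
        return "unresolved"
    return "cdn" if hostname.lower().rstrip(".").endswith(CDN_SUFFIXES) else "other"


def triage(lines: List[str],
           resolver: Callable[[str], Optional[str]] = live_reverse_lookup) -> Dict[str, dict]:
    """Group alerts by Cloud Id; record sources, destinations and whether every
    source looks like a CDN node.  Each source is resolved only once."""
    report: Dict[str, dict] = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = report.setdefault(alert["cloud_id"], {
            "signature": alert["signature"], "sources": {}, "destinations": set(), "hits": 0})
        entry["hits"] += 1
        entry["destinations"].add(alert["dst"])
        src = alert["src"]
        if src not in entry["sources"]:
            host = resolver(src)
            entry["sources"][src] = {"rdns": host, "class": classify_host(host)}
    for entry in report.values():
        entry["all_sources_cdn"] = bool(entry["sources"]) and all(
            s["class"] == "cdn" for s in entry["sources"].values())
    return report


if __name__ == "__main__":
    # Offline demo with the constructed lookup table; drop the resolver argument for real PTR queries.
    for cloud_id, entry in triage(SAMPLE_ALERTS, resolver=CONSTRUCTED_RDNS.get).items():
        print(f"Cloud Id {cloud_id} {entry['signature']}: {entry['hits']} hits, "
              f"{len(entry['destinations'])} internal hosts, all sources CDN: {entry['all_sources_cdn']}")
        for ip, info in entry["sources"].items():
            print(f"  {ip:16} {info['class']:10} {info['rdns']}")
```

A Cloud Id whose every source is a CDN node and whose destinations are ordinary workstations is consistent with update traffic being flagged, but reverse DNS is supporting evidence only: CDNs host many customers, so the blocked URI or file hash is still needed before the signature is treated as a false positive.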
It would be great if someone from SonicWall could give us some information.
I know what caused this for me, but the only reason I saw it was because it corresponded to what I was working on. Scenario: we had a dead laptop and decided it was unrecoverable. We took out the NVMe drive and put it in an HP workstation with an NVMe PCI adapter. The moment we fired up the machine we started getting a steady stream of Cloud Id: 13263444 alerts. The workstation in question is a development/test machine and is typically off and is not used for any web activity. There were no identified issues, but we are confident the issue was caused by BitLocker. The NVMe drive was encrypted, and as soon as we entered the BitLocker key all of the alerts stopped. We also decrypted the drive as part of the process, and we never received another alert.
I hope that helps, we believe that was the cause of the issue. It seemed the alerts were spread out every few minutes, but we would get a barrage of alerts back to back.
In my case, we don't have BitLocker as a computer encryption solution. It was really strange what happened on this day when I opened this discussion. We didn't have more reports of this same item, but sometimes others with different names appear.
I strongly believe that it is something coming from Microsoft for distributing updates and our Firewall understands it as an attack.
@Advise, see here to find out more info about what the file is, IMO this should be enabled by default.
https://www.sonicwall.com/support/knowledge-base/how-to-get-the-uri-associated-to-the-viruses-being-blocked-by-sonicwall/220317131216557/
I have now enabled this option on my appliance.
Should the details come in the report?
Advise, if you mean the logs sent via email, then yes, it should be in there, and in the event log itself.