Getting a bunch of Gateway AV alerts in the last half hour - sig 22097568
solmssen
Gotten this from two machines in the last half hour, searching the SW sig database shows no results.
09/21/2022 22:24:21 - 809 - Security Services - Alert - 68.142.107.4, 80, X1 - 192.168.1.68, 56574, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.
Virus scans on the machines are clean, and the three sets of alerts are to CDNs:
68.142.107.4 is limelight.com
72.21.81.240 is edgecast.com
209.197.3.8 is stackpath.com
This feels like a false positive to me? Any other users seeing this? Any thoughts?
Category: Firewall Security Services
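Added example, not code from the thread: a small Python helper that parses alert lines in the format quoted above and groups them by Cloud Id, so you can see at a glance how many LAN hosts are affected and whether every remote host is one of the CDN edges listed above. The CDN mapping is taken from the post, and the two extra log lines are constructed in the same format.

```python
"""Parse SonicWall Gateway Anti-Virus alert lines and group them for triage."""
import ipaddress
import re
from collections import defaultdict

# Field layout of the Gateway AV alert line quoted in the post.
GAV_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (?P<msg_id>\d+) - "
    r"(?P<category>[^-]+?) - (?P<priority>[^-]+?) - "
    r"(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\w+) - "
    r"(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_if>\w+) - "
    r"Gateway Anti-Virus Alert: \(Cloud Id: (?P<cloud_id>\d+)\) "
    r"(?P<sig_name>\S+) \((?P<sig_type>[^)]+)\) (?P<action>\w+)\.$"
)

# CDN owners as named in the thread (assumption: copied from the post, not a live lookup).
KNOWN_CDN = {"68.142.107.4": "limelight.com", "72.21.81.240": "edgecast.com",
             "209.197.3.8": "stackpath.com"}

# Constructed sample log: the posted line plus two made-up lines in the same format.
SAMPLE_LOG = [
    "09/21/2022 22:24:21 - 809 - Security Services - Alert - 68.142.107.4, 80, X1 - "
    "192.168.1.68, 56574, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.",
    "09/21/2022 22:31:05 - 809 - Security Services - Alert - 72.21.81.240, 443, X1 - "
    "192.168.1.70, 51200, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.",
    "09/21/2022 22:40:17 - 809 - Security Services - Alert - 209.197.3.8, 80, X1 - "
    "192.168.1.68, 56602, X0 - Gateway Anti-Virus Alert: (Cloud Id: 22097568) Dropper.GEN (Trojan) blocked.",
]

def parse_gav_alert(line):
    """Return a dict of fields for one alert line, or None if it is not a GAV alert."""
    m = GAV_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["cloud_id"] = int(rec["cloud_id"])
    # The log lists the packet source first; for a download that is the remote server,
    # so pick the LAN side by address range rather than by position.
    src_is_lan = ipaddress.ip_address(rec["src_ip"]).is_private
    rec["lan_ip"] = rec["src_ip"] if src_is_lan else rec["dst_ip"]
    rec["remote_ip"] = rec["dst_ip"] if src_is_lan else rec["src_ip"]
    return rec

def summarize(lines, known_cdn=KNOWN_CDN):
    """Group alerts by Cloud Id: affected LAN hosts, remote hosts, and whether every
    remote host is a known CDN edge (one hint, not proof, that the hit may be a false positive)."""
    groups = defaultdict(lambda: {"sig_name": None, "lan_hosts": set(), "remote_hosts": set()})
    for line in lines:
        rec = parse_gav_alert(line)
        if rec is None:
            continue
        g = groups[rec["cloud_id"]]
        g["sig_name"] = rec["sig_name"]
        g["lan_hosts"].add(rec["lan_ip"])
        g["remote_hosts"].add(rec["remote_ip"])
    for g in groups.values():
        g["all_known_cdn"] = all(ip in known_cdn for ip in g["remote_hosts"])
    return dict(groups)
```

Once "Log Virus URI" is enabled, the same regex can be extended to capture the URI field so the flagged object can be submitted for a second opinion.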
Answers
@solmssen I checked a few instances and wasn't able to see these specific detections. Did you activate the logging of the URI to figure out what caused this? With this information you could download the file and provide it or the URL to VirusTotal for a 2nd opinion.
It might be a false positive and can be excluded for the time being after more research.
--Michael@BWC
Hi - this is a TZ350 running OS 6.5.4.11-97n. I'm not clear where to enable this feature, if it's available. I looked all through the Gateway AV settings. I did dual post on reddit, I was hoping for responses and to get this into google if others are searching. I appreciate your response very much.
@solmssen you have to activate this option in the Internal Settings of your Firewall.
Get into the internal settings (shown below) and activate "Log Virus URI" in the Security Services section. Please don't mess around with the other settings, they are not documented publicly and can cause a lot of trouble.
--Michael@BWC
Thanks - I found it and enabled it. We'll see for the next time!