Supposed infected hosts?
johnbor
Using a SonicWall TZ 370, when going to the main page, under Insights at the top right I see it showing 2 infected hosts in red. When I click on that I see the 2 IPs of the computers affected. Then clicking on that brings up the virus name. Now keep in mind I looked up the virus name and think it's a false alarm, BUT NOT sure, although I ran many antivirus programs on these computers, including Malwarebytes, and all come back clean. So my questions are:
What are these if not on the computers?
How do I reset the red counter back to 0 (zero) on the main page?
I have included pictures.
Category: Entry Level Firewalls
Answers
@johnbor
I'm stumped, because this is ALL that SonicWall provides regarding the Insights widget:
But I now believe that you cannot alter this directly.
[Edited after more research]
In my case, I had a Red Alert, Shields Up icon and found there are over 500 instances:
I took a look in the System Logs, which shows GAV doing what it is supposed to do:
The source is an Amazon data center, so who knows what is really trying to get to my computer...
So you're saying that the threat could be removed already but the SonicWall keeps the number still there? I think it's their way to make us pay for the SonicWall Capture Client, which I do not have. Would I be correct?
@johnbor - not necessarily. My log shows that my GAV subscription is blocking this file. I don't use Capture Client.
However, I have a SentinelOne Vigilance subscription through an MSSP and I'm running a deep scan now. But honestly, there isn't anything ON my computer. That's because SonicWall is effectively blocking it.
But to answer the base question: I don't know how to "adjust" that number, which probably can only be decremented when the threats stop appearing.
Even though I don't have the time, I'm going to log a Support Case just to find out.
That would be helpful.
@johnbor, yes indeed, it means threats blocked. The warning notification was highlighted to SonicWall as misleading; we also had customers believing that somehow they had infected endpoints, and they did all the internal scans alike to find nothing.
If you upgrade your firmware to the latest, you will see it has changed to "HOSTS WITH OBSERVED THREATS", which is still a bit misleading, as the SonicWall would have no way of knowing if you have hosts which have been infected. It would make sense if they completely omitted the "HOST" bit altogether and just changed it to "OBSERVED THREATS".
Also, the fact that if you click the notification it takes you to a page which doesn't show any more in-depth information is pointless and useless, and, as you found, has you looking for something on your endpoints but you don't know what, as the information is missing. The best thing to do would be to add in people from SonicWall to the post so they can be aware of the misleading issues and the wasted time you and others have spent scanning internal machines after the SonicWall notification sent you on a wild goose chase.
@preston Thank you for this post. This has been driving me nuts! I see the title "Observed Threats" and had been panicking, thinking we had a big problem. And yes, then you click to get more info and it gives you nothing useful at all: where are these infections? What hosts? When? Date, time, etc. Nothing to pinpoint what it claims it just saw, and it has you thinking that you have machines inside your network that are now infected.
@support @admin
Can SW developers please clean this up? You have the means to be one of the best tools on the market, but setting us up for extremely misleading reporting is of no help at all.