Answers
Hi @pjb
This is just a log entry stating that the firewall's Gateway Anti-Virus blocked a connection from source 23.60.159.57, 80, X4 to destination 192.168.0.167, 57762, X0, as it detected Agent.FL (Trojan), which matched a cloud ID (Cloud Id: 82586309). It was blocked at the firewall and didn't reach that PC.
Was a user using the PC at this time? Were they trying to access a program, or did they click a link on a website? Was it something legit? If you know it's legit and a false positive, please report it on our portal:
How can I report false positives or Virus/Trojan/Malware samples to the Gateway AntiVirus team? | SonicWall
Hello Tony. This started on Sunday night around 6:30 PM EST. The alert messages came from two PCs on my local network. I remotely shut off both PCs at 9:00 PM EST. The next morning I went about analyzing the systems to see if I could discover anything out of the ordinary. When the 192.168.0.167 PC was turned on, it immediately started generating these Agent.FL (Trojan) alert messages again. The second PC did not generate any alert messages after booting up. After about an hour or so, the 192.168.0.167 PC stopped generating these messages. There was no user activity occurring on either PC on Sunday night, nor was there any user activity occurring yesterday during the time I was analyzing the systems.
The IP 23.60.159.57 is located at Akamai, and this CDN is often used by Microsoft, so my best guess is that it's triggered by a Windows Update and probably a false positive, as @PJB suspected.
Maybe you can update this Endpoint manually to figure out which update package triggers the event.
--Michael@BWC
Thank you BWC. I did trace that IP back to Akamai but did not know that Microsoft used that datacenter. I'll try to check the logs on that PC to see if it has any indication of an update.
Good Catch @BWC !
@pjb, if you continue to receive these log entries and Windows Update is being blocked, please create a web ticket or give a call to our support team so they can get in touch with our GAV signature team to look into this false positive.
Hi @pjb, make sure you enable "Log Virus URI" on the diag page. This will then show in the logs the location it came from, the filename, and also the cloud signature. You can then rule out whether it is a false positive and add the Cloud ID signature to the Cloud AV exceptions.
With any luck SonicWall may eventually enable this by default, as I've been asking for years; it would have helped you straight away in troubleshooting the issue, as you would have seen it was a Windows Update in the log.
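The triage the two answers above describe (read the source/destination/Cloud Id fields out of the GAV block entry, check whether the source is a CDN that serves update traffic, then decide whether the Cloud ID is a candidate for a Cloud AV exception once Virus URI logging confirms it) can be scripted over a syslog export. The block below is an added example and is not code from SonicWall or from anyone in this thread. The log line layout, the sample entries, and the trusted CDN prefix list are all constructed assumptions for the example; the real appliance format and the ownership of any prefix must be checked against your own exports and whois before relying on them.

```python
"""Triage SonicWall-style Gateway Anti-Virus (GAV) block events.

Added example: groups GAV alerts by Cloud ID / signature / source and flags
groups whose source sits in a CDN range the analyst has verified out of band,
so they can be confirmed with Virus URI logging before a Cloud AV exception
is added. Log layout and sample lines are constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample entries; the field layout mirrors the thread's description
# (source ip, port, interface / destination ip, port, interface / Cloud Id) and is
# an assumption about the syslog format, not copied from a real appliance.
SAMPLE_LOG = """\
Gateway Anti-Virus Alert: Agent.FL (Trojan) blocked. source 23.60.159.57, 80, X4 destination 192.168.0.167, 57762, X0 Cloud Id: 82586309
Gateway Anti-Virus Alert: Agent.FL (Trojan) blocked. source 23.60.159.57, 80, X4 destination 192.168.0.167, 57801, X0 Cloud Id: 82586309
Gateway Anti-Virus Alert: Agent.FL (Trojan) blocked. source 23.60.159.57, 80, X4 destination 192.168.0.201, 49922, X0 Cloud Id: 82586309
Gateway Anti-Virus Alert: Generic.Dropper (Trojan) blocked. source 203.0.113.45, 8080, X4 destination 192.168.0.167, 57910, X0 Cloud Id: 11111111
Some unrelated log line that should be ignored
"""

# Prefixes the analyst has confirmed (e.g. via whois) belong to a CDN that serves
# update traffic. The prefix below is an assumption for this example; verify
# ownership yourself before trusting it.
TRUSTED_CDN_PREFIXES = ["23.32.0.0/11"]

LOG_RE = re.compile(
    r"(?P<sig>\S+) \((?P<kind>[^)]+)\) blocked\. "
    r"source (?P<src>[\d.]+), (?P<sport>\d+), (?P<sif>\w+) "
    r"destination (?P<dst>[\d.]+), (?P<dport>\d+), (?P<dif>\w+) "
    r"Cloud Id: (?P<cloud_id>\d+)"
)

CANDIDATE_FP = "candidate false positive: confirm with Virus URI logging"
INVESTIGATE = "investigate: not from a trusted CDN or unusual server port"


def parse_line(line):
    """Return the parsed fields of one GAV block event, or None if it is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def triage(log_text, trusted_prefixes=TRUSTED_CDN_PREFIXES):
    """Group events by (cloud_id, signature, source) and give each group a verdict."""
    nets = [ipaddress.ip_network(p) for p in trusted_prefixes]
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            groups[(ev["cloud_id"], ev["sig"], ev["src"])].append(ev)

    report = []
    for (cloud_id, sig, src), evs in groups.items():
        src_ip = ipaddress.ip_address(src)
        from_cdn = any(src_ip in n for n in nets)
        server_ports = {int(e["sport"]) for e in evs}
        # Heuristic only: a CDN source on a standard web port, repeatedly hitting the
        # same Cloud ID across hosts, looks like a content download (e.g. an update),
        # which is what this thread's case turned out to be. It is not proof.
        verdict = CANDIDATE_FP if from_cdn and server_ports <= {80, 443} else INVESTIGATE
        report.append({
            "cloud_id": cloud_id,
            "signature": sig,
            "source": src,
            "from_trusted_cdn": from_cdn,
            "server_ports": sorted(server_ports),
            "hosts": sorted({e["dst"] for e in evs}),
            "hits": len(evs),
            "verdict": verdict,
        })
    report.sort(key=lambda r: r["hits"], reverse=True)
    return report


def exception_candidates(report):
    """Cloud IDs worth adding to Cloud AV exceptions once the URI/filename confirms them."""
    return sorted({r["cloud_id"] for r in report if r["verdict"] == CANDIDATE_FP})


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for row in rows:
        print(f'{row["cloud_id"]:>10} {row["signature"]:<16} {row["source"]:<15} '
              f'hits={row["hits"]} hosts={len(row["hosts"])} {row["verdict"]}')
    print("exception candidates:", exception_candidates(rows))
```

The verdict is deliberately a prompt rather than a decision: a source in a CDN range only tells you the file came through a shared delivery network, not what the file was, so the Cloud ID should go into the exception list only after the Virus URI and filename in the log show an update package rather than arbitrary content served from the same CDN.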
Thank you for the information Preston and Tonya. The logs did show an update at the time and these notifications did stop. I'm pretty comfortable with the assessment that this was a false-positive.