
Virus policy false positive

  • 1.  Virus policy false positive

    Posted 06-17-2018 21:05

    Hi all. For two weeks I have been picking up false positives on Windows updates. I can't whitelist certain IPs with the virus feature on the firewall policy; any ideas on how to mitigate?


    Message meets Alert condition
    Virus/Worm detected: Protocol: "HTTP" Source IP: 192.168.xxx.xxx
    Destination IP: 8.247.248.249 Email Address From: Email Address
    To: VIRUS REFERENCE URL:
    date=2018-06-18 time=08:59:22 devname=xxxxxx devid=FG100E4Q17006469 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1529305162 msg="File is infected." action="blocked" service="HTTP" sessionid=72527335 srcip=192.168.xxx.xxx dstip=8.247.248.249 srcport=54879 dstport=80 srcintf="port1" srcintfrole="lan" dstintf="WAN LINK OUT" dstintfrole="wan" policyid=29 proto=6 direction="incoming" filename="26773177_129255bcafdf28ba563f60069f60029783bd29f9.cab" quarskip="File-was-not-quarantined." url="http://download.windowsupdate.com/d/msdownload/update/others/2018/06/26773177_129255bcafdf28ba563f60069f60029783bd29f9.cab" profile="default" agent="Windows-Update-Agent/10.0.10011.16384" analyticscksum="b335f5cacec2a70f99aff42470beeb60ee60bad85686640ed04529a60244b0ef" analyticssubmit="true" crscore=50 crlevel="critical"



  • 2.  RE: Virus policy false positive

    Posted 06-17-2018 23:07

    Hi,

    You can configure a firewall policy to allow access to windows update servers and move the policy to the top of the policy list.

    You need to create FQDN address objects for the following FQDNs.

    download.microsoft.com
    windowsupdate.com
    windowsupdate.microsoft.com
    download.windowsupdate.com
    update.microsoft.com

    Configure a firewall policy without authentication.

    From interface Internal to destination interface External, but limit the destination address to a group containing the Microsoft update FQDNs.

    And move the policy to the top of the policy table.


    Regards,

    Deepak Kumar

    NSE4
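The steps in the answer above, written out as a FortiOS CLI configuration. This is an added example, not the poster's own configuration: the interface names port1 and "WAN LINK OUT" and the existing policy id 29 are taken from the log line in the first post, while the object, group and policy names are assumptions, and the new policy id is a placeholder that FortiOS assigns when you use `edit 0`.

```fortios
# One FQDN address object per Microsoft update hostname from the answer.
# FQDN objects are resolved by the FortiGate's DNS, so the unit must be
# able to resolve these names for the policy to match.
config firewall address
    edit "download.microsoft.com"
        set type fqdn
        set fqdn "download.microsoft.com"
    next
    edit "windowsupdate.com"
        set type fqdn
        set fqdn "windowsupdate.com"
    next
    edit "windowsupdate.microsoft.com"
        set type fqdn
        set fqdn "windowsupdate.microsoft.com"
    next
    edit "download.windowsupdate.com"
        set type fqdn
        set fqdn "download.windowsupdate.com"
    next
    edit "update.microsoft.com"
        set type fqdn
        set fqdn "update.microsoft.com"
    next
end

# Group the objects so the policy's destination stays narrow.
config firewall addrgrp
    edit "MS-Update-FQDNs"          # assumed group name
        set member "download.microsoft.com" "windowsupdate.com" "windowsupdate.microsoft.com" "download.windowsupdate.com" "update.microsoft.com"
    next
end

# Allow policy for Windows Update only: no authentication and no AV profile,
# restricted to the FQDN group and to HTTP/HTTPS. Logging stays on so the
# traffic that bypasses scanning is still visible in the UTM/traffic logs.
config firewall policy
    edit 0                           # 0 = let FortiOS assign the next free id
        set name "Allow-Windows-Update"   # assumed policy name
        set srcintf "port1"               # LAN interface from the log line
        set dstintf "WAN LINK OUT"        # WAN interface from the log line
        set srcaddr "all"
        set dstaddr "MS-Update-FQDNs"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
        set nat enable
    next
end

# Move the new policy above the existing AV-scanning policy (id 29 in the
# log). Replace <NEW-ID> with the id FortiOS assigned to the policy above;
# the first match in the table wins, so order is what makes this work.
config firewall policy
    move <NEW-ID> before 29
end
```

Because the FortiGate matches policies top to bottom, anything in the group now hits the allow policy before it reaches policy 29 and is never handed to the antivirus engine. That is why the destination is limited to the FQDN group and to the two web services: the exemption should cover only the update hosts, not everything from the LAN, and the `logtraffic all` setting keeps a record of what used the bypass.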



  • 3.  Virus policy false positive

    Posted 06-17-2018 23:19
    Incredible, thanks very much…


    Kind regards

    Marc de Jager
    M : +27 72 318 4607
    O : +27 11 474 2245