The Sophos Community will be offline for scheduled maintenance this Saturday, May 27th, at 13:00 UTC for approximately 1 hour. Apologies for any inconvenience caused.


"Wanna" ransomware outbreak. Please see this Sophos article for advice on how to protect your organization. Immediate action recommended.

Sonicwall flagging Sophos update traffic as a "Agent.FL (Trojan)" in their Security Services anti-virus

Good day.  It took me a bit to track this down, so allow me to provide you my information on this so you don't just have to take my word on it.

A few weeks back, I started seeing log entries in my Sonicwall (Yes...I use a Sonicwall SOHO at home...it's complex, but it's great when you have teenagers for content filtering) that were flagging traffic from some of my computers (the Windows 10 systems) as being blocked because it appeared to be "Agent.FL (Trojan)" traffic.

I was 99% certain it wasn't a virus but I was also having some minor updating issues for Sophos Home on those clients, so I began to worry about a virus being hidden and blocking the updates on the systems.  I did many scans of each system with several different A / V clients, then looked for patterns in the log files. After a few minutes of examining logs, I saw that once per hour I was seeing items like this in the log:

****************

09/05/2016 16:03:35 - 809 - Security Services - Alert - 192.168.120.230, 59324, X0 - 208.111.131.31, 80, X1 - Gateway Anti-Virus Alert: (Cloud Id: 37367020) Agent.FL (Trojan) blocked.

****************

The port numbers were moving targets, the external address was at "Limelight" (which was just a file hosting service), and there were several entries every time it happened, meaning it was following the standard of using a dynamic port and it was only happening over a few seconds each time.  I finally had the time to dig in today and decided to use the netstat command to see if I could catch my culprit in the act.  I used Netstat to dump the information every second to a text file during the target time that matched the pattern, let that run for a while, and then watched my firewall for the entries to appear.  At the appointed time (on the nose) the firewall flagged the traffic:


***************

09/05/2016 16:03:35 - 809 - Security Services - Alert - 192.168.120.230, 59324, X0 - 208.111.131.31, 80, X1 - Gateway Anti-Virus Alert: (Cloud Id: 37367020) Agent.FL (Trojan) blocked.

09/05/2016 16:03:35 - 809 - Security Services - Alert - 192.168.120.230, 59323, X0 - 208.111.131.31, 80, X1 - Gateway Anti-Virus Alert: (Cloud Id: 37367020) Agent.FL (Trojan) blocked.

09/05/2016 16:03:34 - 809 - Security Services - Alert - 192.168.120.230, 59322, X0 - 208.111.131.31, 80, X1 - Gateway Anti-Virus Alert: (Cloud Id: 37367020) Agent.FL (Trojan) blocked.

09/05/2016 16:03:34 - 809 - Security Services - Alert - 192.168.120.230, 59321, X0 - 208.111.131.31, 80, X1 - Gateway Anti-Virus Alert: (Cloud Id: 37367020) Agent.FL (Trojan) blocked.

09/05/2016 16:03:34 - 809 - Security Services - Alert - 192.168.120.230, 59319, X0 - 208.111.131.31, 80, X1 - Gateway Anti-Virus Alert: (Cloud Id: 37367020) Agent.FL (Trojan) blocked.

***************

Then I checked my Netstat log and found the corresponding entries (tracked it down by the same port numbers):

  TCP    192.168.120.230:59318   https-208-111-131-31.atl1.llnw.net:http  ESTABLISHED     6952
 [SophosUpdate.exe]
  TCP    192.168.120.230:59319   https-208-111-131-31.atl1.llnw.net:http  LAST_ACK        6952
 [SophosUpdate.exe]
  TCP    192.168.120.230:59320   https-208-111-131-31.atl1.llnw.net:http  ESTABLISHED     6952
 [SophosUpdate.exe]
  TCP    192.168.120.230:59321   https-208-111-131-31.atl1.llnw.net:http  LAST_ACK        6952
 [SophosUpdate.exe]
  TCP    192.168.120.230:59322   https-208-111-131-31.atl1.llnw.net:http  LAST_ACK        6952
 [SophosUpdate.exe]
  TCP    192.168.120.230:59323   https-208-111-131-31.atl1.llnw.net:http  LAST_ACK        6952
 [SophosUpdate.exe]
  TCP    192.168.120.230:59324   https-208-111-131-31.atl1.llnw.net:http  SYN_SENT        6952
 [SophosUpdate.exe]

...and, Bingo.  Found the match.  It was SophosUpdate.exe that was being flagged as a false positive by Sonicwall.  That explained everything.  The reason some clients weren't updating was that the Sonicwall was blocking the updates and the regularity of the issue was that Sophos was trying to pull updates once per hour.

I realize this won't affect the vast majority of home users due to most folks not having gateway antivirus, but I didn't want to have discovered that Sonicwall doesn't like your updates without bringing it to your attention for you to address with Sonicwall.

My workaround will be to not block that Trojan signature for the time being, but if you could respond and let me know if / when you get this straightened out with Sonicwall, it would surely be appreciated.  I'm not keen on whitelisting potential virus signatures (even though that one is not that common).


Best regards.

  • Just a quick follow-up.

    First, there was one additional "Cloud ID" I had to whitelist to get this working.  "Cloud ID: 37303601" with the same basic description..."Agent.FL (Trojan)".  Once that one and the first one I mentioned were whitelisted, the system then allowed the updates to proceed without intercepting them.  The second one didn't show up until after I'd whitelisted the first one.

    Also, note that the whitelisting of them was through the "Cloud Antivirus Database" service that Dell / Sonicwall uses on their devices and not the built-in databases.  This may not be a problem on users who have elected to not use the Cloud AV service (but it's included, so most probably do).  See details here: http://help.mysonicwall.com/sw/eng/6005/ui2/25800/gavCloudExclusions.html

    The updates are now working flawlessly and even Dell mentioned that with with Cloud AV service, there could be a higher number of false positives due to there being a lot more virus patterns (supposedly something like 44 million virus patterns in their Cloud AV service database).

    Again, I wanted to bring this to your attention so that you might be able to address this with Sonicwall to get your software removed from their recognition patterns.

    There may be nothing you can do, but if not, then hopefully this may help someone else who might be experiencing an issue.

    Best regards.

  • I can confirm that. Moving to Sophos all clients results in NSA 3600 CloudAV intercept many Agent.Fl signature that we still need to exclude.

  • In reply to Mauro Marazzi:

    Mauro,

    Thanks!  It's good to have secondary confirmation on this.  It's been a ongoing issue (kind of a "moving target").  I'm loathe to just turn off that function in the firewall, but it's frustrating when it sends a flood of notification emails to me over this.  I've pretty much learned to deal with it.

    Sonicwall says that their product is doing it's job and I'm not sure this is even something that Sophos can address.

    Thanks for the confirmation!

    -Scott

  • In reply to ScottMcBride:

    Hi  

    Are you still facing issue with the latest installer? 

  • In reply to Aditya Patel:

    Aditya,

    Thanks for responding!

    Yes.  It comes in "waves" where it doesn't happen for a couple of weeks, then I will see this happen a lot of times in a row.

    I end up having to whitelist about 6-12 Cloud AV profiles for "Agent.FL (Trojan)" before the issues go away for a while....however it always comes back after three or four weeks.

    It's like figurative clockwork.  Every hour at the exact same time, this traffic will get flagged by the Sonicwall.  I whitelist whichever Cloud AV is flagging it, then wait an hour, do it again for the next until it stops.

    If there's any additional information I can provide to help with this, I'm happy to do so (e.g. firewall logs, Cloud AV info, etc...).  I'd truly like to see a solution to this as the company I work for is a Sonicwall partner and we also recommend Sophos to our clients when it's appropriate...I just don't want to introduce an "unknown" into their environment.

    Regards,

    Scott

  • In reply to ScottMcBride:

    Scott,

     

    I have been struggling for a couple months on finding why Sophos installs were failing.  This only occurred at a couple of our locations.

    I ended up calling SonicWALL support on a different issue yesterday and came across the same thing you found.

    I worked with the SonicWALL tech on adding exclusions for the IP/Web addresses for Sophos. I will explain what we did, if you would like more detail let me know.

    Under Gateway Anti-Virus tab click "Configure Gateway AV Settings"

    Check "Enable Gateway AV Exclusion List" -- You now have to create an address object to select in the "Use Address Object" drop down.

    Under Network > Address Objects create a new object.

    Name: Sophos d1.sophosupd.com [Or whatever you want it to be]

    Zone Assignment: WAN

    Type: FQDN

    FQDN Hostname: d1.sophosupd.com

    **Also add d2.sophosupd.com, d3.sophosupd.com, dci.sophosupd.com

    Under Network > Address Objects select the Address Group tab and create a new group

    Name it "GAV Exclusion Group" [Or whatever you want it to be]

    Add all the address objects previously created to the group

    Return to Gateway Anti-Virus > "Configure Gateway AV Settings"

    Select Address Object "GAV Exclusion Group" [Or whatever you ended up naming it]

     

    Doing this will prevent you from making your network vulnerable to the specific signatures from other sources.  

    You can add address objects for as many FQDN sites or IP addresses as required.  I also added 69.28.157.155 because that is where my agents were trying to update from, and none of the FQDN were resolving to that address.  Your logs show the IP 208.111.131.31 being blocked, you may want to add this as an address object.  This site lists possible FQDN and IP that should consider adding: https://community.sophos.com/kb/en-us/111428

     

    Pat

  • In reply to Patrick Rost:

    Pat,

     

    That's outstanding information.  I will make these changes tonight and update this thread if it doesn't return after a few weeks.

    Thanks for passing this information along.  Hopefully this thread will help others that might be seeing the same issues.

    I truly like my Sonicwall and I'm also a huge fan of Sophos...I wasn't keen on the idea of giving either of them up.

    Regards!

    Scott

  • In reply to ScottMcBride:

    Does GAV exclusions work for Cloud antivirus engine too?

  • In reply to Mauro Marazzi:

    Mauro,

    I'm not a Sonicwall employee or engineer, but I've got decent experience with their firewalls around the products I work with.

    It's been my experience that the GAV and the Cloud AV are separate databases needing different exclusions.

    However, a Sonicwall engineer may be able to provide better insight.

    Good luck!

  • In reply to Mauro Marazzi:

    I believe if you configure an exclusion list by IP/FQDN like in my previous post, Cloud AV is included.  I do not see an additional place to add IP/FQDN for Cloud AV.

    They do definitely have different signature databases though.  On the Gateway Anti-Virus tab there is a "Cloud AV DB Exclusion Settings" option.  This is the way to add signatures to the cloud exclusion list.  If you are trying to exclude a signature from the hardware signature list you have to search for it and un-check it from the list.

    The Cloud AV Signature ID required here can be found under Log > Log Monitor.  Easiest way to filter out Cloud Anti-Virus entries is by clicking on the "+" in the upper left and then from the "Category" filter select "Security Services."  Leave all of the other options at default.  Make sure you change "Display" from "Last 5 minutes" to "All Entries" or the time frame you would like.

     

    Scott, did my previous post work for you?

     

    Pat

  • In reply to Patrick Rost:

    Pat,

    Thanks for filling us in on that.

    I have to apologize...I've not had the time to make the changes to my device yet to test, but from reading your post I'm confident that if it doesn't solve it completely that will get me much closer.

    I plan on making the changes this weekend and will update this thread with the result.

    Regards,

    Scott