
UBISOFT UPLAY Download of Assassins Creed 4 Black Flag being detected as CXweb/ZAccess-A

So UBISoft currently have Black Flag available for free at the moment. So I thought I would download it, all 24.93GB of it. Just when I thought it was almost finished the download failed, saying I did not have Internet Access. As my Internet was fine I checked the logs on my UTM (Home license) and noticed the following:


2017:12:14-20:38:59 e200utm httpproxy[5809]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="x.x.x.x" dstip="2.18.65.115" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (containing XXXXXXX)" filteraction="REF_HttCffDefauConteFilte (Default content filter action B)" size="3070" request="0xdb6bd600" url="uplaypc-s-ubisoft.cdn.ubi.com/.../0E0FA9CE2271D883FCA4F1C59998A167D0781247 referer="" error="" authtime="0" dnstime="24913" cattime="744" avscantime="437369" fullreqtime="1108839" device="0" auth="0" ua="Massgate" exceptions="" category="116" reputation="trusted" categoryname="Games" sandbox="-" content-type="application/x-dosexec" virus="CXweb/ZAccess-A" engine="SAVI"


2017:12:14-20:39:00 e200utm httpproxy[5809]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="x.x.x.x" dstip="2.18.65.115" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (containing XXXXXXX)" filteraction="REF_HttCffDefauConteFilte (Default content filter action B)" size="3070" request="0xdb6bd600" url="uplaypc-s-ubisoft.cdn.ubi.com/.../0E0FA9CE2271D883FCA4F1C59998A167D0781247 referer="" error="" authtime="0" dnstime="403" cattime="897" avscantime="426622" fullreqtime="1034505" device="0" auth="0" ua="Massgate" exceptions="" category="116" reputation="trusted" categoryname="Games" sandbox="-" content-type="application/x-dosexec" virus="CXweb/ZAccess-A" engine="SAVI"


2017:12:14-20:39:01 e200utm httpproxy[5809]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="x.x.x.x" dstip="2.18.65.115" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (containing XXXXXXX)" filteraction="REF_HttCffDefauConteFilte (Default content filter action B)" size="3070" request="0xdb6bd600" url="uplaypc-s-ubisoft.cdn.ubi.com/.../0E0FA9CE2271D883FCA4F1C59998A167D0781247 referer="" error="" authtime="0" dnstime="583" cattime="597" avscantime="418660" fullreqtime="1373946" device="0" auth="0" ua="Massgate" exceptions="" category="116" reputation="trusted" categoryname="Games" sandbox="-" content-type="application/x-dosexec" virus="CXweb/ZAccess-A" engine="SAVI"


2017:12:14-20:39:02 e200utm httpproxy[5809]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="x.x.x.x" dstip="2.18.65.115" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (containing XXXXXXX)" filteraction="REF_HttCffDefauConteFilte (Default content filter action B)" size="3070" request="0xdb6bd600" url="uplaypc-s-ubisoft.cdn.ubi.com/.../0E0FA9CE2271D883FCA4F1C59998A167D0781247 referer="" error="" authtime="0" dnstime="196" cattime="550" avscantime="421622" fullreqtime="1317391" device="0" auth="0" ua="Massgate" exceptions="" category="116" reputation="trusted" categoryname="Games" sandbox="-" content-type="application/x-dosexec" virus="CXweb/ZAccess-A" engine="SAVI"


2017:12:14-20:39:03 e200utm httpproxy[5809]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="x.x.x.x" dstip="2.18.65.115" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (containing XXXXXXX)" filteraction="REF_HttCffDefauConteFilte (Default content filter action B)" size="3070" request="0xdb6bd600" url="uplaypc-s-ubisoft.cdn.ubi.com/.../0E0FA9CE2271D883FCA4F1C59998A167D0781247 referer="" error="" authtime="0" dnstime="412" cattime="882" avscantime="429953" fullreqtime="1036475" device="0" auth="0" ua="Massgate" exceptions="" category="116" reputation="trusted" categoryname="Games" sandbox="-" content-type="application/x-dosexec" virus="CXweb/ZAccess-A" engine="SAVI"


2017:12:14-20:39:05 e200utm httpproxy[5809]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="x.x.x.x" dstip="2.18.65.115" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (containing XXXXXXX)" filteraction="REF_HttCffDefauConteFilte (Default content filter action B)" size="3070" request="0xdb6bd600" url="uplaypc-s-ubisoft.cdn.ubi.com/.../0E0FA9CE2271D883FCA4F1C59998A167D0781247 referer="" error="" authtime="0" dnstime="483" cattime="903" avscantime="420771" fullreqtime="1627163" device="0" auth="0" ua="Massgate" exceptions="" category="116" reputation="trusted" categoryname="Games" sandbox="-" content-type="application/x-dosexec" virus="CXweb/ZAccess-A" engine="SAVI"


2017:12:14-20:39:06 e200utm httpproxy[5809]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="x.x.x.x" dstip="2.18.65.115" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (containing XXXXXXX)" filteraction="REF_HttCffDefauConteFilte (Default content filter action B)" size="3070" request="0xdb6bd600" url="uplaypc-s-ubisoft.cdn.ubi.com/.../0E0FA9CE2271D883FCA4F1C59998A167D0781247 referer="" error="" authtime="0" dnstime="419" cattime="988" avscantime="420448" fullreqtime="1291610" device="0" auth="0" ua="Massgate" exceptions="" category="116" reputation="trusted" categoryname="Games" sandbox="-" content-type="application/x-dosexec" virus="CXweb/ZAccess-A" engine="SAVI"


2017:12:14-20:39:07 e200utm httpproxy[5809]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="x.x.x.x" dstip="2.18.65.115" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (containing XXXXXXX)" filteraction="REF_HttCffDefauConteFilte (Default content filter action B)" size="3070" request="0xdb6bd600" url="uplaypc-s-ubisoft.cdn.ubi.com/.../0E0FA9CE2271D883FCA4F1C59998A167D0781247 referer="" error="" authtime="0" dnstime="446" cattime="813" avscantime="431026" fullreqtime="1030103" device="0" auth="0" ua="Massgate" exceptions="" category="116" reputation="trusted" categoryname="Games" sandbox="-" content-type="application/x-dosexec" virus="CXweb/ZAccess-A" engine="SAVI"


2017:12:14-20:39:09 e200utm httpproxy[5809]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="x.x.x.x" dstip="2.18.65.115" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (containing XXXXXXX)" filteraction="REF_HttCffDefauConteFilte (Default content filter action B)" size="3070" request="0xdb6bd600" url="uplaypc-s-ubisoft.cdn.ubi.com/.../0E0FA9CE2271D883FCA4F1C59998A167D0781247 referer="" error="" authtime="0" dnstime="197" cattime="299" avscantime="420695" fullreqtime="1269780" device="0" auth="0" ua="Massgate" exceptions="" category="116" reputation="trusted" categoryname="Games" sandbox="-" content-type="application/x-dosexec" virus="CXweb/ZAccess-A" engine="SAVI"


2017:12:14-20:39:10 e200utm httpproxy[5809]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="x.x.x.x" dstip="2.18.65.115" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (containing XXXXXXX)" filteraction="REF_HttCffDefauConteFilte (Default content filter action B)" size="3070" request="0xdb6bd600" url="uplaypc-s-ubisoft.cdn.ubi.com/.../0E0FA9CE2271D883FCA4F1C59998A167D0781247 referer="" error="" authtime="0" dnstime="425" cattime="924" avscantime="435453" fullreqtime="1316851" device="0" auth="0" ua="Massgate" exceptions="" category="116" reputation="trusted" categoryname="Games" sandbox="-" content-type="application/x-dosexec" virus="CXweb/ZAccess-A" engine="SAVI"


It would seem that the UTM has taken exception to the final part of the download and classified it as CXweb/ZAccess-A! I would imagine this is a False Positive, but how do I prove / rectify this? Is my only option to create an exception?
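A first triage step for a suspected false positive like this is to parse the httpproxy entries and check whether every hit is one engine flagging one object. The script below is an added example, not from the original post or from Sophos; the sample lines are constructed to mirror the key="value" layout quoted above, with placeholder IPs and object path.

```python
import re
from collections import Counter

# Constructed sample modelled on the UTM httpproxy format in the thread
# (fields abbreviated, IPs and object hash replaced with placeholders).
SAMPLE_LOG = """\
2017:12:14-20:38:59 e200utm httpproxy[5809]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="192.0.2.10" dstip="203.0.113.5" statuscode="403" url="cdn.example.net/object/PLACEHOLDER_HASH" reputation="trusted" content-type="application/x-dosexec" virus="CXweb/ZAccess-A" engine="SAVI"
2017:12:14-20:39:00 e200utm httpproxy[5809]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="192.0.2.10" dstip="203.0.113.5" statuscode="403" url="cdn.example.net/object/PLACEHOLDER_HASH" reputation="trusted" content-type="application/x-dosexec" virus="CXweb/ZAccess-A" engine="SAVI"
2017:12:14-20:39:02 e200utm httpproxy[5809]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.0.2.10" dstip="203.0.113.5" statuscode="200" url="cdn.example.net/object/OTHER_CHUNK" reputation="trusted" content-type="application/octet-stream" virus="" engine=""
"""

# Keys may contain a hyphen (content-type); values may contain spaces and commas.
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Return one httpproxy line as a dict of its key="value" fields plus the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def virus_blocks(lines):
    """Keep only requests the proxy blocked because a scan engine raised a detection."""
    parsed = (parse_line(l) for l in lines if l.strip())
    return [f for f in parsed if f.get("action") == "block" and f.get("virus")]


def summarise(blocks):
    """Group detections by (virus, engine, url) so it is obvious whether all hits
    are a single engine flagging a single object, as in the thread, or several."""
    hits = Counter((b["virus"], b["engine"], b["url"]) for b in blocks)
    engines = {b["engine"] for b in blocks}
    objects = {b["url"] for b in blocks}
    return {
        "hits": hits,
        "engines": engines,
        "single_engine": len(engines) == 1,
        "single_object": len(objects) == 1,
        # An executable MIME type from a trusted-reputation CDN is worth noting
        # either way: it is what a real trojanised installer would look like too.
        "executables": sum(b.get("content-type") == "application/x-dosexec" for b in blocks),
    }


if __name__ == "__main__":
    report = summarise(virus_blocks(SAMPLE_LOG.splitlines()))
    for (virus, engine, url), n in report["hits"].items():
        print(f"{n}x {virus} by {engine} on {url}")
    print("single engine:", report["single_engine"], "| single object:", report["single_object"])
```

A single engine repeatedly flagging one object, with nothing from a second engine or from endpoint AV on the downloaded file, supports the false-positive theory but does not prove it; submitting the sample to the vendor is the step that settles it.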



  • I'm not a gamer, but I do trust Sandstorm.  I would be suspicious that the game being offered for free is actually a version modified by a hacker and is NOT directly from UBISoft.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I don't think Sandstorm is active with the Home UTM License.

     

    The free giveaway is legit: http://store.ubi.com/uk/assassin-s-creed--iv-black-flag-tm-/56c4948088a7e300458b46aa.html?ncid=22-4186---1-intlnk-36-54-Store_AC_blackflag_ubicom_EMEA_2407--1-1--0717-4----AC4BF_WC___Store_AC_blackflag_ubicom_EMEA_2407_ID46863

     

    and the URL in question is part of UBISoft's Content Delivery Network. So if the content has been compromised there are potentially thousands of people who are infected; I am pretty sure other anti-malware vendors would have detected it and consequently there would be other reports, which there are not currently.

     

  • Agreed, Cyrus - I didn't read your logs closely enough.  I note that all of the problems are with the SAVI engine.  You might consider moving to single-scan with the Avira engine, thus removing SAVI from the game for the time being.  They'll likely fix the pattern problem soon.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Can confirm. I got the same results running 9.506-2

    The AV scanning is flagging a false positive on a download coming from a legit game seller, Ubisoft.

    This is the Home version for my family so sandstorm isn't enabled.

    Sophos Home Prem AV beta scanned and hasn't flagged anything on the PC after downloading, so I'll trust the content on faith for now.

     

    I didn't want to create rules or leave a hole open forever so I jumped into:

    Web filtering - web protection - (look to the lower right) default content filter action - Antivirus tab - I just turned all AV off.

    Finished the tiny file (sub 1MB), then turned AV scanning back on via the above steps.

    This is on a HOME network with fairly low risk and low security threat. Please keep in mind the above is not a best practice and represents a large hole in security while used.

  • Drew, did you try the idea in my post just above yours?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA