Operational Defect Database

BugZero found this defect 452 days ago.

WatchGuard Technologies | kA16S000000BcZhSAK

False ThreatSync incidents created for APT Blocker clean file responses

Last update date:

3/27/2024

Affected products:

ThreatSync

WatchGuard Cloud

Affected releases:

All

ThreatSync

WatchGuard Cloud

Fixed releases:

All

Description:

Issue

ThreatSync might create an incident with a risk score of 6 based on APT Blocker scan result log messages, even though the scan result is reported as clean.

To confirm whether an APT Blocker incident in ThreatSync is a false detection:

1. Search the Event logs in WatchGuard Cloud for this text: msg:APT*
2. Locate the APT threat notified result that matches the time and MD5 value from the ThreatSync indicator.
3. Review the Reason and Message fields of that APT scan result. In the example below, "Reason: clean" and "Message: APT safe object" show that the file was reported clean, so the incident is a false detection.

2023-03-01 08:13:10,8000000000000,"FWStatus, APT threat notified. Details='Policy Name: HTTPS-proxy.out-00 Reason: clean Message: APT safe object Task_UUID: sps12345678912345678912345678912345 MD5: 123456789123456789123456789123459 Source IP: 10.0.1.2 Source Port: 50710 Destination IP: 203.0.113.0 Destination Port: 443 Proxy Type: HTTP Proxy File Info: file='filename.exe' extracted from archive file='N/A' Host: hosstname.domain.com Path: /file', pri=4, proc_id=pxy, msg_id=0F01-0015",Event
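The triage check above, as an added Python helper that is not part of the WatchGuard article or the BugZero record: it parses "APT threat notified" events, matches the ThreatSync indicator's MD5 and time, and reads the Reason and Message fields. The first log line is the page's own sample; the second line, its Reason and Message strings, and all function names are constructed assumptions.

```python
import re

# Two "APT threat notified" events. The first is the sample from the advisory;
# the second is a constructed non-clean counterpart whose Reason/Message text
# is an assumption, not a documented APT Blocker value.
EVENT_LOG = """\
2023-03-01 08:13:10,8000000000000,"FWStatus, APT threat notified. Details='Policy Name: HTTPS-proxy.out-00 Reason: clean Message: APT safe object Task_UUID: sps12345678912345678912345678912345 MD5: 123456789123456789123456789123459 Source IP: 10.0.1.2 Source Port: 50710 Destination IP: 203.0.113.0 Destination Port: 443 Proxy Type: HTTP Proxy File Info: file='filename.exe' extracted from archive file='N/A' Host: hosstname.domain.com Path: /file', pri=4, proc_id=pxy, msg_id=0F01-0015",Event
2023-03-01 08:20:42,8000000000000,"FWStatus, APT threat notified. Details='Policy Name: HTTPS-proxy.out-00 Reason: ASSUMED-not-clean Message: ASSUMED threat message Task_UUID: sps00000000000000000000000000000000 MD5: ffffffffffffffffffffffffffffffff Source IP: 10.0.1.3 Source Port: 50711 Destination IP: 203.0.113.1 Destination Port: 443 Proxy Type: HTTP Proxy File Info: file='other.exe' extracted from archive file='N/A' Host: hosstname.domain.com Path: /other', pri=4, proc_id=pxy, msg_id=0F01-0015",Event
"""

# Mirrors the "msg:APT*" search: keep only FWStatus events whose message starts
# with APT, then pull the fields the advisory says to review (Reason, Message, MD5).
APT_EVENT_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),[^,]*,\"FWStatus, (?P<msg>APT[^.]*)\. Details='"
    r".*?Reason: (?P<reason>.*?) Message: (?P<message>.*?) Task_UUID: .*?MD5: (?P<md5>[0-9a-fA-F]+)"
)

def parse_apt_events(log_text):
    """Return one dict (time, msg, reason, message, md5) per APT event line."""
    events = []
    for line in log_text.splitlines():
        m = APT_EVENT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def find_event(events, md5, time):
    """Locate the APT result matching the ThreatSync indicator's MD5 and time."""
    for ev in events:
        if ev["md5"].lower() == md5.lower() and ev["time"] == time:
            return ev
    return None

def is_false_detection(log_text, md5, time):
    """True when the matching APT Blocker result was reported clean (the false
    incident this defect describes), False when it was not clean, and None when
    no event matches, so the incident cannot be confirmed either way."""
    ev = find_event(parse_apt_events(log_text), md5, time)
    if ev is None:
        return None
    return ev["reason"].lower() == "clean"

if __name__ == "__main__":
    verdict = is_false_detection(EVENT_LOG, "123456789123456789123456789123459", "2023-03-01 08:13:10")
    print("false detection" if verdict else "needs review", verdict)
```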

Workaround/Solution

No workaround exists at this time. As a precaution, update all ThreatSync Firebox automation policies to apply only to indicators with a risk score of 7 or higher.


Status

Resolved
