Anti-Bot logs of Kuaizip.TC.gp
Dear,
FW: 15600
Version: R77.30
Hotfix: Take_292
There are too many such logs:
Kuaizip is a compression software, similar to WinRAR. How do I make Anti-Bot detection of Kuaizip.TC.gp inactive and cancel such logs? I don't think this kind of log is of any use.
Accepted Solutions
However, if you insist on making your networks vulnerable to backdoors and adware, there is a way.
Open your policy, go to Threat Prevention and add an exception with the Anti-Bot Blade. Look up the name of the malware you want to ignore (once more, not a good idea), add it to the exception and set the action to Inactive.
Final warning: by doing so, you are putting your company at risk!
"Free archive software" is trying to communicate with known C&C and triggers DNS trap protection.
Are you confident there is nothing wrong here, still?
Wanted to ask the same, as I did not hear anything about "Kuaizip". A quick lookup only returned malicious intent and suggestions on how it can be removed. Of course, my guess can be wrong here.
Valeri Loukine is right. As far as I know, Kuaizip is a compression software, but when you install the software, many bundled programs will be downloaded and installed, including individual virus software. This software is called rogue software (流氓软件).
When we install the Kuaizip software, this rogue software will be installed and will connect to the server "i.kpzip.com" to download configuration files, then the rogue software will download other "malicious software".
Based on the above results, there are many Kuaizip.TC.gp logs in SmartLog. I think Kuaizip should not connect to the Internet, so, to solve this problem, I will add an exception protection to prevent Kuaizip.TC.gp and not log it.
It is just a compression software, similar to WinRAR. I think that because this software communicates with a server, it was detected as possible C2 behavior.
I want to make an exception for this protection. How do I make an exception for this protection in the TP blade?
You seem to miss the point. That software is already classified as adware and a backdoor tool by multiple vendors. Ask yourself, why does free archive software communicate with the Internet? How is it related to its function?
OK, I got it, thanks very much.
Dear Valeri,
I have set the exception referring to your screenshot, and the action is Prevent, as follows:
But I found that the logs still show Detect:
Is my configuration incorrect?
Your default action is Prevent already. Also, the exception rule should be ABOVE the general one. I also suspect your profile is set to Detect on Low Confidence.
Yes, it is Detect on Low Confidence. But I think the protection should be Prevent, because I have set an exception for Kuaizip.TC.gp. I think that the exception rule's level is higher than the general one.
It was not solved. TAC said that R77.30 does not support an exception action of Prevent or Inactive, and the firewall and SMS must be R80.10 and above. I've given up on making an exception for Kuaizip.TC.gp.
