November 15, 2010

Trend Micro WFBS UPX Packed Updates

I had a client with a myriad of issues related to some infected machines on the network. While digging through the firewall logs (SonicWALL TZ-170 or 190 I believe), I found this entry:

Typically we wouldn't want to see packed executables attempting to be retrieved from the WAN, but these occured at regular 15 minute intervals and the source IP was owned by Trend Micro. Digging in the WFBS console I found:

A whole series of failed updates matching up to the UPX packed executables being blocked in the SonicWALL.

Anyone have experience with UPX compression? Is this standard practice for AV definitions to come as a packed executable? Or is the burden on SonicWALL here to get a little more detailed?

1 comment:

Red Flags and the Value of Experience

One of the things I hear often said, and something I subscribe to as well, is the idea that a lot of technical knowledge in the world of IT ...