Malware Detected Coming From PacketShaper's IP Address


Article ID: 168916


Products

PacketShaper S-Series, PacketShaper

Issue/Introduction

You may have received alerts from a malware scanning tool indicating that malware traffic is going from your PacketShaper to the following addresses.

     199.116.169.244
     103.246.38.201
     103.246.38.203
     8.28.16.201
     8.28.16.203
     199.116.169.245
     199.19.249.201
     199.19.249.203

The reported traffic will look similar to the request below.

Using Channel GET
channel: GET /2/R/329d199450ed14ca47b7b4fefb845d0b/BLUSHPR1/1/POST/http/netdhc.com/80/img/1129c/thgr.asp?mac=E0CA941E3522&ver=105war&os=Win7 HTTP/1.1::~~Accept: */*::~~Accept-Language: en-us::~~User-Agent: PacketShaper::~~Host: sp.cwfservice.net:80::~~X-BCWF-Dest-IP: 61.197.135.181::~~X-Orig-User-Agent: MyApp::~~X-Application: 1::~~X-Orig-Content-Type: application/x-www-form-urlencoded::~~X-Orig-Content-Length: 0::~~::~~

 

Cause

The addresses listed are the Blue Coat WebPulse Service Points. If you use the WebPulse service, the PacketShaper will reach out to these IP addresses periodically.

The traffic reported as malware is the PacketShaper reaching out to the WebPulse Service Points. This is not malware.

 

Resolution

Please treat this as a false positive. You may consider adding the WebPulse Service Point addresses to a whitelist.
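
The following Python is an added example, not part of the original article or any vendor tooling. Instead of suppressing by address alone, it treats an alert as the expected WebPulse lookup only when the destination is one of the service points listed above and the request carries the User-Agent and Host shown in the sample request. The function names, the constructed sample line, and the reading of `::~~` as the header separator are assumptions.

```python
import ipaddress

# WebPulse Service Point addresses listed in this article.
WEBPULSE_SERVICE_POINTS = frozenset(ipaddress.ip_address(a) for a in (
    "199.116.169.244", "103.246.38.201", "103.246.38.203", "8.28.16.201",
    "8.28.16.203", "199.116.169.245", "199.19.249.201", "199.19.249.203",
))

SEP = "::~~"  # separator as it appears in the article's sample (assumption)

# Constructed sample in the same shape as the article's request (not real data).
SAMPLE = ("channel: GET /2/R/EXAMPLE/1/GET/http/example.com/80/ HTTP/1.1::~~"
          "Accept: */*::~~User-Agent: PacketShaper::~~"
          "Host: sp.cwfservice.net:80::~~::~~")


def parse_channel(line):
    """Split a 'channel: ...' alert line into (request_line, headers dict)."""
    text = line.strip()
    if text.lower().startswith("channel:"):
        text = text[len("channel:"):].strip()
    parts = [p for p in text.split(SEP) if p.strip()]
    if not parts:
        raise ValueError("empty channel line")
    headers = {}
    for field in parts[1:]:
        name, colon, value = field.partition(":")
        if colon:  # skip fragments that are not 'Name: value'
            headers[name.strip().lower()] = value.strip()
    return parts[0], headers


def is_webpulse_lookup(dst_ip, channel_line):
    """True only when the destination is a listed service point AND the
    request has the User-Agent and Host seen in the article's sample."""
    try:
        if ipaddress.ip_address(dst_ip) not in WEBPULSE_SERVICE_POINTS:
            return False
        request_line, headers = parse_channel(channel_line)
    except ValueError:  # malformed address or empty alert body
        return False
    host = headers.get("host", "").rsplit(":", 1)[0].lower()
    return (request_line.startswith("GET ")
            and headers.get("user-agent") == "PacketShaper"
            and host == "sp.cwfservice.net")
```

Alerts for which this returns False should still go through normal triage, including those sent to a listed address with a different request shape.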