Malware alert help

Don't miss a thing. Post your questions and discussion about other uncategorized NAS features here.
homeuser2019
New here
Posts: 5
Joined: Thu Aug 29, 2019 10:41 pm

Malware alert help

Post by homeuser2019 » Fri Aug 30, 2019 4:02 am

Running a TS-459 with firmware 4.2.6, malware remover 3.5.2


Have the malware app installed (does weekly scans) and this morning got a random notification of:

"[Malware Remover] Removed high-risk malware. Update passwords for email account and QNAP ID."

"[Malware Remover] Removed high-risk malware. Restart NAS and update all apps in 'App Center' > 'My Apps' > 'Install Updates'."

"[Malware Remover] Removed high-risk malware. Change all user account passwords immediately, update QTS and all applications to the latest versions, and restart the NAS."


Doing some searching it sounds like there is no way to pull exactly what was flagged (or am I missing some information?). Is there any update on how to get this information, if there was indeed legit malware on our NAS it would be nice to know what exactly it was so we can determine the impact/damage to our network and the data that is housed on the NAS (and look for any other kind of IOC) or if this was a false positive that we can safely ignore.

This NAS is not exposed directly to the internet (no port forwards, but it has free will to reach out to the internet for updates/notifications and whatnot)
Last edited by homeuser2019 on Fri Aug 30, 2019 5:16 am, edited 3 times in total.

User avatar
AcerTravel
Know my way around
Posts: 191
Joined: Wed Jul 20, 2011 4:03 pm
Location: Going From Mars To Saturn

Re: Malware alert help

Post by AcerTravel » Fri Aug 30, 2019 5:00 am

I have this to my ts212 fully updated.... and is not open to internet...
TS-212
TS-453PRO 8GB + UX-500P
TS-453A 8GB + UX-800P

homeuser2019
New here
Posts: 5
Joined: Thu Aug 29, 2019 10:41 pm

Re: Malware alert help

Post by homeuser2019 » Fri Aug 30, 2019 5:04 am

You got the same notification this morning also?

User avatar
AcerTravel
Know my way around
Posts: 191
Joined: Wed Jul 20, 2011 4:03 pm
Location: Going From Mars To Saturn

Re: Malware alert help

Post by AcerTravel » Fri Aug 30, 2019 5:06 am

No, just in minutes. I have other two and nothing to report. Only my TS212....
TS-212
TS-453PRO 8GB + UX-500P
TS-453A 8GB + UX-800P

User avatar
AcerTravel
Know my way around
Posts: 191
Joined: Wed Jul 20, 2011 4:03 pm
Location: Going From Mars To Saturn

Re: Malware alert help

Post by AcerTravel » Fri Aug 30, 2019 5:06 am

This never happed, and in my ts212 i only have miminal apps
TS-212
TS-453PRO 8GB + UX-500P
TS-453A 8GB + UX-800P

User avatar
AcerTravel
Know my way around
Posts: 191
Joined: Wed Jul 20, 2011 4:03 pm
Location: Going From Mars To Saturn

Re: Malware alert help

Post by AcerTravel » Fri Aug 30, 2019 5:07 am

i have the same logs... did you find anything for this reason. What is your model and firmware?
TS-212
TS-453PRO 8GB + UX-500P
TS-453A 8GB + UX-800P

User avatar
AcerTravel
Know my way around
Posts: 191
Joined: Wed Jul 20, 2011 4:03 pm
Location: Going From Mars To Saturn

Re: Malware alert help

Post by AcerTravel » Fri Aug 30, 2019 5:11 am

Strange this "[Malware Remover] Removed high-risk malware. Update passwords for email account and QNAP ID.
TS-212
TS-453PRO 8GB + UX-500P
TS-453A 8GB + UX-800P

User avatar
AcerTravel
Know my way around
Posts: 191
Joined: Wed Jul 20, 2011 4:03 pm
Location: Going From Mars To Saturn

Re: Malware alert help

Post by AcerTravel » Fri Aug 30, 2019 5:14 am

I will disable cloudlink
TS-212
TS-453PRO 8GB + UX-500P
TS-453A 8GB + UX-800P

User avatar
OneCD
Ask me anything
Posts: 6245
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Malware alert help

Post by OneCD » Fri Aug 30, 2019 5:16 am

homeuser2019 wrote:
Fri Aug 30, 2019 4:02 am
Doing some searching it sounds like there is no way to pull exactly what was flagged (or am I missing some information?). Is there any update on how to get this information, if there was indeed legit malware on our NAS it would be nice to know what exactly it was so we can determine the impact/damage to our network and the data that is housed on the NAS (and look for any other kind of IOC) or if this was a false positive that we can safely ignore.
QNAP periodically code their Malware Remover to detail the infection found, then some time later, they alter it again and infections won't be detailed. It seems they can't make up their mind whether to let the user know about specific infected files or not. It's a little frustrating and makes it difficult to help people. :?

production NAS: TS-569 Pro with Debian 9.9 'Stretch' (power on/off times are < 1 minute)
backup NAS: TS-559 Pro+ with QTS 4.2.6 #20190730

one.cd.only@gmail.com

Image Image Image Image

homeuser2019
New here
Posts: 5
Joined: Thu Aug 29, 2019 10:41 pm

Re: Malware alert help

Post by homeuser2019 » Fri Aug 30, 2019 5:19 am

Updated my post with the hardware and firmware version

The OneCD that is a little worrisome for those with these devices in an enterprise network where my sysadmin guys cant give my security team and kind of information based on these notifications.

User avatar
OneCD
Ask me anything
Posts: 6245
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Malware alert help

Post by OneCD » Fri Aug 30, 2019 5:23 am

homeuser2019 wrote:
Fri Aug 30, 2019 5:19 am
... that is a little worrisome for those with these devices in an enterprise network where my sysadmin guys cant give my security team and kind of information due based on these notifications
Agree, and this has been raised with QNAP on several previous occasions.

You can always try submitting a help-desk ticket and make the point again. :wink:

production NAS: TS-569 Pro with Debian 9.9 'Stretch' (power on/off times are < 1 minute)
backup NAS: TS-559 Pro+ with QTS 4.2.6 #20190730

one.cd.only@gmail.com

Image Image Image Image

User avatar
AcerTravel
Know my way around
Posts: 191
Joined: Wed Jul 20, 2011 4:03 pm
Location: Going From Mars To Saturn

Re: Malware alert help

Post by AcerTravel » Fri Aug 30, 2019 5:25 am

OneCD wrote:
Fri Aug 30, 2019 5:16 am
homeuser2019 wrote:
Fri Aug 30, 2019 4:02 am
Doing some searching it sounds like there is no way to pull exactly what was flagged (or am I missing some information?). Is there any update on how to get this information, if there was indeed legit malware on our NAS it would be nice to know what exactly it was so we can determine the impact/damage to our network and the data that is housed on the NAS (and look for any other kind of IOC) or if this was a false positive that we can safely ignore.
QNAP periodically code their Malware Remover to detail the infection found, then some time later, they alter it again and infections won't be detailed. It seems they can't make up their mind whether to let the user know about specific infected files or not. It's a little frustrating and makes it quite difficult to help people. :?
My TS212 is fresh configuration... and has miminal application installed. I don't have any multimedia installed... so can't see the reason unless the cloudlink
TS-212
TS-453PRO 8GB + UX-500P
TS-453A 8GB + UX-800P

User avatar
AcerTravel
Know my way around
Posts: 191
Joined: Wed Jul 20, 2011 4:03 pm
Location: Going From Mars To Saturn

Re: Malware alert help

Post by AcerTravel » Fri Aug 30, 2019 5:26 am

I suspecto it was cloud backup. I updated that and rebooted and again detected malware and ask to update again...
TS-212
TS-453PRO 8GB + UX-500P
TS-453A 8GB + UX-800P

Vortax
Starting out
Posts: 27
Joined: Fri Aug 03, 2018 5:11 pm

Re: Malware alert help

Post by Vortax » Fri Aug 30, 2019 8:10 am

Same message here. In my case:

My TS-673 has a single port forwarded (a nextcloud random port, virtualized in a Ubuntu server VM, so sandboxed). I only access it from VPN. No vectors to attack except for auto updates.

I have not downloaded or used it in the last days. At all. Two days ago logs were clean.

Some hours ago (20:46h GMT+1) I get malware remover waning. this is strange, since MR is scheduled to run at 3:00h, so I'm fairly sure it run after some kind of update (definitions?) automatically.

I tried to run the malware remover again, it always "finds" malware, so it is not removing anything.

My only two outdated apps were hybrid backup HBS3 and cloudlink (which was disabled and the app stopped). After updating both, new malware scans report no malware... So, I ran the scan 3 times in a row, all of them finds malware, then update apps and now there is no malware... I did NOT reboot.

All this makes me think that is a false positive, probably an error at QNAP's definitions side. I think it will disappear once they realize they facked it up and update malware definitions.

eLuke455
First post
Posts: 1
Joined: Sun Jun 17, 2018 12:53 pm

Re: Malware alert help

Post by eLuke455 » Fri Aug 30, 2019 10:22 am

I just had a Malware detected warning @ 09:00 on TS-453A running 4.3.6.1040(20190820), which I found odd since it is also scheduled to scan every day at 03:00, and it is firewalled and hidden behind a VPN from Internet Access (no port forwarding,etc)

I reached out to tech support who didn't confirm it was a false positive, but said 4.3.6.1040(20190820) was full of problems and had been revoked from the website, so download 4.3.6.0993.

I hope that is all it was as I would be very surprised my NAS has been compromised given the level of security it sits behind.

Luke

Post Reply

Return to “Miscellaneous”