Malware alert help

Posted: Fri Aug 30, 2019 4:02 am
by homeuser2019
Running a TS-459 with firmware 4.2.6, malware remover 3.5.2


Have the malware app installed (does weekly scans) and this morning got a random notification of:

"[Malware Remover] Removed high-risk malware. Update passwords for email account and QNAP ID."

"[Malware Remover] Removed high-risk malware. Restart NAS and update all apps in 'App Center' > 'My Apps' > 'Install Updates'."

"[Malware Remover] Removed high-risk malware. Change all user account passwords immediately, update QTS and all applications to the latest versions, and restart the NAS."


Doing some searching, it sounds like there is no way to pull exactly what was flagged (or am I missing some information?). Is there any update on how to get this information? If there was indeed legit malware on our NAS, it would be nice to know what exactly it was so we can determine the impact/damage to our network and the data that is housed on the NAS (and look for any other kind of IOC), or if this was a false positive that we can safely ignore.

This NAS is not exposed directly to the internet (no port forwards, but it has free will to reach out to the internet for updates/notifications and whatnot).

Re: Malware alert help

Posted: Fri Aug 30, 2019 5:00 am
by AcerTravel
I have this on my TS212, fully updated... and it is not open to the internet...

Re: Malware alert help

Posted: Fri Aug 30, 2019 5:04 am
by homeuser2019
You got the same notification this morning also?

Re: Malware alert help

Posted: Fri Aug 30, 2019 5:06 am
by AcerTravel
No, just in minutes. I have two others and nothing to report. Only my TS212...

Re: Malware alert help

Posted: Fri Aug 30, 2019 5:06 am
by AcerTravel
This never happened, and on my TS212 I only have minimal apps.

Re: Malware alert help

Posted: Fri Aug 30, 2019 5:07 am
by AcerTravel
I have the same logs... did you find anything for this reason? What is your model and firmware?

Re: Malware alert help

Posted: Fri Aug 30, 2019 5:11 am
by AcerTravel
Strange, this: "[Malware Remover] Removed high-risk malware. Update passwords for email account and QNAP ID."

Re: Malware alert help

Posted: Fri Aug 30, 2019 5:14 am
by AcerTravel
I will disable cloudlink

Re: Malware alert help

Posted: Fri Aug 30, 2019 5:16 am
by OneCD
homeuser2019 wrote: Fri Aug 30, 2019 4:02 am Doing some searching it sounds like there is no way to pull exactly what was flagged (or am I missing some information?). Is there any update on how to get this information, if there was indeed legit malware on our NAS it would be nice to know what exactly it was so we can determine the impact/damage to our network and the data that is housed on the NAS (and look for any other kind of IOC) or if this was a false positive that we can safely ignore.
QNAP periodically code their Malware Remover to detail the infection found, then some time later, they alter it again and infections won't be detailed. It seems they can't make up their mind whether to let the user know about specific infected files or not. It's a little frustrating and makes it difficult to help people. :?

Re: Malware alert help

Posted: Fri Aug 30, 2019 5:19 am
by homeuser2019
Updated my post with the hardware and firmware version

OneCD, that is a little worrisome for those with these devices in an enterprise network where my sysadmin guys can't give my security team any kind of information based on these notifications.

Re: Malware alert help

Posted: Fri Aug 30, 2019 5:23 am
by OneCD
homeuser2019 wrote: Fri Aug 30, 2019 5:19 am ... that is a little worrisome for those with these devices in an enterprise network where my sysadmin guys cant give my security team and kind of information due based on these notifications
Agree, and this has been raised with QNAP on several previous occasions.

You can always try submitting a help-desk ticket and make the point again. :wink:

Re: Malware alert help

Posted: Fri Aug 30, 2019 5:25 am
by AcerTravel
OneCD wrote: Fri Aug 30, 2019 5:16 am
homeuser2019 wrote: Fri Aug 30, 2019 4:02 am Doing some searching it sounds like there is no way to pull exactly what was flagged (or am I missing some information?). Is there any update on how to get this information, if there was indeed legit malware on our NAS it would be nice to know what exactly it was so we can determine the impact/damage to our network and the data that is housed on the NAS (and look for any other kind of IOC) or if this was a false positive that we can safely ignore.
QNAP periodically code their Malware Remover to detail the infection found, then some time later, they alter it again and infections won't be detailed. It seems they can't make up their mind whether to let the user know about specific infected files or not. It's a little frustrating and makes it quite difficult to help people. :?
My TS212 is a fresh configuration... and has minimal applications installed. I don't have any multimedia installed... so I can't see the reason, unless it's the cloudlink.

Re: Malware alert help

Posted: Fri Aug 30, 2019 5:26 am
by AcerTravel
I suspect it was cloud backup. I updated that and rebooted, and it again detected malware and asked to update again...

Re: Malware alert help

Posted: Fri Aug 30, 2019 8:10 am
by Vortax
Same message here. In my case:

My TS-673 has a single port forwarded (a Nextcloud random port, virtualized in an Ubuntu server VM, so sandboxed). I only access it from VPN. No vectors to attack except for auto updates.

I have not downloaded or used it in the last days. At all. Two days ago logs were clean.

Some hours ago (20:46h GMT+1) I got a Malware Remover warning. This is strange, since MR is scheduled to run at 3:00h, so I'm fairly sure it ran after some kind of update (definitions?) automatically.

I tried to run the malware remover again, it always "finds" malware, so it is not removing anything.

My only two outdated apps were hybrid backup HBS3 and cloudlink (which was disabled and the app stopped). After updating both, new malware scans report no malware... So, I ran the scan 3 times in a row, all of them find malware, then update apps and now there is no malware... I did NOT reboot.

All this makes me think that it is a false positive, probably an error at QNAP's definitions side. I think it will disappear once they realize they facked it up and update malware definitions.

Re: Malware alert help

Posted: Fri Aug 30, 2019 10:22 am
by eLuke455
I just had a Malware detected warning @ 09:00 on TS-453A running 4.3.6.1040(20190820), which I found odd since it is also scheduled to scan every day at 03:00, and it is firewalled and hidden behind a VPN from Internet Access (no port forwarding, etc.).

I reached out to tech support who didn't confirm it was a false positive, but said 4.3.6.1040(20190820) was full of problems and had been revoked from the website, so download 4.3.6.0993.

I hope that is all it was as I would be very surprised my NAS has been compromised given the level of security it sits behind.

Luke