Malware alert help

KarlInOz · Post by **KarlInOz** » Fri Aug 30, 2019 10:24 am

I had the same notification in my logs yesterday morning. I have submitted a ticket to QNAP asking where to get further information.

I have noticed something else interesting in the logs that has been happening since the day before I had the malware infection notice: I have the scanner set for daily at 3:00AM and up to the 28th August the logs show e.g:
Severity Level Date Time Users Source IP Application Category Content
Information 2019/08/21 03:01:00 System 127.0.0.1 Malware Remover General [Malware Remover] Scan completed.
Information 2019/08/21 03:00:03 System 127.0.0.1 Malware Remover General [Malware Remover] Started scanning.

But on 28 August I had an additional series of entries at 23:05 -
Severity Level Date Time Users Source IP Application Category Content
Information 2019/08/28 23:06:25 System 127.0.0.1 Malware Remover General [Malware Remover] Scan completed.
Information 2019/08/28 23:05:20 System 127.0.0.1 Malware Remover Malware Removal [Malware Remover] System started running malware scan.
Information 2019/08/28 23:05:20 System 127.0.0.1 Malware Remover General [Malware Remover] Started scanning.

I have no idea where this 23:00 scheduled scan comes from as I had not changed the schedule. Then the next entries are for the next 3:00AM scan -
Severity Level Date Time Users Source IP Application Category Content
Information 2019/08/29 03:00:55 System 127.0.0.1 Malware Remover General [Malware Remover] Scan completed.
Information 2019/08/29 03:00:02 System 127.0.0.1 Malware Remover General [Malware Remover] Started scanning.

and then the next 23:00 scan shows the infection -
Severity Level Date Time Users Source IP Application Category Content
Information 2019/08/29 23:06:49 System 127.0.0.1 Malware Remover General [Malware Remover] Scan completed.
Warning 2019/08/29 23:05:39 System 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed high-risk malware. Change all user account passwords immediately, update QTS and all applications to the latest versions, and restart the NAS.
Warning 2019/08/29 23:05:39 System 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed high-risk malware. Restart NAS and update all apps in 'App Center' > 'My Apps' > 'Install Updates'.
Information 2019/08/29 23:05:30 System 127.0.0.1 Malware Remover General [Malware Remover] Started scanning.
Information 2019/08/29 23:05:30 System 127.0.0.1 Malware Remover Malware Removal [Malware Remover] System started running malware scan.

It's very odd that this 23:00 scan started coming out of nowhere.

forbrich · Post by **forbrich** » Fri Aug 30, 2019 11:08 am

Adding myself to the list of those who received this message.

As a sysadmin, it is quite upsetting to read that files were removed without being advised which one(s). The log needs to include that info, at the least for troubleshooting.

/Hans

peelos · Post by **peelos** » Fri Aug 30, 2019 12:43 pm

got exactly the same error message on TVS 1282 running 4.3.6.0979 also firewalled and hidden behind a VPN from Internet Access (no port forwarding,etc)

what a useless error message - makes one paranoid without giving any detailed information to verify if it is a false positive

KarlInOz · Post by **KarlInOz** » Fri Aug 30, 2019 1:17 pm

So I just got a reply from QNAP support saying "This function is currently not supported yet." - reporting on what files were affected. They said they have added my voice to a feature request but that it can take a long time for feature requests to become reality. I informed them that it was a feature on 11 June when I did receive a notification from the tool of what files were affected.
They gave no word on whether last night's message was a false positive.

Proggie · Post by **Proggie** » Fri Aug 30, 2019 2:33 pm

I got the same messages also during a check that is not on my regular scheduled time. What's even stranger is that I rebooted, changed my passwords, updated a couple apps (OS was already latest 4.3.3) and a scan completed successfully and then an hour later after the original warnings I got the exact same warnings again! WTF?

Josvls · Post by **Josvls** » Fri Aug 30, 2019 3:53 pm

Same here. Maybe a faulty antimalware signature?

jelv1 · Post by **jelv1** » Fri Aug 30, 2019 4:23 pm

I keep getting the same three messages in the log (three times so far). Each time when I go to the application centre there is a different application needing updating. This morning it is Cloud Backup Sync.

Current version is V2.1.670 (installation date 2019/08/29). It wants to update to V2.1.671 which was apparently released 2019/07/16. Looking at the change log there is no mention of version 2.1.670. But 671 says "Added support for code signing".

My guess is that they have made a mess of code signing for the applications and we are going to have to work through updating them until they get all the signing right

domuhe · Post by **domuhe** » Fri Aug 30, 2019 5:26 pm

Same here on a QNAP behind firewall and no access from the Internet.

Jägerschnitzel · Post by **Jägerschnitzel** » Fri Aug 30, 2019 6:37 pm

As per the QNAP support it's a false positive. deinstalling and Reinstalling malware remover should do the trick.

QNAPs response to me was in German thus I translated it to the above

...

catogtp · Post by **catogtp** » Fri Aug 30, 2019 7:24 pm

Had the alerts yesterday on a TS-439 Pro II+ Firmware: 4.2.6(20190629)
I did a firmware update to 4.2.6(20190730) and app update and it sent the three alerts two more times nearly back to back. I woke up this morning and had the three alerts again from the scheduled scan. There was also another cloud backup sync update waiting for me as well.
Uninstalled and reinstalled the Malware Remover. Hopefully that does the trick.

dr_jon · Post by **dr_jon** » Fri Aug 30, 2019 9:33 pm

Me too, TS419P+ NAS with no Internet connection, put in a ticket yesterday, was up to 2am with this...

(The TS453A and TS253A are still okay, but don't have Cloud Backup installed.)

tjakobi · Post by **tjakobi** » Fri Aug 30, 2019 10:04 pm

Same here, TS219p, TVS682, both behind VPN, both don't even have cloud link installed.

Got the notice at a different time than the usual scan during the night. Rebooting and updating does not seem to help, after each reboot the message comes up again.

Vortax · Post by **Vortax** » Fri Aug 30, 2019 10:14 pm

tjakobi wrote: ↑Fri Aug 30, 2019 10:04 pm Same here, TS219p, TVS682, both behind VPN, both don't even have cloud link installed.

Got the notice at a different time than the usual scan during the night. Rebooting and updating does not seem to help, after each reboot the message comes up again.

Someone before said that QNAP TS recommend uninstalling and reinstalling malware remover.

Can you try to uninstall, reboot, and reinstall to see if warning disappear?

Maba · Post by **Maba** » Fri Aug 30, 2019 10:55 pm

same here too on ts 659 pro II ....
this nas was on internet (website) two years ago ... now because of EOL it cannot be accessed by internet (only lan / no vpn ).

After a reboot, message disappear.

I hope it's false positive !

Josvls · Post by **Josvls** » Fri Aug 30, 2019 11:00 pm

Jägerschnitzel wrote:As per the QNAP support it's a false positive. deinstalling and Reinstalling malware remover should do the trick.

QNAPs response to me was in German thus I translated it to the above ...

I just tried it. Doesn’t work.

QNAP NAS Community Forum

Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help

Re: Malware alert help