SonicWall - Gateway Antivirus Alert:  Phish_PayPal (Trojan) blocked

Posted on 2010-11-28
Last Modified: 2012-05-10
I have a SonicWall installed on a small business network.  Today, I received the following alerts multiple times:

11/28/2010 16:22:19.944
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source:, 80, X1           Destination:, 1109, X0  


11/28/2010 16:22:20.096
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source:, 1107, X0                 Destination:, 80, X1    

I got multiple attempts from multiple IP addresses.  More than 20+ attempts in a short period.  I even got a TCP XMas Tree dropped Intrusion Prevention alert.

Most of these alerts came from the following IP addresses:

They were quite aggressive but the SonicWall said that they were blocked.  Is there anything I should be worried about?  My log filled up quick and I got a ton of email notifications.

I did antivirus and spyware scans on the PCs but they came up negative.  All this occurred when I was upgrading the Norton Antivirus on some computers and upgrading some Dell support software.  Also, when I tried to update the Norton Internet Security 2011 with the LiveUpdate, one of the many patches failed to install.  It was a patch for anti-phishing.

Any advice would be appreciated.  Thanks in advance.
Question by: EE_User12

Expert Comment

ID: 34227203
you need to look more closely at  appears the traffic was trying to come into that internal ip and going out from that ip.  if the alerts were of type ingress, then i'd say not to be concerned.  the sonicwall did its job and blocked the attacks.  however, the alerts indicating an internal host would make me concerned.

is the ip of x0 on the sonicwall?

Author Comment

ID: 34227820
It is the address of one of the computers on the network.  I believe x0 is the LAN interface where I have a switch connected to the SonicWall and X1 is the WAN interface.  I'm actually using a different more unique address than the 192.168.1.x scheme.  I'm just using this as an example.  All the other addresses are valid though.  The attack is also not specific to one computer.  I may have 2 or 3 other computers giving out the same message but they are all functioning fine.  Most of the troubled computers were the ones I upgraded.  I'm not sure if their installation files were corrupted.  

The attack seems to come in pairs.  Like a remote user trying to call or install something and then the internal computer tries to do something.  The SonicWall says block but the attacks this afternoon were very persistent.  I have scanned the internal computers thoroughly with basic antivirus (Norton) and antispyware (Spybot S&D)  tools but have not found anything.  I'm not sure if I have to Combofix this.  Also this attack only occurs when connected to the Internet.  When I disconnect the WAN from the Internet, everything goes quiet.

I'm not sure if something is hiding internally or if someone is trying to break in.  I do once in a while get scans hitting on my SonicWall from the outside but I just ignore them.

I removed all the Dell software and may replace or reinstall the Norton software since the antiphishing patch will not install.  Everything has been stable and fine for months until today.

Assisted Solution

digitap earned 150 total points
ID: 34227886
yes...on the sonicwall, X0 is typically the LAN zone and X1 is the WAN zone.  reviewing the public IP addresses, i see several of those public IP addresses appear as AKAMAITECHNOLOGIES.COM in a reverse DNS.  the last 209.18.43.x don't resolve to anything, but most of the 184.85.253.x resolve the domain i specified above.  to quote,

"Akamai provides many IT services like application hosting, content delivery, and streaming media services, but they are probably best known for their massive distributed computer infrastructure. In lay terms, they have upwards of 15,000+ servers positioned around the globe providing content (software downloads, etc) and media (like QuickTime, RealAudio, or Windows Media files) for their customers (the likes of Apple, GM, MTV, Department of Defense, IBM, Microsoft, Yahoo!, Adobe...)."


At most, i'd perform a malwarebytes, but it seems you got it.  combofix seems a little aggressive, and i've stopped using spybot quite some time ago.

based on what you're seeing, what you've found in your scans and that the sonicwall is blocking things, i think you don't have anything to worry about.  seems the sonicwall may be interpreting the updates.  you may try to exclude the Phish_Paypal "filter" and try an update on one of the boxes where updates are failing.  if it succeeds, then you've got your answer.
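One way to triage alerts like these along the lines digitap describes (X0 = LAN, X1 = WAN, so the interface tells ingress from egress), added here as an example and not code from the thread: it parses four-line alert blocks in the format quoted in the question, labels each by direction, and per internal host counts alerts, collects the remote peers, and notes which egress alerts are merely the reply half of a connection the ingress alerts already covered. The sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
# Constructed sample in the format quoted in the question; IPs are made up.
SAMPLE = """
11/28/2010 16:22:19.944
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source: 203.0.113.10, 80, X1           Destination: 192.168.1.50, 1109, X0
11/28/2010 16:22:20.096
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source: 192.168.1.50, 1107, X0         Destination: 203.0.113.10, 80, X1
11/28/2010 16:22:21.300
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source: 192.168.1.50, 1109, X0         Destination: 203.0.113.10, 80, X1
"""
ZONES = {"X0": "LAN", "X1": "WAN"}  # interface-to-zone mapping from the thread
ALERT_RE = re.compile(r"Gateway Anti-Virus Alert: (\S+) \(([^)]+)\) blocked")
ENDPOINT_RE = re.compile(r"Source:\s*([\d.]*),\s*(\d+),\s*(X\d)\s+"
                         r"Destination:\s*([\d.]*),\s*(\d+),\s*(X\d)")

def parse_alerts(text):
    """Turn 4-line SonicWall GAV alert blocks into dicts with a direction label."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    alerts = []
    for i in range(0, len(lines) - 3, 4):
        m, e = ALERT_RE.search(lines[i + 2]), ENDPOINT_RE.search(lines[i + 3])
        if not (m and e):
            continue
        sip, sport, sif, dip, dport, _ = e.groups()
        # Traffic arriving on the WAN interface is ingress; from the LAN it is egress.
        direction = "ingress" if ZONES.get(sif) == "WAN" else "egress"
        alerts.append(dict(time=lines[i], sig=m.group(1), direction=direction,
                           sip=sip, sport=int(sport), dip=dip, dport=int(dport)))
    return alerts

def summarize(alerts):
    """Per LAN host: direction counts, peers, and egress alerts that are the reply half of a connection seen on ingress."""
    rep = defaultdict(lambda: {"ingress": 0, "egress": 0, "peers": set(), "same_conn": 0})
    seen = set()  # (lan_ip, lan_port, wan_ip, wan_port) taken from ingress alerts
    for a in alerts:
        if a["direction"] == "ingress":
            host, peer = a["dip"], a["sip"]
            seen.add((a["dip"], a["dport"], a["sip"], a["sport"]))
        else:
            host, peer = a["sip"], a["dip"]
            rep[host]["same_conn"] += (a["sip"], a["sport"], a["dip"], a["dport"]) in seen
        rep[host][a["direction"]] += 1
        rep[host]["peers"].add(peer)
    return dict(rep)
```

A host whose egress alerts all fall under same_conn is just completing downloads the firewall already flagged on the way in; egress alerts that do not pair up are the ones worth a closer look.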


Author Comment

ID: 34232611
I am beginning to think this may be a false positive.  I am able to replicate the SonicWall Phish_PayPal alerts every time I run the LiveUpdate in Norton.  It appears all my PCs with Norton have been affected.  For some reason, they cannot install an antiphishing patch.

Error message:

Norton 2011 Web Protection Definitions Updates Antiphising to verify authentic websites failed to install.

All scans with Malwarebytes and SpyBotSD come up negative.  After removing the Norton, things went quiet.  Even after a fresh install of Norton, the patch still fails to install.  I have one test computer running Avast and it has no problems.  I'm assuming this is an issue between the Norton LiveUpdate and the SonicWall.  I had no problems with Norton until they recently released NIS 2011.  I have another group of computers that I take care of that are not protected by a SonicWall but their updates have been able to install successfully on Norton 2011.

Accepted Solution

digitap earned 150 total points
ID: 34232668
yes, I agree with you.  i believe it to be a sonicwall issue.  their signatures for Phish_PayPal are generating this and probably need to be updated...perhaps that has already happened.  you might check when the last time your sonicwall definitions were updated or even the firmware you are currently running on.  you could probably disable the filter for this item safely until a fix has been released by sonicwall...possibly even with Norton in the way they distributed updates.

Author Closing Comment

ID: 34273684
Digitap, thanks again for your help.

If any readers have a similar problem, look for automated processes.  When digitap mentioned Akamai that rang a bell in my head.  Most of these automated processes go through this service.  In my situation, the SonicWall was creating a false positive when the NIS 2011 was looking for updates.  For some reason the anti-phishing update failed to install.  It might be related to the SpybotS&D or a bad upgrade on the NIS 2011.  I had varying results with my fix.  Some computers eventually were able to install the anti-phishing update after I did an uninstall of NIS 2011, updated the SpybotS&D, followed with a SpybotS&D immunization, and then reinstalled the NIS 2011.  It might or might not be related to the immunize process of the SpybotS&D not allowing the anti-phishing update to be installed.  Disabling any running programs during install made no difference.  If the update continues to fail, either disable the LiveUpdate (and do it manually) or change to another antivirus/firewall program like Avast.  I have some computers on Avast and they're doing great but I think Avast has a weak antispam feature especially for mail.  I also recommend that you update your signatures and firmware for the SonicWall like digitap mentioned.

Expert Comment

ID: 34273860
thanks for the points and the detailed information.
