repacc Author
User level: Level1 8 points
I have several events from our security appliance like "17.253.123.204:80 U0 - rumow2-vip-bx-004.aaplimg.com - 192-168*-*-- Gateway Anti-Virus Alert: Ransom.DC (Trojan) blocked." As far as I understand, it's an Apple-owned IP range and DNS name. Could someone advise which system process can initiate a connection to this target IP/host? I have scanned my laptop (including the iCloud Drive folder) with different anti-virus tools, but nothing suspicious was discovered.
MacBook Pro 15", macOS 10.14
Posted on Mar 11, 2019 8:20 AM
10 replies
repacc Author
User level: Level1 8 points
Apr 1, 2019 9:43 AM in response to etresoft
Ahahah!
Good option, but we are not ready for such kind of changes)
Grant Bennet-Alder
User level: Level10 130,981 points
Mar 11, 2019 8:43 AM in response to repacc
IP addresses in the range 192.168.xxx.yyy are strictly local IP addresses used on your private network ONLY -- they are not routable. They are part of the Internet numbering scheme, and are NOT controlled by Apple.
https://en.wikipedia.org/wiki/Private_network
These are the addresses passed out by your Router using DHCP, to uniquely identify local devices. Your Router acts as your agent on the Internet, shielding you from being directly accessible from the Internet by using Network Address Translation (NAT).
No one can tell whether your Mac is infected from outside (it is pretty hard to tell when you have complete access from INSIDE your Mac.) And no Trojan Horse or similar malware can be installed unless/until you allow it by supplying your Admin password.
Grant Bennet-Alder
User level: Level10 130,981 points
Mar 11, 2019 2:41 PM in response to repacc
Since 10.11 El Capitan, the Mac is not particularly susceptible to spontaneous attack by Viruses. You can download viruses to your Mac all day long if you like, they will not cause any damage.
The Mac works to make certain that dangerous software does not get in a position to become executable software. It does not need to scan every file looking for suspicious patterns. The system directories are locked, and nothing there can be modified, and nothing can be installed and qualified to be run without your approval.
Of course, if you are not careful and read where your software is downloaded from, your next flash player update may install Malware instead of flash player. No software can replace your vigilance -- they ARE out to get you!
aaplCore
User level: Level3 589 points
Mar 11, 2019 3:22 PM in response to repacc
17.253.123.204 and .aaplimg.com belong to Apple-owned content delivery network (CDN) services.
CDNs are used to help improve network performance during heavy traffic, by cloning and putting content on servers that are faster and physically closer to the requesting user's location, reducing download times.
Apple does not always send the download requests through one of the third-party CDN providers it uses, like Akamai or Level 3. Instead, the traffic goes to Apple's own infrastructure.
Apple's CDN is huge, not just for OS X downloads but also for music, video, and app downloads; many macOS apps may request content from the CDN.
So, it seems that it was a false-positive reaction from your Gateway Anti-Virus appliance.
Not sufficient information for a more detailed answer.
Was it a SonicWall security appliance?
You need to check the appliance log files. You will find the internal IP address of the computer generating those requests; after that, you can look at the device for a deeper investigation.
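The triage step described above (pull the internal source address out of the appliance log, then see which local machine is generating the alerts) can be scripted. The following is an added example, not code from the thread or from SonicWall; it assumes the alert layout of the single line quoted in the original question, uses constructed sample log lines with made-up internal addresses (the poster's own line had that field redacted), and classifies destinations against Apple's 17.0.0.0/8 allocation and sources against the RFC 1918 private ranges so that alerts for known-Apple endpoints can be separated from anything else that deserves a closer look.

```python
"""Triage gateway anti-virus alerts: group them by the internal host that caused them."""
import ipaddress
import re
from collections import defaultdict

# Apple's IPv4 allocation and the RFC 1918 private ranges (the 192.168.x.y
# addresses the thread discusses fall into the last one).
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Layout assumed from the one alert quoted in the question:
# "<dst>:<port> <tag> - <dst hostname> - <src> Gateway Anti-Virus Alert: <signature> blocked."
ALERT_RE = re.compile(
    r"^(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+\S+\s+-\s+"
    r"(?P<host>\S+)\s+-\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"Gateway Anti-Virus Alert:\s+(?P<sig>.+?)\s+blocked\.$"
)

# Constructed sample log. The source addresses and the third line are made up;
# the first two lines reuse the destination quoted in the thread.
SAMPLE_LOG = """\
17.253.123.204:80 U0 - rumow2-vip-bx-004.aaplimg.com - 192.168.1.23 Gateway Anti-Virus Alert: Ransom.DC (Trojan) blocked.
17.253.123.204:80 U0 - rumow2-vip-bx-004.aaplimg.com - 192.168.1.23 Gateway Anti-Virus Alert: Ransom.DC (Trojan) blocked.
203.0.113.7:8080 U0 - files.example.invalid - 192.168.1.40 Gateway Anti-Virus Alert: Example.Signature (Trojan) blocked.
this line is not an alert and must be skipped
"""


def parse_alert(line):
    """Parse one alert line into a dict, or return None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    dst = ipaddress.ip_address(rec["dst"])
    src = ipaddress.ip_address(rec["src"])
    rec["dst_is_apple"] = dst in APPLE_NET
    rec["src_is_private"] = any(src in n for n in PRIVATE_NETS)
    return rec


def triage(log_text):
    """Group parsed alerts by internal source address; unparseable lines are dropped."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec is not None:
            by_src[rec["src"]].append(rec)
    return dict(by_src)


def summarize(by_src):
    """Per internal host: alert count, how many went to Apple-owned space, and the hostnames seen."""
    summary = {}
    for src, recs in by_src.items():
        summary[src] = {
            "total": len(recs),
            "to_apple": sum(1 for r in recs if r["dst_is_apple"]),
            "hosts": sorted({r["host"] for r in recs}),
        }
    return summary


if __name__ == "__main__":
    for src, info in summarize(triage(SAMPLE_LOG)).items():
        flag = "all destinations Apple-owned" if info["to_apple"] == info["total"] else "REVIEW"
        print(f"{src}: {info['total']} alert(s), {info['to_apple']} to 17/8 -> {flag}; hosts={info['hosts']}")
```

Feed it the exported appliance log instead of `SAMPLE_LOG`; a host whose alerts all point at 17/8 CDN names is the false-positive case the reply describes, while a host with alerts to other destinations is the one to inspect next (on that Mac, `nettop` or `lsof -nP -i` shows which process owns the connection).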
repacc Author
User level: Level1 8 points
Apr 1, 2019 8:24 AM in response to aaplCore
Thanks for your response. Yes, it's a SonicWall.
I've already checked the logs and know exactly which host in my local network initiates these connections.
Also, using the nettop utility I discovered that it's a "trustd" process on my laptop. But as far as I understand, it's a legitimate process that checks the certificate chain.
Do you have any suggestions on what I am supposed to do next?)
aaplCore
User level: Level3 589 points
Apr 1, 2019 10:33 AM in response to repacc
The threat Ransom.DC (Trojan) that Sonic tells you about is very general and seems to belong to the Windows world. You already scanned your files with different AV tools, as you said, and they found nothing.
Maybe you downloaded some Windows software from some sites and backed it up with your Mac to iCloud Drive. During the transfer process Sonic found something suspicious in your outgoing traffic. Check that you have the latest virus definition and engine updates installed on the appliance.
If it appeared only once in the SonicWall logs, my suggestion is to forget about it, and spend the freed time with people you love.
Call your parents. :)
etresoft
User level: Level8 48,190 points
Apr 1, 2019 10:31 AM in response to repacc
repacc wrote:
Good option, but we are not ready for such kind of changes)
Then you need to consider what options you have.
Your security firewall is blocking basic security operations and flagging them as malware. You could try disabling your operating system security to clear these events. In addition to the obvious downsides of no longer having security, there may be unforeseeable consequences like 1) random failures of other operating system services that depend on these security features, and 2) reinstallation of basic operating system security during software update. However, it would not be ethical for me to tell you how to disable your operating system services, so I can’t provide instructions on this.
You can see if you can configure your security appliance to understand issues such as 1) basic networking, 2) internet networking, or 3) standard operating system security services. Realistically, this is probably your best option. Your appliance user manual or technical support can give you instructions on how to configure settings. I don’t know which exact appliance you have so I can’t provide more detailed instructions. But the goal here is to disable the non-functional security aspects of your device so that it can behave like a normal, albeit extraordinarily expensive, network router.
BobTheFisherman
User level: Level10 80,707 points
Mar 11, 2019 11:29 AM in response to repacc
Uninstall any third-party anti-virus app you have running.
etresoft
User level: Level8 48,190 points
Mar 11, 2019 2:44 PM in response to Grant Bennet-Alder
I think the question is in reference to 17.253.123.204, which is an Apple IP address.
It sounds like the OP needs to call the security appliance repair service.
etresoft
User level: Level8 48,190 points
Apr 1, 2019 9:11 AM in response to repacc
repacc wrote:
Do you have any suggestions on what I am supposed to do next?)
Put the sonic wall into the sonic trash?
Trojan detected by gateway AV from rumow2-vip-bx-004.aaplimg.com