
DCS_Updater.exe gets blocked by Palo Alto Cortex XDR


Solved by Wizard1393

Recommended Posts

Posted (edited)

Palo Alto Cortex XDR-protection software blocks DCS_Updater.exe stating it performs host sweeps and tries to connect to malicious IP. I’d advise ED to contact Palo Alto and straighten this out.

This is the exact block reason message:

Performed a host sweep | High
Once a system is compromised, the attacker often attempts to discover other systems on the network to target. One technique for finding these systems is to perform a host sweep, which involves sending specially crafted packets to each IP address in the subnet to discover and identify the addressed system.

Connected to a malicious IP | High
Malware authors often reuse malicious IP names across multiple pieces of malware. It is common to find a known malicious IP used in an otherwise unknown piece of malware.

GPU: PALIT NVIDIA RTX 3080 10GB | CPU: Intel Core i7-9700K 4,9GHz | RAM: 64GB DDR4 3000MHz
VR: HP Reverb G2 | HOTAS: TM Warthog Throttle and Stick
OS: Windows 10 22H2

Posted
3 hours ago, maximov said:

You have two options: delete dcs_updater.exe (and the entire simulator) or exclude the DCS folder for your antivirus to check.

Ok… To be fair, it’s an answer, not a reassuring one, but an answer. Excluding it is not an option in this case, out of my reach. Would you care to explain why Palo Alto thinks your software connects to malicious IPs?

I’m thinking it might be good to contact them if your IP series is falsely tagged as malicious.

Posted
17 hours ago, chrisofsweden said:

Ok… To be fair, it’s an answer, not a reassuring one, but an answer. Excluding it is not an option in this case, out of my reach. Would you care to explain why Palo Alto thinks your software connects to malicious IPs?

I’m thinking it might be good to contact them if your IP series is falsely tagged as malicious.

A couple of possibilities. One is the IP of the download server has been marked malicious because it is in a subnet range of hosts that were flagged. Like blowing up an entire neighborhood because one house was selling drugs. Another is the IP itself has been flagged because of geolocation. With all the BS hacking in the world it could be this. Whoever manages your router needs to see if it is being blocked because of geolocation. Again this is calling out one place because of where the IP originates. There are many countries that are suggested to block, but exceptions can surely be made. Lastly, the DCS updater downloads hundreds of files in packs and it could be auto-flagged by the Palo Alto device.

AKA_SilverDevil Join AKA Wardogs Email Address My YouTube

“The MIGS came up, the MIGS were aggressive, we tangled, they lost.”

- Robin Olds - An American fighter pilot. He was a triple ace.

The only man to ever record a confirmed kill while in glide mode.
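The two explanations above (the vendor text describing a host sweep, and the point that an updater pulling hundreds of files in packs from one range can look like one) can be checked against connection logs. This is an added example, not code from the thread or from Palo Alto or ED: it counts distinct destinations per /24 for each source host, then suppresses ranges covered by an allowlist of publisher-owned CIDRs. The log lines, the hosts and the 203.0.113.0/24 allowlist entry are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events: (timestamp, src, dst, dst_port). Not real traffic.
# 10.0.0.5 is an updater client fetching many files from a download range;
# 10.0.0.9 is a host touching many neighbours on port 445 (sweep-like).
EVENTS = [("10:00:%02d" % i, "10.0.0.5", "203.0.113.%d" % (i + 1), 443) for i in range(40)]
EVENTS += [("10:05:%02d" % i, "10.0.0.9", "10.0.0.%d" % (i + 1), 445) for i in range(30)]
EVENTS += [("10:06:00", "10.0.0.7", "198.51.100.20", 443)]  # ordinary single connection

# Placeholder: CIDRs the publisher has confirmed as its own download infrastructure.
PUBLISHER_CIDRS = ["203.0.113.0/24"]


def host_sweep_candidates(events, threshold=20):
    """Return {src: {"/24 network": distinct_dst_count}} for every source that
    contacted at least `threshold` distinct IPs inside a single /24.  This is the
    shape of a host-sweep heuristic; it does not know why the host did it."""
    seen = defaultdict(lambda: defaultdict(set))
    for _ts, src, dst, _port in events:
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        seen[src][net].add(dst)
    out = {}
    for src, nets in seen.items():
        hits = {str(net): len(ips) for net, ips in nets.items() if len(ips) >= threshold}
        if hits:
            out[src] = hits
    return out


def triage(candidates, allowlist):
    """Split candidates into (suppressed, escalate).  A swept /24 that lies fully
    inside a publisher-owned CIDR is treated as a likely false positive (bulk
    download); anything else stays an alert for a human to look at."""
    allowed = [ipaddress.ip_network(c) for c in allowlist]
    suppressed, escalate = {}, {}
    for src, nets in candidates.items():
        for net_str, count in nets.items():
            net = ipaddress.ip_network(net_str)
            bucket = suppressed if any(net.subnet_of(a) for a in allowed) else escalate
            bucket.setdefault(src, {})[net_str] = count
    return suppressed, escalate


if __name__ == "__main__":
    cands = host_sweep_candidates(EVENTS)
    quiet, loud = triage(cands, PUBLISHER_CIDRS)
    print("suppressed (publisher range):", quiet)
    print("escalate:", loud)
```

The allowlist is the per-environment exception a router or XDR admin would add; the threshold is arbitrary and should be tuned to the network.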

Posted

Excellent answer silverdevil. Idk how this works in reality, but wouldn't ED be able to contact Palo Alto and basically say, "Hey we have this IP now and we're not malicious, we're a software company that develops the world's most popular combat flight simulator. Please remove us from your malicious IP list, or at least OUR specific IP addresses in that range." ?

Posted
1 hour ago, chrisofsweden said:

Excellent answer silverdevil. Idk how this works in reality, but wouldn't ED be able to contact Palo Alto and basically say, "Hey we have this IP now and we're not malicious, we're a software company that develops the world's most popular combat flight simulator. Please remove us from your malicious IP list, or at least OUR specific IP addresses in that range." ?

I am a sysadmin for a defense contractor. This comes up a lot. Normally the exception would be added at the router. Every router admin would need to make the decision for themselves and their environment. Palo Alto allowing it for all routers would not be likely; not everyone needs DCS allowed. But you can also try to install a VPN software that may get you through it. That is probably what DCS support will give you as a possible solution.

Posted

Well, since the IP in question can be confirmed as being owned by a legitimate commercial entity, there shouldn't be any problems with whitelisting it. Not everyone needs DCS, but as long as ED owns the IP, nobody needs to block it, since there's no chance of any malware coming from there unless the whole company is compromised (and if that ever happens, IPs in question can be quickly blacklisted by hand). It's highly unlikely that it was blocked for a legitimate reason.

Posted

Support ticket submitted. I’ll try my best to supply any more info as needed if requested. Thanks all.

  • Solution
Posted

Update: After reaching out to Palo Alto regarding this issue, requesting review, they have now removed the malicious tag on the executable and the IP addresses/range that DCS_updater.exe communicates with.