IDS Alarms indicating Trojan Checkin

I installed a new router about 2 months ago (Unifi UDM-Pro). Recently I’ve been getting alerts related to Trojan checkins from an IP that appears to be on a Blizzard netblock.

| Threat Management Alert 1: A Network Trojan was Detected. Signature ET TROJAN Netwire RAT Check-in. From: 24.105.35.225:3724, to: 192.168.0.130:55751, protocol: TCP | 4:56 pm | 11/11/2020 |
| Threat Management Alert 1: A Network Trojan was Detected. Signature ET TROJAN Netwire RAT Check-in. From: 24.105.37.58:3724, to: 192.168.0.130:49628, protocol: TCP | 10:54 pm | 11/09/2020 |

Is this something I should whitelist?

I am getting the same message.

Close the battle.net client when you don’t need it. That is probably what is talking to Blizzard. My UDM Pro gives the same trigger.

I’m also on a UDM Pro and getting the same alerts. I whitelisted it.

I got the same thing, while in a dungeon 4 days in a row it would lag me out at around 6pm, and I’d hit loading screens on that toon (could log in other toons) for a few minutes. (on a usg-pro-4) Didn’t know what it was till I looked at the logs.

I have now whitelisted Both / Subnet / 24.105.32.0/21 on the Threat Management Allow List… as I think that covers their IPs, not sure if this is right or not… maybe a network guru can chime in

I’ve been frustrated for the last month over (very) random lockups during dungeons. I can still see chat and boss moves, but I can’t do anything. I can’t exit the game without a hard Alt-F4.

It took too long to figure out it was Snort IDS triggering the same as mentioned in this thread. I couldn’t log back in until I removed the block, then it immediately worked.

The source IP:port for me was 34.123.213.250:3724. Description is “ET TROJAN Netwire RAT Check-in”

Yup, I’m getting this on my USG Pro as well. Whitelisted a couple of known Blizzard subnets, but I’m still getting blocks on IPs - coming from Google oddly enough. Smells like analytics collection, but it’s weird it kills my game-world connection.

Also getting same, Source IP is 35.222.66.32:3724. Been getting a few hard DCs over the past couple of weeks. Blizzard what is this?
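Added example, not part of any post in this thread: a small Python check of which alert sources reported above fall inside the 24.105.32.0/21 allow-list entry one poster added, and which would still trip the signature. The function names are hypothetical, and the last two alert lines are constructed from the source IP:port pairs quoted in later posts (their destination values are placeholders).

```python
import ipaddress
import re

# First two alerts are quoted from the thread. The last two are constructed
# from the source IP:port pairs in later posts; their "to:" values are made up.
ALERTS = [
    "Signature ET TROJAN Netwire RAT Check-in. From: 24.105.35.225:3724, to: 192.168.0.130:55751, protocol: TCP",
    "Signature ET TROJAN Netwire RAT Check-in. From: 24.105.37.58:3724, to: 192.168.0.130:49628, protocol: TCP",
    "Signature ET TROJAN Netwire RAT Check-in. From: 34.123.213.250:3724, to: 192.168.0.130:50000, protocol: TCP",
    "Signature ET TROJAN Netwire RAT Check-in. From: 35.222.66.32:3724, to: 192.168.0.130:50001, protocol: TCP",
]
ALLOW_LIST = ["24.105.32.0/21"]  # the subnet one poster added to the allow list

ALERT_RE = re.compile(
    r"Signature (?P<sig>.+?)\. From: (?P<src>[\d.]+):(?P<sport>\d+), "
    r"to: (?P<dst>[\d.]+):(?P<dport>\d+), protocol: (?P<proto>\w+)"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {
        "sig": m["sig"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
    }

def audit(alerts, allow_list):
    """Split alert source IPs into those an allow entry covers and those it misses."""
    nets = [ipaddress.ip_network(cidr) for cidr in allow_list]  # rejects host bits set
    covered, uncovered = {}, []
    for line in alerts:
        alert = parse_alert(line)
        if alert is None:
            continue
        net = next((n for n in nets if alert["src"] in n), None)
        if net is not None:
            covered[str(alert["src"])] = str(net)
        else:
            uncovered.append(str(alert["src"]))
    return covered, uncovered

if __name__ == "__main__":
    covered, uncovered = audit(ALERTS, ALLOW_LIST)
    for cidr in ALLOW_LIST:
        n = ipaddress.ip_network(cidr)
        print(f"{cidr}: {n[0]} - {n[-1]} ({n.num_addresses} addresses in range)")
    print("covered:", covered)
    print("still alerting:", uncovered)
```

Running the same audit against an exported alert list shows how wide each allow entry is and which sources it leaves uncovered before any further ranges are added.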

Getting this too. What have they started doing in Shadowlands that is tripping IPS???

Upgrade your UDM firmware. These alerts were due to a bug in the threat management on your end, not with Blizzard.

Still getting this after the last USG firmware update.

I’m also getting these alerts. Does anyone know if Blizzard has a list of their known subnets anywhere? I’m having some trouble finding anything.

Hello everyone!

We are unable to assist with third-party software/hardware. For assistance with security alerts provided by Unifi UDM-Pro, please contact the device/software provider. The most likely case is a false positive that needs to be reported to their team.

Wish we had a more direct solution here but I do hope the info helps. If there’s anything else you might need just let us know.