Safe Access High volume of alerts for 'security reasons (malicious)'


fredbert

Moderator
NAS Support
Subscriber
5,121
2,072
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
  3. RT6600ax
  4. WRX560
Operating system
  1. macOS
Mobile operating system
  1. iOS
This is a story, of sorts, about getting a noisy security alert.


Starting around 21:00 last Friday evening (28th May) I got a few and then a lot of Safe Access alerts about local devices trying to access 52.113.194.132. Checking on AbuseDB I find I'm not alone. The AbuseDB lookup indicated this destination is owned by Microsoft and people are suggesting MS Teams, as well as many reports stating the alert is from Synology router or Safe Access.

I have to use MS Teams for business and it is always accessible: any PC or mobile device can still be connected even after I 'log off' from work. It's not just my devices creating the alerts and so I find my kids have Teams for educational purposes too.

What to do? Should I create an exception to tell Safe Access to allow access to this IP address? Should I sit it out and get bombarded with alerts?

My hunch was that these are false-positives and that the IP address was incorrectly included in one of Safe Access's external databases:
  • Threat Intelligence
  • Google Safe Browsing
But what if it wasn't?

Since no-one was complaining about blocked access or an app not working I decided the safest thing to do was reduce how I get alerted but not to add an exception. In essence, sit it out.

To reduce the annoyance of email alerts: I still have FeedBin as a paid RSS aggregator (less used now I run FreshRSS) which has an email-to-feed feature. So I stopped emailing SRM notifications to an 'admin' address on my personal domain (which also forwards to FeedBin) and just sent alerts direct to FeedBin. Also I still have alerts in DS router on iOS, unless they too get frequent, but they don't.

Addressing the cause of the alerts: I periodically accessed SRM's Control Panel and manually requested updates for these two databases. For a while this didn't fix the alerts, until overnight, when the last alert was at 01:00 on 30th May... 28 hours and 112 alerts later. Since then there have been no more on this, even though devices using Teams have been used.

Looking back on AbuseDB and the reports stopped by the middle of 30th, but now two more have been raised today. My guess is that I was right and one of the databases had false information which is now fixed, but some routers haven't yet got/polled for the update.

I don't recall the built-in refresh period that SRM uses but it won't be every 15 minutes or hourly, which would be fairly standard in business. Therefore, a manual approach is needed to re-poll for updates. This way you get the latest data, however long it takes to have the fix inserted, as soon as you can.

My view is that if a suspected false-positive isn't causing havoc then it's better to have it, and the alerts (suppressed?), than to unknowingly open a hole and then find your suspicion was wrong.
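The approach in the post (keep the block rule, but stop getting one notification per hit) can be automated as an alert digest. The script below is an added example, not code from the post or from Synology: it parses a constructed notification format (the line layout is an assumption made for this example, not SRM's real log format), groups hits by blocked destination, and emits one summary line per destination with the count, the devices involved and the time span, so a 28-hour burst of 112 alerts becomes a single line to review rather than 112 emails. No allow-rule is created anywhere in it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample notifications (not real SRM output). The wording is
# modelled loosely on the "security reasons (malicious)" alert quoted in the
# post, but the exact line layout is an assumption made for this example.
SAMPLE_ALERTS = [
    "2021-05-28 21:02:10 work-pc 192.168.1.10 -> 52.113.194.132 blocked: security reasons (malicious)",
    "2021-05-28 21:17:44 work-pc 192.168.1.10 -> 52.113.194.132 blocked: security reasons (malicious)",
    "2021-05-28 22:05:01 kids-laptop 192.168.1.23 -> 52.113.194.132 blocked: security reasons (malicious)",
    "2021-05-29 08:30:15 kids-laptop 192.168.1.23 -> 52.113.194.132 blocked: security reasons (malicious)",
    "2021-05-30 01:00:00 work-pc 192.168.1.10 -> 52.113.194.132 blocked: security reasons (malicious)",
    "2021-05-29 10:12:33 tablet 192.168.1.40 -> 203.0.113.7 blocked: security reasons (malicious)",
    "garbage line that does not parse",
]

# Regex for the constructed format above: timestamp, device name, source IP,
# blocked destination IP and the reason text after "blocked:".
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<device>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"blocked: (?P<reason>.+)$"
)


def parse_alert(line):
    """Parse one notification line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    alert = m.groupdict()
    alert["ts"] = datetime.strptime(alert["ts"], "%Y-%m-%d %H:%M:%S")
    return alert


def summarise(lines):
    """Group alerts by blocked destination: hit count, devices involved, time span."""
    groups = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:          # unparseable lines are skipped, not fatal
            groups[alert["dst"]].append(alert)
    summary = {}
    for dst, alerts in groups.items():
        first = min(a["ts"] for a in alerts)
        last = max(a["ts"] for a in alerts)
        summary[dst] = {
            "count": len(alerts),
            "devices": sorted({a["device"] for a in alerts}),
            "reasons": sorted({a["reason"] for a in alerts}),
            "first": first,
            "last": last,
            "span_hours": (last - first).total_seconds() / 3600,
        }
    return summary


def digest(summary, min_count=3):
    """One line per destination, noisiest first.

    Destinations with at least min_count hits are tagged DIGEST: send this one
    line instead of one email per hit. The block rule itself is untouched; only
    the way you are told about it changes.
    """
    lines = []
    ordered = sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True)
    for dst, s in ordered:
        tag = "DIGEST" if s["count"] >= min_count else "single"
        lines.append(
            f"{dst} [{tag}] {s['count']} alert(s) from {', '.join(s['devices'])} "
            f"between {s['first']:%Y-%m-%d %H:%M} and {s['last']:%Y-%m-%d %H:%M} "
            f"({s['span_hours']:.1f} h): {'; '.join(s['reasons'])}"
        )
    return lines


if __name__ == "__main__":
    for line in digest(summarise(SAMPLE_ALERTS)):
        print(line)
```

Feeding the summary into the same email-to-feed route the post describes keeps the alerting intact while cutting the volume; the per-destination span and device list also make it easy to see, as the post did, when the burst has stopped and the database refresh has taken effect.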
