Finding malware out of small home/office network?

Started by HardTack5, June 18, 2025, 01:35:14 AM

I suspect I have some malware running within my network. Small home office setup. < 30 devices.

Would Zenarmor help me track this down?

ZA is not an antivirus.

It can identify malware and other malicious things based on sessions. Meaning if a device in your network tries to connect to a known domain/IP that is flagged in its DB as malicious (like malware), the TCP/UDP connection will be blocked and ZA will prevent that device from connecting to such a domain.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

You may want to use an offline (bootable) scanner:

https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-offline

Or maybe this other "online" scanner

https://www.trellix.com/downloads/free-tools/stinger/

These are the two that I've used and I normally run both the bootable Defender and then the Stinger after the reboot. I also run Trellix on my production system at work with their ePolicy Orchestrator which has proven to be "pretty good" at blocking things before they get started. Probably out of scope for you, but their cloud plan might fit if it was cheap enough.

As mentioned, Zenarmor can help block the suspected thing from getting commands from the web or downloading the real payload.

Offline bootable scanner on *what* though? I've checked the PCs. I have 30 devices of various sorts: home assistants, game consoles, etc. Cellphones.

I was hoping to get a clue to point me in the right direction as to what device may be compromised (if one is). I appreciate Zenarmor isn't an AV, and I'm not expecting it to resolve the problem, but if it could tell me there is potential malicious activity from IP x.y.z on the network, that would be huge.

Quote from: Seimus on June 18, 2025, 09:51:04 AM

ZA is not an antivirus.

It can identify malware and other malicious things based on sessions. Meaning if a device in your network tries to connect to a known domain/IP that is flagged in its DB as malicious (like malware), the TCP/UDP connection will be blocked and ZA will prevent that device from connecting to such a domain.

Regards,
S.

Quote from: Greg_E on June 18, 2025, 03:20:37 PM

You may want to use an offline (bootable) scanner:

https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-offline

Or maybe this other "online" scanner

https://www.trellix.com/downloads/free-tools/stinger/

These are the two that I've used and I normally run both the bootable Defender and then the Stinger after the reboot. I also run Trellix on my production system at work with their ePolicy Orchestrator which has proven to be "pretty good" at blocking things before they get started. Probably out of scope for you, but their cloud plan might fit if it was cheap enough.

As mentioned, Zenarmor can help block the suspected thing from getting commands from the web or downloading the real payload.

Hi,

Zenarmor displays this information in the Threats report under Reports - Threats when a user generates traffic to malicious domains or IPs.

In the time you've waited, you could have scanned every scannable device. Start at the beginning and keep going; don't wait for some magic tool that will pinpoint the problem. Nobody builds time for these things into their day, we just get down to business and deal with it.

If you get down to devices that can't be scanned, start pulling them off the network one by one to try and isolate what's going on.

Also, nothing is stopping you from installing the free version of Zenarmor and looking at the Live Connections and doing some simple filtering if you see a device that you want to inspect more deeply. Look at where things are connecting, and use a web search to see if that site is a possible problem.

There are other AVs that you could try on some of the other devices, but most of the IoT stuff just isn't fixable like this. If you can reload the firmware/OS on these after backing up the config, then that might be worth doing.

Some cheap Android phones and cheap Android media players come preloaded with malware.

OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

All well and good, and I appreciate the input, but I have a *suspicion* of malware. I have no clear indicator.

What I wanted to know, which you have answered (thank you), is that Zenarmor *should* flag it if something makes a malicious connection to the internet. That will at least give me a clue.

Once I track down offending devices I know how to resolve them.

Quote from: Greg_E on June 20, 2025, 03:08:24 PM

In the time you've waited, you could have scanned every scannable device. Start at the beginning and keep going; don't wait for some magic tool that will pinpoint the problem. Nobody builds time for these things into their day, we just get down to business and deal with it.

If you get down to devices that can't be scanned, start pulling them off the network one by one to try and isolate what's going on.

Also, nothing is stopping you from installing the free version of Zenarmor and looking at the Live Connections and doing some simple filtering if you see a device that you want to inspect more deeply. Look at where things are connecting, and use a web search to see if that site is a possible problem.

There are other AVs that you could try on some of the other devices, but most of the IoT stuff just isn't fixable like this. If you can reload the firmware/OS on these after backing up the config, then that might be worth doing.

Keep in mind ZA is proactive, not reactive. If there is already malware somewhere in your network, the reactive part needs to be on you.

Depending on the type of malware, it may not even try to connect to the Internet, or it can be dormant and try to reach a remote destination later. That remote destination, however, must be in the ZA database; if it's not, ZA will not identify it.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
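To make concrete what the two replies above describe (session-based matching against a known-bad database, attributed per device, and the caveat that an unlisted destination is never flagged), here is an added illustration in Python. It is not Zenarmor's code; the threat database, session records and addresses are constructed for the example.

```python
"""Added illustration (not Zenarmor's code): session-based threat matching
attributes known-bad destinations to a LAN device, and a destination that is
missing from the threat database is never flagged, however suspicious."""
from collections import defaultdict

# Constructed threat database: destination -> category (domains and IPs).
THREAT_DB = {
    "evil-updates.example": "malware",
    "203.0.113.45": "c2",
}

# Constructed session records: (src_ip, destination, proto, dport).
SESSIONS = [
    ("192.168.1.20", "www.example.org", "tcp", 443),
    ("192.168.1.37", "evil-updates.example", "tcp", 80),
    ("192.168.1.37", "203.0.113.45", "udp", 53),
    ("192.168.1.52", "unknown-c2.example", "tcp", 8443),  # absent from DB
    ("192.168.1.20", "www.example.org", "tcp", 443),
]


def classify(session, threat_db=THREAT_DB):
    """Return ('block', category) if the destination is listed, else ('allow', None)."""
    _src, dst, _proto, _dport = session
    category = threat_db.get(dst)
    return ("block", category) if category else ("allow", None)


def threat_report(sessions, threat_db=THREAT_DB):
    """Group blocked sessions by source device, like a per-device Threats report."""
    report = defaultdict(list)
    for src, dst, proto, dport in sessions:
        verdict, category = classify((src, dst, proto, dport), threat_db)
        if verdict == "block":
            report[src].append(
                {"dst": dst, "proto": proto, "dport": dport, "category": category}
            )
    return dict(report)


def unflagged_devices(sessions, threat_db=THREAT_DB):
    """Devices never flagged: their destinations are all outside the DB, so a
    compromised host talking to an unlisted server stays silent in the report."""
    flagged = set(threat_report(sessions, threat_db))
    return sorted({s[0] for s in sessions} - flagged)


if __name__ == "__main__":
    for src, hits in threat_report(SESSIONS).items():
        print(src, hits)
    print("not flagged:", unflagged_devices(SESSIONS))
```

Note that 192.168.1.52 reaches a plausibly malicious host on an odd port yet is never flagged, which is exactly why the Live Connections view and per-device isolation still matter alongside the threat report.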

Thank you. I was always planning to go ZA on this firewall anyway (quad-core Xeon with 24 GB RAM and an Intel i350), and really this has pushed me towards finally getting it on.

Looks great so far. Not sure I need to protect my WAN NIC though; it's detecting IPv6 devices 'on the net'.

Quote from: Seimus on June 23, 2025, 12:58:15 PM

Keep in mind ZA is proactive, not reactive. If there is already malware somewhere in your network, the reactive part needs to be on you.

Depending on the type of malware, it may not even try to connect to the Internet, or it can be dormant and try to reach a remote destination later. That remote destination, however, must be in the ZA database; if it's not, ZA will not identify it.

Regards,
S.

Hi,

Zenarmor is designed to protect the LAN side of the network, but it can also be used to protect the WAN interface. For optimal security, it is recommended to use Zenarmor for LAN protection and OPNsense's IDS/IPS (Suricata) for protecting the WAN interface.

Yeah, Zenarmor could definitely help. It's pretty good at monitoring network traffic and spotting suspicious stuff. For a small setup like yours, it can give you useful insights without being too heavy. Just make sure you configure it right and keep an eye on alerts. It's not a magic fix but definitely a solid tool to add to your toolkit.