GC510P accessing malware site?

JAlcerro
Follower

Hi everyone,

 

I have a GC510P switch accessing the Internet through a Firewalla firewall, which detected that it was accessing the site 94.16.114.254 on port UDP 123 (NTP). This IP address is flagged by 7 vendors in VirusTotal as Malware.

 

I have had this setup for more than a year now, and this is the first time I get a malware flag on any Netgear products.

 

Has anyone experienced the same issue? Is there an explanation for this switch accessing this IP address?

 

Thanks for your help.

 

Best regards,

Message 1 of 2
DaneA
NETGEAR Employee Retired

Re: GC510P accessing malware site?

@JAlcerro,

 

Welcome to the community! 🙂

 

Are there any computers directly connected to the GC510P?  If yes, it is possible that one or several computers are accessing the malware site.

 

To further isolate the problem, I suggest you set up port mirroring on the GC510P.  Select one or more ports as source ports on the GC510P.  Then, select one port as the destination port on the GC510P where a computer (installed with Wireshark) is directly connected.  Run Wireshark and observe.  It would be best that Wireshark would be able to capture what occurs through the source ports (accessing the malware site).  The moment that it captures it, stop Wireshark and save the packet capture.

 

Kindly read page 387 of the GC510P user manual here on how to set up port mirroring.  You may download Wireshark from this link.  As a reference, check this link I found online on how to use Wireshark.

 

For the captured packets to be analyzed, kindly open a support ticket with NETGEAR Support here and attach the captured packets from Wireshark for it to be analyzed by the NETGEAR Support team.

 

 

Regards,  

 

DaneA

NETGEAR Community Team

Message 2 of 2
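
One way to triage the capture saved in the port-mirroring step from the reply above, as an added example that is not part of the original thread or any NETGEAR tool: it reads a classic pcap file and counts which source MAC and IP addresses sent UDP/123 to the flagged address, so the sender can be matched against the switch's own management MAC or a connected computer. The function names, MAC addresses and LAN addresses are assumptions, and the sample capture is constructed.

```python
import socket, struct
from collections import Counter

FLAGGED_IP, NTP_PORT = "94.16.114.254", 123  # address and port from the original post

def ntp_sources(pcap, dst_ip=FLAGGED_IP, port=NTP_PORT):
    """Count (source MAC, source IP) pairs that sent UDP/<port> to dst_ip."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 18:
            continue  # too short to hold an Ethernet header plus payload
        ethertype, l3 = struct.unpack("!H", frame[12:14])[0], 14
        if ethertype == 0x8100:  # 802.1Q VLAN tag, possible on mirrored ports
            ethertype, l3 = struct.unpack("!H", frame[16:18])[0], 18
        if ethertype != 0x0800 or len(frame) < l3 + 20:
            continue  # not IPv4
        ihl = (frame[l3] & 0x0F) * 4
        if frame[l3 + 9] != 17 or len(frame) < l3 + ihl + 4:
            continue  # not UDP, or truncated before the port fields
        dst = socket.inet_ntoa(frame[l3 + 16:l3 + 20])
        dport = struct.unpack("!H", frame[l3 + ihl + 2:l3 + ihl + 4])[0]
        if dst == dst_ip and dport == port:
            src = socket.inet_ntoa(frame[l3 + 12:l3 + 16])
            hits[(frame[6:12].hex(":"), src)] += 1  # source MAC names the sender
    return hits

def _frame(src_mac, src_ip, dst_ip, dport):  # constructed Ethernet/IPv4/UDP frame
    udp = struct.pack("!HHHH", 123, dport, 56, 0) + b"\x23" + bytes(47)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip + udp

def sample_pcap():
    """Constructed capture: two hypothetical LAN hosts with documentation-range MACs."""
    frames = [_frame("00:00:5e:00:53:01", "192.168.1.50", FLAGGED_IP, 123),
              _frame("00:00:5e:00:53:01", "192.168.1.50", FLAGGED_IP, 123),
              _frame("00:00:5e:00:53:02", "192.168.1.20", "192.0.2.10", 123),
              _frame("00:00:5e:00:53:02", "192.168.1.20", FLAGGED_IP, 123)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(dict(ntp_sources(sample_pcap())))
```

For a real capture, pass the file's bytes (for example `open(path, "rb").read()`) after saving it from Wireshark in pcap rather than pcapng format.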