
An IPS / IDS / UTM detects 50 connections from a single client containing the Virus/Worm EICAR test string within half an hour. The destinations are IP addresses all around the world on port TCP/8333.

A real infection shouldn't send EICAR test files, but would rather be detected as the real threat. On the other hand, no human should be voluntarily doing this either. What's happening? False positive?

Esa Jokinen

1 Answer


What's the traffic? The TCP port 8333 is used by Bitcoin cryptocurrency and VMware Server Management User Interface. Of these two, Bitcoin is the suspect as it's a peer-to-peer network.

Why would Bitcoin send out EICAR strings? The Bitcoin blockchain is distributed to every full node. In addition to money transfers, the blockchain can contain messages and files. Someone indeed has uploaded the EICAR string to the blockchain lately, and that wasn't even the first time:

  • Jan 26, 2019 9:16:13 AM, block 560154, transaction f842b99ae150...
  • Nov 27, 2016 2:13:13 AM, block 440742, transaction 4a3282204dc3...
  • EICAR is not the only virus signature that has caused false positives and harm.

Because the information on the blockchain is public, the messages aren't encrypted for confidentiality, but signed for integrity. That's why the string was sent out in plain text, exposing it for detection.

Probably the detections were concentrated within half an hour because the node had just downloaded block 560154 and, therefore, became a source for other nodes downloading the same height of the blockchain. This will happen again occasionally, when someone requests block 560154 or 440742. Or when someone repeats the prank.

Why did the IPS detect it while virus protection didn't? The EICAR test file has a strict specification:

Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

In the Bitcoin blockchain this string is in the middle of a huge file: it does not start the file and the file is not exactly 68 bytes long. An IPS on a firewall or UTM monitors the TCP packets instead of files. If there is a signature to detect this string, it can be anywhere in the TCP stream.

Esa Jokinen
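The difference the answer describes, as an added example that is not part of the original post: the strict EICAR file rule an anti-virus product applies versus a content signature matched anywhere in a TCP payload. The "block" bytes and the segment size are constructed stand-ins, not real blockchain data.

```python
# Added example, not from the original answer: contrasts the strict EICAR
# *file* rule (anti-virus) with a *stream* signature (IPS/UTM). All sample
# data is constructed; no real block or network traffic is used.

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def av_file_verdict(data: bytes) -> bool:
    """EICAR file rule quoted in the answer: the file must start with the
    68-character string and be exactly 68 bytes long."""
    return len(data) == 68 and data.startswith(EICAR)


def ips_stream_verdict(stream: bytes) -> bool:
    """IPS content signature: the string anywhere in the payload matches;
    file start and file length play no role."""
    return EICAR in stream


def ips_per_segment_verdict(segments: list[bytes]) -> bool:
    """Naive per-packet matching: misses the string when it straddles
    two TCP segments, so a real IPS needs stream reassembly to alert."""
    return any(EICAR in seg for seg in segments)


def split_segments(stream: bytes, size: int) -> list[bytes]:
    """Cut a payload into fixed-size chunks standing in for TCP segments."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


# Constructed stand-in for a block relayed on TCP/8333: 200 filler bytes
# before and after the string, so it is neither at offset 0 nor alone.
HEADER = bytes(range(0, 200))
TRAILER = bytes(range(255, 55, -1))
BLOCK_PAYLOAD = HEADER + EICAR + TRAILER


def demo() -> dict:
    # A segment boundary at byte 230 cuts the 68-byte string in two.
    segs = split_segments(BLOCK_PAYLOAD, 230)
    return {
        "av_on_eicar_file": av_file_verdict(EICAR),        # True
        "av_on_block": av_file_verdict(BLOCK_PAYLOAD),     # False
        "ips_on_block": ips_stream_verdict(BLOCK_PAYLOAD), # True
        "ips_per_segment": ips_per_segment_verdict(segs), # False
        "ips_reassembled": ips_stream_verdict(b"".join(segs)),  # True
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:18} {'ALERT' if hit else 'clean'}")
```

The anti-virus rule never fires on the block because the string is embedded mid-file, while the stream signature fires on the same bytes; the per-segment case shows why the alert depends on the sensor reassembling the TCP stream rather than inspecting packets one at a time.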