2nd Malware Detected - i640.c2rx

Solved
Martyrob
New here

So I got the AMP alert earlier that has been deemed False Positive but I don't see a thread regarding the one I just received for i640.c2rx

http://b.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.16227.20258/i640.c2rx 

Has anyone else seen this one as well and do we know if it's also a false positive?

1 Accepted Solution
BlakeRichardson
Kind of a big deal

Meraki have reported an issue with windows update traffic this morning.

https://status.meraki.net/incidents/66pj1lx1m4vs

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

7 Replies
triad
New here

I just got this AMP alert as well - 11:55 CST. No info on if false positive as of yet.

Martyrob
New here

When I did a search, it looks like this was a false positive last Sept. But, you know, probably better safe than sorry to see if Meraki can confirm.

StevePF
Getting noticed

I am still waiting for a reply from the Meraki Case I opened.

But it looks like a false positive according to virustotal.com. Perhaps a Windows patch that is not properly classified?

Jameson
Getting noticed

We are in the "Me too" category! Thanks for starting a separate thread.

Source Location: b.c2r.ts.cdn.office.net

File: i640.c2rx (W32.7B9E2002CA.RET.SBX.TG)

SHA256: 7b9e2002cacef4817353464f9845e294845daef8b28adeab55e76b3c8278ff18

First notification was received: 4/13/2023 11:04 AM Eastern

Jameson
Getting noticed

We have seen this filename before (i640.c2rx on 9/7/2022), but the SHA256 hash that we are getting back is different this time. Also, when I search VirusTotal for the SHA256 hash, it doesn't find anything.

When I download the file from the URL that is blocked by the FW, that file has a different SHA256 hash, which is in VirusTotal. I'm not sure what is going on.
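The mismatch Jameson describes (the dashboard's SHA256 is unknown to VirusTotal, while the file fetched from the same URL hashes to something VirusTotal does know) is worth checking mechanically rather than by eye. The helper below is an added example written for this page, not code from the thread, from Meraki or from Cisco: it re-hashes a locally fetched copy, compares it with the SHA256 in the alert, checks that the detection name's hash fragment belongs to that SHA256, and builds the public VirusTotal file URLs for both hashes. The alert fields are the ones posted in this thread; the "fetched" bytes are a constructed stand-in, and the rule that an AMP detection name carries the first ten hex digits of the hash is inferred from the single name on this page.

```python
"""Added triage helper for an AMP retrospective alert on a file you can
also fetch yourself. Example code for this page, not Meraki/Cisco tooling."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
# Observed on this page: W32.7B9E2002CA.RET.SBX.TG carries the first 10 hex
# digits of the reported SHA256. Treating that as a general naming rule is
# an assumption.
DETECTION_PREFIX = re.compile(r"^W32\.([0-9A-Fa-f]{10})\.")


@dataclass
class AmpAlert:
    source: str      # e.g. b.c2r.ts.cdn.office.net
    filename: str    # e.g. i640.c2rx
    detection: str   # e.g. W32.7B9E2002CA.RET.SBX.TG
    sha256: str      # hash shown in the dashboard alert


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def is_sha256(value: str) -> bool:
    """True if value is 64 hex characters (a plausible SHA256)."""
    return bool(HEX64.match(value))


def detection_hash_prefix(detection: str) -> Optional[str]:
    """Hash fragment embedded in the detection name, or None if absent."""
    m = DETECTION_PREFIX.match(detection)
    return m.group(1).lower() if m else None


def virustotal_url(sha256: str) -> str:
    """Public VirusTotal file page for a SHA256 (no API key required)."""
    return f"https://www.virustotal.com/gui/file/{sha256.lower()}"


def triage(alert: AmpAlert, fetched: bytes) -> Dict[str, object]:
    """Compare the alert's hash with the hash of the copy we fetched."""
    if not is_sha256(alert.sha256):
        raise ValueError(f"alert hash is not a SHA256: {alert.sha256!r}")
    alert_hash = alert.sha256.lower()
    fetched_hash = sha256_hex(fetched)
    prefix = detection_hash_prefix(alert.detection)
    return {
        "alert_sha256": alert_hash,
        "fetched_sha256": fetched_hash,
        # True only if the CDN served exactly the bytes AMP flagged.
        "same_file": fetched_hash == alert_hash,
        # Sanity check that detection name and hash belong together.
        "detection_matches_hash": prefix is not None
        and alert_hash.startswith(prefix),
        "vt_alert_hash": virustotal_url(alert_hash),
        "vt_fetched_hash": virustotal_url(fetched_hash),
    }


# Alert fields exactly as posted in this thread.
THREAD_ALERT = AmpAlert(
    source="b.c2r.ts.cdn.office.net",
    filename="i640.c2rx",
    detection="W32.7B9E2002CA.RET.SBX.TG",
    sha256="7b9e2002cacef4817353464f9845e294845daef8b28adeab55e76b3c8278ff18",
)

# Constructed stand-in for the bytes returned by the CDN URL. It is not the
# real i640.c2rx, so its hash will not match the alert.
FETCHED_SAMPLE = b"constructed placeholder for the fetched i640.c2rx\n"


def run_example() -> Dict[str, object]:
    """Triage the thread's alert against the constructed fetched bytes."""
    result = triage(THREAD_ALERT, FETCHED_SAMPLE)
    if result["same_file"]:
        print("Fetched file is the exact bytes AMP flagged:", result["vt_alert_hash"])
    else:
        print("Fetched file differs from the flagged one (possibly a different "
              "build served by the CDN); look up both hashes:")
        print(" ", result["vt_alert_hash"])
        print(" ", result["vt_fetched_hash"])
    return result


if __name__ == "__main__":
    run_example()
```

Run it against the bytes you actually downloaded in place of `FETCHED_SAMPLE`; a `same_file` of False with a VirusTotal hit only for the fetched hash reproduces the situation in the post above.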

Jameson
Getting noticed

Following up... This file is now marked as "clean" for me and is no longer appearing in the dashboard alerts. I believe this has been "resolved"
