Is anyone else seeing quite a lot of alerts relating to a file that's been identified as malicious in retrospect at the moment?
The file looks to have come down from cdn.office.net
If you're talking about file i640.c2rx with sha256 d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873, yes, I'm seeing it across multiple networks currently. I'm hoping there are more details to come...
Yes, I have just seen this across many clients. When I look up the hash on VirusTotal it says item not found.
Support must be getting smashed as they are not answering....
Update: Got through to support and they are investigating, but at this point they think it is a false positive. They are going to update the banner in the security center once they know.
We are seeing some of these pop up, and are currently investigating.
The file seems to be a recent O365 update, and we are trying to understand if this is a false positive.
Please bear with us!
We fall into the "us too" category.
Size: 1048576 bytes
Same here, it looks like a false positive. Our antivirus didn't detect it, but the MX did. More info:
I'm getting slammed with hundreds of alerts this morning as well:
Seeing 131 clients affected across multiple networks.
Threat Name: i640.c2rx
First seen: 7:20AM EST
Size: 1048576 bytes
Same for me today:
Same... seems to be "spreading" over our network as clients come online this morning... good times... good times...
Update: Found this in our Defender logs at the same time as the alert from Meraki.
+1, us too: same file, same pattern, multiple international locations.
It would be good to know what Cisco TAC knows about this. Hopefully a false positive, as the alternative is not very promising.
False positive, guys. This is a Microsoft update where they used the file type C2RX, which is not on the inspection list in Meraki AMP.
Use the URL in the alerts to search VirusTotal. VirusTotal - URL - 1a81b30aaf0e0f44b913a3a1f53d1ecd91d274b23d03cf866a4f57d32cb5f487 The hash won't work.
The article about file types in AMP is here Advanced Malware Protection (AMP) - Cisco Meraki
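Added example, not code from this thread or from Meraki: a small triage helper that groups alerts by threat name and file hash, derives the VirusTotal URL identifier (the SHA-256 of the URL string, as VirusTotal's v3 API documents for URL lookups) so you look up the download URL rather than the file hash, and flags file types that are not on an assumed AMP inspection list. The alert field names, the sample URL and the inspection list are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample alert lines (not real Meraki output); the field names are assumptions.
SAMPLE_ALERTS = [
    "client=ws-101 threat=i640.c2rx sha256=d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873 url=https://cdn.office.net/example/i640.c2rx",
    "client=ws-102 threat=i640.c2rx sha256=d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873 url=https://cdn.office.net/example/i640.c2rx",
    "client=ws-103 threat=i640.c2rx sha256=d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873 url=https://cdn.office.net/example/i640.c2rx",
    "client=ws-204 threat=setup.exe sha256=0000000000000000000000000000000000000000000000000000000000000000 url=https://example.invalid/setup.exe",
]

# Hypothetical inspection list for illustration only; the real list is in the AMP article linked above.
INSPECTED_EXTENSIONS = {"exe", "dll", "msi", "pdf", "zip"}


def parse_alert(line):
    """Turn one 'key=value key=value' alert line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def vt_url_id(url):
    """VirusTotal's URL identifier is the SHA-256 of the (canonical) URL string, not of the file."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def triage(lines):
    """Group alerts by (threat, file hash); report client spread, VT URL ids and inspection status."""
    groups = defaultdict(lambda: {"clients": set(), "urls": set()})
    for line in lines:
        a = parse_alert(line)
        g = groups[(a["threat"], a["sha256"])]
        g["clients"].add(a["client"])
        g["urls"].add(a["url"])
    report = []
    for (threat, sha), g in groups.items():
        ext = threat.rsplit(".", 1)[-1].lower()
        report.append({
            "threat": threat,
            "sha256": sha,
            "clients": len(g["clients"]),
            "vt_url_ids": sorted(vt_url_id(u) for u in g["urls"]),
            # A type outside the inspection list is a hint that the file was never hashed by AMP.
            "extension_inspected": ext in INSPECTED_EXTENSIONS,
        })
    return sorted(report, key=lambda r: -r["clients"])


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

If a URL contains a query string or unusual encoding, canonicalise it the way VirusTotal does before hashing, otherwise the identifier will not match.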
We started receiving these alerts from 12:18 at all of our sites. Looking at the URL, we thought it could be a false positive, likely related to the denial of service request for SSL we had a few weeks ago.
Same here. Slight panic but I'd rather have a few false positives than a single true positive 😉
Coinciding with an internet disruption made me think the worst...
Been working all morning to determine where this is originating from on my network. Wish I had seen it marked as benign earlier.
So we are safe to say it is clear. Great, now I will start working on what I intended to this morning.
For me, Meraki determined the downloads as coming from Turkey... The IP is 220.127.116.11, which is registered with a US company, but this seems suspicious.