Advanced Malware Protection (AMP) retrospect alert

SOLVED
martin-netx
Getting noticed


Is anyone else seeing quite a lot of alerts relating to a file that's been identified as malicious in retrospect at the moment?


The file looks to have come down from cdn.office.net 

Thanks

eyre-jr
Here to help

If you're talking about file i640.c2rx with sha256 d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873, yes, I'm seeing it across multiple networks currently. I'm hoping there are more details to come...

Thanks eyre-jr,


Yes the hash looks the same. Security centre reports the threat as: W32.D73298C7C8-69.SBX.VIOC

CharlieCrackle
Building a reputation

Yes, I have just seen this across many clients. When I look up the hash on VirusTotal it says item not found.

Support must be getting smashed as they are not answering....

Update: Got through to support and they are investigating, but at this point they think it is a false positive. They are going to update the banner in security center once they know.

Enviable1
Conversationalist

Does anyone have any ideas about what it is? Best I can guess is it's an O365 update.

Shigella
Conversationalist

Yes sir...seeing the same thing.  Good times.

GiacomoS
Meraki Employee

Hey team,


We are seeing some of these pop up, and are currently investigating. 

The file seems to be a recent O365 update, and we are trying to understand if this is a false positive.


Please bear with us!

Giac

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
Shotgunner71
New here

Getting hammered with this also, end users are only surfing "msn.com" for news.

Jameson
Getting noticed

We fall into the "us too" category.

SHA256: d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873
Filename: i640.c2rx
Type: Zip
Size: 1048576 bytes

URLs:
http://b.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.15601.20088/...
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.15601.20088/...


CIO1
Conversationalist

I'm getting slammed with hundreds of alerts this morning as well:


SHA256: d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873
Disposition: Malicious
Type: ZIP
Size: 1.0 MB

TierneyC
Conversationalist

Seeing 131 clients affected across multiple networks.  


Threat Name: i640.c2rx

First seen: 7:20AM EST

Size: 1048576 bytes

SHA256: d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873


MattLeMoo
Conversationalist

We also have the same issue, ticket reported straight away and at the time they didn't have other reports, looks like they are rolling in now.

cucsoi
Conversationalist

same for me today:

i640.c2rx

SHA256: d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873
Disposition: Malicious
Type: ZIP
Size: 1048576 bytes

waiting to hear good news

HaniAbuelkhair4
Getting noticed

Same here; this is not the 1st time an Office update has been considered malicious.

Anyone contacted Cisco Support?

Einstein
Getting noticed

Same......seems to be "Spreading" over our network as clients come online this morning......good times.....good times...

Update: Found this in our Defender logs at the same time as the alert from Meraki.

MLX
New here

same here too.

source [xxxx].[cdn].[office].[net]...

Coupe2112
Getting noticed

+ us too

EricI
Here to help

+us too - same file, same pattern, multiple international locations

It would be good to know what Cisco TAC know about this - hopefully a false positive, and the alternative is not very promising.

smac
Conversationalist

I'm thinking that TAC is aware, as Talos is the one flagging it, I think.  https://talosintelligence.com/sha_searches

hotfist
New here

That's a different SHA256 hash though?

ALTO_MSSP
New here

Same issue across multiple clients


JohnOzturk
New here

False positive guys. This is a Microsoft update where they used the file type C2RX which is not on the inspection list in the Meraki AMP. 


Use the URL in the alerts to search VirusTotal. VirusTotal - URL - 1a81b30aaf0e0f44b913a3a1f53d1ecd91d274b23d03cf866a4f57d32cb5f487 The hash won't work.

The article about file types in AMP is here: Advanced Malware Protection (AMP) - Cisco Meraki
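The triage steps described in this thread (pivot from the flagged SHA256 to the alert URL, check whether the download host is one of the Office CDN names seen in the alerts, and look the URL rather than the hash up on VirusTotal) can be scripted. The block below is an added example and is not code from this thread, from Meraki or from Cisco. The alert records it parses are constructed to mimic the ones posted above (the URL paths are constructed placeholders, not the real paths, which the posts truncate), and the VirusTotal URL-report identifier being the SHA-256 of the URL string is an assumption stated in the code, not something the thread confirms.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Office CDN hostnames that appear in the alert URLs posted in the thread.
# Matching is by exact label suffix so that a lookalike such as
# "cdn.office.net.example" does not qualify as a vendor host.
VENDOR_CDN_SUFFIXES = ("cdn.office.net", "officecdn.microsoft.com")

# Alert fields as posted. Copy-pasted records sometimes run the key and value
# together ("SHA256d732...", "TypeZIP"), so the colon is optional.
FIELD_RE = re.compile(
    r"^(SHA256|Filename|Disposition|Type|Size|URL|Client)\s*:?\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample records (hashes, hosts and file name are from the thread;
# the "/pr/EXAMPLE-.../" paths and client names are constructed placeholders).
SAMPLE_ALERTS = [
    "SHA256: d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873\n"
    "Filename: i640.c2rx\nType: Zip\nSize: 1048576 bytes\n"
    "URL: http://b.c2r.ts.cdn.office.net/pr/EXAMPLE-GUID/Office/Data/EXAMPLE-BUILD/i640.c2rx\n"
    "Client: host-01",
    "SHA256d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873\n"
    "DispositionMalicious\nTypeZIP\nSize1048576 bytes\n"
    "URLhttp://officecdn.microsoft.com/pr/EXAMPLE-GUID/Office/Data/EXAMPLE-BUILD/i640.c2rx\n"
    "Clienthost-02",
    "SHA256: " + "00" * 32 + "\nFilename: invoice.zip\nType: Zip\nSize: 2048 bytes\n"
    "URL: http://download.example.invalid/files/invoice.zip\nClient: host-03",
]


def parse_alert(text):
    """Turn one alert record into a dict keyed by lowercase field name."""
    return {key.lower(): value for key, value in FIELD_RE.findall(text)}


def is_vendor_cdn_host(host):
    """True only if host is one of the vendor CDN names or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in VENDOR_CDN_SUFFIXES)


def vt_url_id(url):
    """Identifier to look a URL (not its file hash) up on VirusTotal.
    Assumption, not from the thread: the URL-report id is the SHA-256 hex
    digest of the exact URL string."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def triage(alert_texts):
    """Group alerts by SHA256 and separate likely vendor-update false positives
    (every download host is a vendor CDN) from alerts that need investigation."""
    groups = defaultdict(lambda: {"clients": set(), "hosts": set(), "urls": set()})
    for text in alert_texts:
        alert = parse_alert(text)
        sha = alert.get("sha256", "").lower()
        if not sha:
            continue  # nothing to pivot on
        group = groups[sha]
        if "client" in alert:
            group["clients"].add(alert["client"])
        if "url" in alert:
            group["urls"].add(alert["url"])
            group["hosts"].add(urlsplit(alert["url"]).hostname or "")
    result = {}
    for sha, group in groups.items():
        vendor = bool(group["hosts"]) and all(is_vendor_cdn_host(h) for h in group["hosts"])
        result[sha] = {
            "client_count": len(group["clients"]),
            "hosts": sorted(group["hosts"]),
            "vt_url_ids": sorted(vt_url_id(u) for u in group["urls"]),
            # A vendor host does not prove the file benign; it tells you which
            # alerts to confirm via the URL lookup first and which to chase now.
            "verdict": "likely-vendor-update-fp" if vendor else "investigate",
        }
    return result


if __name__ == "__main__":
    for sha, info in triage(SAMPLE_ALERTS).items():
        print(sha[:12], info["client_count"], "clients", info["hosts"], info["verdict"])
```

The verdict is deliberately only a prioritisation hint: an alert whose every download host sits under a vendor CDN suffix is queued for confirmation through the URL report, while anything from an unexpected host keeps the "investigate" label regardless of how many clients it touched.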

smac
Conversationalist

I think that it is Talos that flagged the file:  https://talosintelligence.com/sha_searches  Put in the SHA and Talos has that flagged. 

AmyReyes
Community Manager

Hi folks! As @GiacomoS said, the Meraki team is aware and investigating this issue currently. You can subscribe to this post for updates, which we will share as we have them. Thank you!


ETA: I'm going to mark this as the solution for now for greater visibility. 

alankevinr
Here to help

We started receiving these alerts from 12:18 at all of our sites. Looking at the URL, we thought it could be a false positive, likely the denial of service request for SSL we had a few weeks ago..

EricI
Here to help

Is anyone aware of the effect on the Office clients - do they recover after the failed download?
Is the blocked update a Security or Feature update?

Graphit
Conversationalist

Same here. Slight panic but I'd rather have a few false positives than a single true positive 😉


Coinciding with an internet disruption made me think the worst...


LoneWolfITDEPT
New here

Been working all morning to determine where this is originating from on my network. Wish I had seen the marked as benign earlier. 

So we are safe to say it is clear. Great, now I will start working on what I intended to this morning.

Esparanza
New here

For me Meraki determined the downloads as coming from Turkey... The IP is 8.252.195.124 which is registered with a US company but this seems suspicious.


SHA256 d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873

That's a distribution node on Level3's backbone. They have endpoints all over, and are pretty much a tier 0 network.
