Confusion with IDS and AMP

LV_MW_MSP
Getting noticed

Confusion with IDS and AMP

Hi Meraki Community,

 

On 2/28/18 we received the an IDS alert. Below is the screen shot of the alert from the Meraki security center. What I find very confusing is the Meraki has tagged this as malicious, however it allowed it. But then I called Meraki support, they stated that the firewall actually blocked it. They said the reason it shows allowed is they let a single packet through to scan, saw it was malicious, and then blocked the rest of the file. If that is the case, why not tag is as blocked on the dashboard?

 

First Alert.JPG

Then it gets weirder. Today we received an email alert stating the same file has gone from an unknown to malicious deposition. But Meraki support told me the first alert was known to be malicious and actually blocked (even though it reads allowed), so why am I now getting an alert stating as of today it's now malicious.

 

Today Email.JPGNow if I go into security center here is what I see:

 

Today SC.JPG

 

My gut tells me the first alert on the 28th was not blocked, but actually allowed, and now the Meraki knows it was an actual threat. HOWEVER, if that is the case, why does the alert on the 28th state Malicious?

4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal

When a file goes through a SHA256 hash is generated.  Sometimes a files disposition is considered suspicious but not confirmed to be malware.  I think this is what happened with your first log.

 

Then later it is confirmed to be malware.  I think this is what has generated the second event log.

MerakiDave
Meraki Employee
Meraki Employee

I think @PhilipDAth is correct, what you experienced was most likely a retrospective malware detection from the AMP engine, it probably was not blocked the first time as you suspected, but was perhaps initially flagged as an unknown.

LV_MW_MSP
Getting noticed

That is what I thought, but why would the Meraki tag it as "malicious" -- shouldn't it be "unknown", or was it tagged as malicious because it thought it was?

MRCUR
Kind of a big deal

I don't believe Support was correct when you initially called. As @PhilipDAth mentioned, when that file originally passed through the MX a hash was created. At the time, the file was not known to be malicious so it was allowed. The original event log entry is accurate. 

 

The alert you later received is a change in classification of the file (hence the retrospect mention). If the same file is downloaded again today, it will be blocked now that AMP knows it's malicious. 

MRCUR | CMNO #12
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels