Hi Meraki Community,
On 2/28/18 we received an IDS alert. Below is the screen shot of the alert from the Meraki security center. What I find very confusing is that Meraki has tagged this as malicious, however it allowed it. But then I called Meraki support, and they stated that the firewall actually blocked it. They said the reason it shows allowed is they let a single packet through to scan, saw it was malicious, and then blocked the rest of the file. If that is the case, why not tag it as blocked on the dashboard?
Then it gets weirder. Today we received an email alert stating the same file has gone from an unknown to a malicious disposition. But Meraki support told me the first alert was known to be malicious and actually blocked (even though it reads allowed), so why am I now getting an alert stating that as of today it's now malicious?
Now if I go into security center here is what I see:
My gut tells me the first alert on the 28th was not blocked, but actually allowed, and now the Meraki knows it was an actual threat. HOWEVER, if that is the case, why does the alert on the 28th state Malicious?
When a file goes through, a SHA256 hash is generated. Sometimes a file's disposition is considered suspicious but not confirmed to be malware. I think this is what happened with your first log.
Then later it is confirmed to be malware. I think this is what has generated the second event log.
I think @PhilipDAth is correct. What you experienced was most likely a retrospective malware detection from the AMP engine; it probably was not blocked the first time, as you suspected, but was perhaps initially flagged as an unknown.
I don't believe Support was correct when you initially called. As @PhilipDAth mentioned, when that file originally passed through the MX a hash was created. At the time, the file was not known to be malicious so it was allowed. The original event log entry is accurate.
The alert you later received is a change in classification of the file (hence the retrospect mention). If the same file is downloaded again today, it will be blocked now that AMP knows it's malicious.
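The retrospective flow described in the replies above, worked through as an added example (not code from the thread or from Meraki): given a log of AMP file events, find which clients were allowed to download a hash before its disposition changed to malicious, which is the remediation list a retrospective alert implies. The CSV field layout, the client addresses and the hash values are constructed assumptions, not the dashboard's export format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of AMP file events: timestamp, client IP, action taken,
# disposition at that moment, SHA256 (shortened placeholder). The layout and
# values are assumptions for this example, not the Meraki export format.
SAMPLE_EVENTS = """\
2018-02-28T09:14:02Z,10.0.1.25,allowed,unknown,1111aaaa
2018-02-28T11:40:55Z,10.0.1.31,allowed,unknown,1111aaaa
2018-03-01T08:02:10Z,10.0.1.40,allowed,clean,2222bbbb
2018-03-05T14:22:09Z,-,retrospective,malicious,1111aaaa
2018-03-06T10:05:00Z,10.0.1.52,blocked,malicious,1111aaaa
"""


def parse_events(text):
    """Turn the CSV lines into dicts with a parsed timestamp, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, client, action, disposition, sha256 = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "action": action,
            "disposition": disposition, "sha256": sha256,
        })
    return sorted(events, key=lambda e: e["ts"])


def retrospective_exposure(events):
    """For each hash that later received a 'malicious' verdict, list the
    clients that were allowed to download it before that verdict existed.
    Downloads blocked after the verdict are not exposure and are skipped."""
    first_malicious = {}
    for e in events:  # events are sorted, so the first hit is the earliest verdict
        if e["disposition"] == "malicious" and e["sha256"] not in first_malicious:
            first_malicious[e["sha256"]] = e["ts"]
    exposed = defaultdict(list)
    for e in events:
        verdict_ts = first_malicious.get(e["sha256"])
        if verdict_ts and e["action"] == "allowed" and e["ts"] < verdict_ts:
            exposed[e["sha256"]].append(e["client"])
    return dict(exposed)


if __name__ == "__main__":
    for sha, clients in retrospective_exposure(parse_events(SAMPLE_EVENTS)).items():
        print(f"{sha}: allowed before the malicious verdict on {', '.join(clients)}")
```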
That is what I thought, but why would the Meraki tag it as "malicious" -- shouldn't it be "unknown", or was it tagged as malicious because it thought it was?