cancel
Showing results for 
Search instead for 
Did you mean: 

Confusion with IDS and AMP

Getting noticed

Confusion with IDS and AMP

Hi Meraki Community,

 

On 2/28/18 we received the an IDS alert. Below is the screen shot of the alert from the Meraki security center. What I find very confusing is the Meraki has tagged this as malicious, however it allowed it. But then I called Meraki support, they stated that the firewall actually blocked it. They said the reason it shows allowed is they let a single packet through to scan, saw it was malicious, and then blocked the rest of the file. If that is the case, why not tag is as blocked on the dashboard?

 

First Alert.JPG

Then it gets weirder. Today we received an email alert stating the same file has gone from an unknown to malicious deposition. But Meraki support told me the first alert was known to be malicious and actually blocked (even though it reads allowed), so why am I now getting an alert stating as of today it's now malicious.

 

Today Email.JPGNow if I go into security center here is what I see:

 

Today SC.JPG

 

My gut tells me the first alert on the 28th was not blocked, but actually allowed, and now the Meraki knows it was an actual threat. HOWEVER, if that is the case, why does the alert on the 28th state Malicious?

4 REPLIES 4
Kind of a big deal

Re: Confusion with IDS and AMP

When a file goes through a SHA256 hash is generated.  Sometimes a files disposition is considered suspicious but not confirmed to be malware.  I think this is what happened with your first log.

 

Then later it is confirmed to be malware.  I think this is what has generated the second event log.

Meraki Employee

Re: Confusion with IDS and AMP

I think @PhilipDAth is correct, what you experienced was most likely a retrospective malware detection from the AMP engine, it probably was not blocked the first time as you suspected, but was perhaps initially flagged as an unknown.

Kind of a big deal

Re: Confusion with IDS and AMP

I don't believe Support was correct when you initially called. As @PhilipDAth mentioned, when that file originally passed through the MX a hash was created. At the time, the file was not known to be malicious so it was allowed. The original event log entry is accurate. 

 

The alert you later received is a change in classification of the file (hence the retrospect mention). If the same file is downloaded again today, it will be blocked now that AMP knows it's malicious. 

MRCUR | CMNO #12
Getting noticed

Re: Confusion with IDS and AMP

That is what I thought, but why would the Meraki tag it as "malicious" -- shouldn't it be "unknown", or was it tagged as malicious because it thought it was?

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.