I'm wondering if anyone else has run across this problem before. I have been noticing that my Hyper-V servers have been triggering the Meraki IDS system periodically when they replicate over the WAN. When I inspected the packets that triggered the IDS it was full of what appeared to be some sort of malware. I was initially very nervous, but it just didn't seem to add up and probably wasn't what it appeared to be. After further investigation I discovered that the IDS alerts would trigger just a few minutes after a Windows Defender update on one of my virtual machines. The Windows Defender definition updates on a virtual machine would trigger replication, and then the Meraki IDS would intercept the replication packets over port 80 and block it. I decided to configure replication to happen over 443 instead of 80 and now the IDS alerts have stopped.
Has anyone else seen this happen before? Meraki support says that they have never heard of this happening. I can't think I'm the only one.