(Likely) False Positive from Advanced Malware Protection
Not sure if anyone else is seeing this, but we've started getting alerts from multiple networks that the local MX AMP is retrospectively flagging an Apple iOS update as malware.
File Hash: 6b9a47304497324fe40e3ccfba43bbb056c152500550849d1597fc47b4ebab35
Download Info: 2020-11-05 11:11 AM PST, by [REDACTED]
File URI / Server IP: http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-62165/F4052D84-DC41-414E-90A4-7E6E971... (17.253.31.202)
Original Disposition: Unknown
Hello,
We apologize for the inconvenience.
The AMP Research and Efficacy Team (RET) are aware and currently investigating the issue. The immediate issue should be fixed now. The current hash is marked clean.
Thank you.
I had this pop a few minutes ago. Based upon the URL, I would think it is a false positive as well.
Ditto. I just saw this same alert from several customer networks.
Seeing the same thing here
Talos has labelled one of my files with detection name W32.42D7434E10-95.SBX.TG
My understanding is that this is due to a detonation being detected in a Threatgrid Sandbox, probably an automated response. Hopefully the human Talos team will get on top of this soon. Hoping Apple hasn't really resorted to pushing malware to take over the world 😀
Same here.
Same here.
It looks like there might be another for macOS updates too? I believe Apple pushed iOS, macOS, watchOS, and tvOS last night.
File Hash: 42d7434e105150eb67b63c695733710fb552b34de07c93f418814895e4144edd
File URI / Server IP: http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-72438/F3289535-A95F-4A79-BE4E-7B78AA5... (17.253.125.204)
Original Disposition: Unknown
Same here
https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Same alert here. The first odd thing was that the alert was coming from one network while the device was located on a different network. The IP address did not match that network segment. When I created a case, the agent said it looks like a legit file, just disable AMP to download it... Wow... Just wow.
Just received a reply from a Cisco rep:
Yes, it has been reported to us by our client that it is Apple's new software update that is causing these alerts; it is a false alarm. These alerts are being generated on devices that are on iOS 14.2.
My devices are not on iOS 14.2.
Got the same notification by email. Must be a false positive?