(Likely) False Positive from Advanced Malware Protection

Solved
josephcouture
New here

Not sure if anyone else is seeing this, but we've started getting alerts from multiple networks that the local MX AMP is flagging an Apple iOS update as malware retrospectively.

File Hash: 6b9a47304497324fe40e3ccfba43bbb056c152500550849d1597fc47b4ebab35
Download Info: 2020-11-05 11:11 AM PST, by [REDACTED]
File URI / Server IP: http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-62165/F4052D84-DC41-414E-90A4-7E6E971... (17.253.31.202)
Original Disposition: Unknown

Accepted Solution
Meraki-MX
Meraki Employee

Hello,

We apologize for the inconvenience.

The AMP Research and Efficacy Team (RET) are aware and currently investigating the issue. The immediate issue should be fixed now. The current hash is marked clean.

Thank you.

12 Replies
Captain_Murphy
Here to help

I had this pop a few minutes ago. Based upon the URL, I would think it is a false positive as well.

jbright
A model citizen

Ditto. I just saw this same alert from several customer networks.

Bruce
Kind of a big deal

Seeing the same thing here

Bruce
Kind of a big deal

Talos has labelled one of my files with the detection name

W32.42D7434E10-95.SBX.TG

My understanding is that this is due to a detonation being detected in a Threat Grid sandbox, probably an automated response. Hopefully the human Talos team will get on top of this soon. Hoping Apple hasn't really resorted to pushing malware to take over the world 😀

JW2
New here

Same here.

npoles
New here

Same here.

It looks like there might be another for macOS updates too? I believe Apple pushed iOS, macOS, watchOS, and tvOS last night.

File Hash: 42d7434e105150eb67b63c695733710fb552b34de07c93f418814895e4144edd
File URI / Server IP: http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-72438/F3289535-A95F-4A79-BE4E-7B78AA5... (17.253.125.204)
Original Disposition: Unknown

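The two retrospective alerts in this thread (the original post and the one above) and the Talos sandbox name Bruce quoted share a pattern worth checking mechanically before anyone touches the AMP setting. The script below is an added example written for this page, not code from Meraki, Cisco or any poster. It assumes a simple alert record built from the fields shown in the thread, an operator-maintained allowlist of vendor update hosts, and that a `W32.<hex>-<n>.SBX.TG` name carries the first ten hex characters of the file's SHA-256 followed by a sandbox threat score; that last reading of the name format is an assumption made for the example, not something the thread states.

```python
import re
from urllib.parse import urlsplit

# Constructed alert records using the hashes, URIs and IPs posted in this thread.
# The URIs are truncated with "..." exactly as they appear in the posts.
ALERTS = [
    {
        "network": "site-a",
        "sha256": "6b9a47304497324fe40e3ccfba43bbb056c152500550849d1597fc47b4ebab35",
        "uri": "http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-62165/F4052D84-DC41-414E-90A4-7E6E971...",
        "server_ip": "17.253.31.202",
        "original_disposition": "Unknown",
    },
    {
        "network": "site-b",
        "sha256": "42d7434e105150eb67b63c695733710fb552b34de07c93f418814895e4144edd",
        "uri": "http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-72438/F3289535-A95F-4A79-BE4E-7B78AA5...",
        "server_ip": "17.253.125.204",
        "original_disposition": "Unknown",
    },
]

# Assumed allowlist of vendor update hosts; an operator would maintain their own list.
TRUSTED_UPDATE_HOSTS = {
    "updates-http.cdn-apple.com",
    "updates.cdn-apple.com",
}

# Assumed layout of a sandbox detection name: W32.<first 10 hex of SHA-256>-<score>.SBX.TG
SANDBOX_NAME_RE = re.compile(r"^W32\.([0-9A-Fa-f]{10})-(\d{1,3})\.SBX\.TG$")


def parse_sandbox_name(name):
    """Return (hash_prefix_lowercase, score) or None when the name is not sandbox-style."""
    match = SANDBOX_NAME_RE.match(name.strip())
    if not match:
        return None
    return match.group(1).lower(), int(match.group(2))


def host_of(uri):
    """Hostname of the download URI, lower-cased, or '' if it cannot be parsed."""
    return (urlsplit(uri).hostname or "").lower()


def triage(alert, detection_name=None):
    """Classify one retrospective alert for analyst attention.

    'likely_false_positive' means the file came from an allowlisted vendor update host
    and was only convicted retrospectively (original disposition Unknown); it is a
    triage priority, not a final verdict, so the hash still gets confirmed upstream.
    """
    reasons = []
    host = host_of(alert["uri"])
    trusted = host in TRUSTED_UPDATE_HOSTS
    retrospective = alert["original_disposition"].lower() == "unknown"
    if trusted:
        reasons.append(f"download host {host} is an allowlisted vendor update host")
    if retrospective:
        reasons.append("retrospective conviction: original disposition was Unknown")

    # Correlate a quoted sandbox detection name with this alert's hash, if one was given.
    matches = None
    if detection_name:
        parsed = parse_sandbox_name(detection_name)
        if parsed:
            prefix, score = parsed
            matches = alert["sha256"].lower().startswith(prefix)
            reasons.append(
                f"sandbox name {detection_name} (score {score}) "
                + ("matches" if matches else "does not match")
                + " this file's SHA-256"
            )

    verdict = "likely_false_positive" if trusted and retrospective else "investigate"
    return {
        "network": alert["network"],
        "sha256": alert["sha256"],
        "host": host,
        "verdict": verdict,
        "detection_matches_hash": matches,
        "reasons": reasons,
    }


def correlate(alerts, detection_name):
    """Return the SHA-256 values among `alerts` that a sandbox detection name refers to."""
    return [a["sha256"] for a in alerts if triage(a, detection_name)["detection_matches_hash"]]


if __name__ == "__main__":
    for alert in ALERTS:
        result = triage(alert, "W32.42D7434E10-95.SBX.TG")
        print(result["network"], result["verdict"])
        for reason in result["reasons"]:
            print("  -", reason)
```

Run as-is it prints both alerts as `likely_false_positive` and shows that the quoted Talos name lines up with the second hash only (its first ten characters are `42d7434e10`). The allowlist check is what turns a pile of identical alerts into one question for the vendor; it is deliberately not a reason to switch AMP off, which is the shortcut the thread later complains about.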
DarrenOC
Kind of a big deal

Same here

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Dave2000
Here to help

Same alert here. First odd thing was the alert was coming from one network and the device was located on a different network. The IP address did not match that network segment. When I created a case the agent said it looks like a legit file, just disable AMP to download it... Wow... Just wow.

nkm
New here

Just received a reply from the Cisco rep:

Yes, we have had reports from our clients that it is Apple's new software update that is causing these alerts; it is a false alarm. These alerts are being generated on devices that are on iOS 14.2.

Dave2000
Here to help

My devices are not on 14.2.

OS Version: iOS 13.7
OS Build: 17H35
skeenster
Comes here often

Got the same notification by email... Must be a false positive?
