(Likely) False Positive from Advanced Malware Protection

SOLVED
josephcouture
New here

Not sure if anyone else is seeing this, but we've started getting alerts in from multiple networks that the local MX AMP is flagging an Apple iOS update as malware retrospectively.

File Hash: 6b9a47304497324fe40e3ccfba43bbb056c152500550849d1597fc47b4ebab35
Download Info: 2020-11-05 11:11 AM PST, by [REDACTED]
File URI / Server IP: http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-62165/F4052D84-DC41-414E-90A4-7E6E971... (17.253.31.202)
Original Disposition: Unknown

ACCEPTED SOLUTION
Meraki-MX
Meraki Employee

Re: (Likely) False Positive from Advanced Malware Protection

Hello,

We apologize for the inconvenience.

The AMP Research and Efficacy Team (RET) are aware and currently investigating the issue. The immediate issue should be fixed now. The current hash is marked clean.

Thank you.

12 REPLIES
Captain_Murphy
Conversationalist

Re: (Likely) False Positive from Advanced Malware Protection

I had this pop a few minutes ago. Based upon the URL, I would think it is a false positive as well.

jbright
Getting noticed

Re: (Likely) False Positive from Advanced Malware Protection

Ditto. I just saw this same alert from several customer networks.

Bruce
Kind of a big deal

Re: (Likely) False Positive from Advanced Malware Protection

Seeing the same thing here

JW2
New here

Re: (Likely) False Positive from Advanced Malware Protection

Same here.

npoles
New here

Re: (Likely) False Positive from Advanced Malware Protection

Same here.

It looks like there might be another for macOS updates too? I believe Apple pushed iOS, macOS, watchOS, and tvOS last night.

File Hash: 42d7434e105150eb67b63c695733710fb552b34de07c93f418814895e4144edd
File URI / Server IP: http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-72438/F3289535-A95F-4A79-BE4E-7B78AA5... (17.253.125.204)
Original Disposition: Unknown

Bruce
Kind of a big deal

Re: (Likely) False Positive from Advanced Malware Protection

Talos has labelled one of my files with detection name

W32.42D7434E10-95.SBX.TG

My understanding this is due to a detonation being detected in a Threatgrid Sandbox - probably an automated response. Hopefully the human Talos team will get on top of this soon. Hoping Apple hasn’t really resorted to pushing malware to take over the world 😀
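Bruce's reading above (a Threat Grid sandbox detonation behind a generic Talos name) is the kind of thing worth checking mechanically when the same alert lands across many networks. The Python below is an added example, not Cisco, Talos or Meraki code: it parses the detection name using an assumed layout of platform.<first 10 hex characters of the SHA-256>-<score>.SBX.<sandbox>, correlates the embedded hash prefix with the two alerts quoted in this thread, and records where the download was served from, so the analyst can see that the verdict came from a sandbox score rather than a signature. The name layout, the reading of the number as a threat score, and the cdn-apple.com host list are assumptions made for the example; the alert values are the ones posted in the thread, with the URIs truncated as shown there.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: the two retrospective AMP alerts quoted in this thread.
# The URIs are truncated exactly as the thread shows them.
ALERTS = [
    {
        "sha256": "6b9a47304497324fe40e3ccfba43bbb056c152500550849d1597fc47b4ebab35",
        "uri": "http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-62165/F4052D84-DC41-414E-90A4-7E6E971...",
        "server_ip": "17.253.31.202",
        "disposition": "Unknown",
    },
    {
        "sha256": "42d7434e105150eb67b63c695733710fb552b34de07c93f418814895e4144edd",
        "uri": "http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-72438/F3289535-A95F-4A79-BE4E-7B78AA5...",
        "server_ip": "17.253.125.204",
        "disposition": "Unknown",
    },
]

# Assumed layout of a sandbox-derived generic detection name such as
# W32.42D7434E10-95.SBX.TG: <platform>.<first 10 hex of SHA-256>-<score>.SBX.<sandbox>
# Reading the numeric part as the sandbox threat score is an assumption of this example.
DETECTION_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)\."
    r"(?P<prefix>[0-9A-Fa-f]{10})-(?P<score>\d{1,3})"
    r"\.SBX\.(?P<sandbox>[A-Z]+)$"
)

# Hosts the thread regards as the legitimate source of these downloads (assumption).
KNOWN_UPDATE_HOST_SUFFIXES = (".cdn-apple.com",)


@dataclass
class Detection:
    platform: str
    hash_prefix: str  # lower-cased, 10 hex characters
    score: int
    sandbox: str


def parse_detection(name: str):
    """Split a sandbox-style detection name into its fields; None if it is some other format."""
    m = DETECTION_RE.match(name.strip())
    if m is None:
        return None
    return Detection(m["platform"], m["prefix"].lower(), int(m["score"]), m["sandbox"])


def find_alert(det: Detection, alerts):
    """Return the alert whose SHA-256 starts with the prefix embedded in the detection name."""
    for alert in alerts:
        if alert["sha256"].lower().startswith(det.hash_prefix):
            return alert
    return None


def triage(name: str, alerts=ALERTS):
    """Correlate a detection name with its alert and note how the verdict was produced."""
    det = parse_detection(name)
    if det is None:
        return {"status": "unparsed", "detection": name}
    alert = find_alert(det, alerts)
    if alert is None:
        return {"status": "no-matching-alert", "detection": name, "hash_prefix": det.hash_prefix}
    host = urlparse(alert["uri"]).hostname or ""
    return {
        "status": "matched",
        "detection": name,
        "sha256": alert["sha256"],
        "host": host,
        "server_ip": alert["server_ip"],
        "verdict_source": f"{det.sandbox} sandbox detonation, score {det.score}",
        "original_disposition": alert["disposition"],
        "from_known_update_host": host.endswith(KNOWN_UPDATE_HOST_SUFFIXES),
        # A sandbox score on a file served from the vendor's own CDN warrants a vendor/TAC
        # check before any allow-listing; on its own it is proof in neither direction.
        "next_step": "confirm hash disposition with the vendor before allow-listing",
    }


if __name__ == "__main__":
    # "Trojan.Generic.Example" is a constructed name to show the non-matching path.
    for name in ("W32.42D7434E10-95.SBX.TG", "W32.6B9A473044-95.SBX.TG", "Trojan.Generic.Example"):
        print(triage(name))
```

The useful output is the `verdict_source` field next to `from_known_update_host`: it makes explicit that a retrospective "Malicious" came from an automated sandbox score on a file pulled from the vendor's CDN, which is the case for a hash-disposition check with the vendor rather than for switching AMP off.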

UCcert
Kind of a big deal

Re: (Likely) False Positive from Advanced Malware Protection

Same here 

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Dave2000
Conversationalist

Re: (Likely) False Positive from Advanced Malware Protection

Same alert here. First odd thing was the alert was coming from one network and the device was located on a different network. The IP address did not match that network segment. When I created a case the agent said it looks like a legit file, just disable AMP to download it... Wow... Just wow.

nkm
New here

Re: (Likely) False Positive from Advanced Malware Protection

Just received reply from Cisco Rep:

Yes, we have had this reported by our client; it is Apple's new software update that is causing these alerts, and it is a false alarm. These alerts are being generated on devices that are on iOS 14.2.

Dave2000
Conversationalist

Re: (Likely) False Positive from Advanced Malware Protection

My devices are not on 14.2.

OS Version: iOS 13.7
OS Build: 17H35

skeenster
Just browsing

Re: (Likely) False Positive from Advanced Malware Protection

Got the same notification by email. Must be a false positive?
