Not sure if anyone else is seeing this, but we've started getting alerts in from multiple networks that the local MX AMP is flagging an Apple iOS update as malware retrospectively.
File Hash: 6b9a47304497324fe40e3ccfba43bbb056c152500550849d1597fc47b4ebab35
Download Info: 2020-11-05 11:11 AM PST, by [REDACTED]
File URI / Server IP: http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-62165/F4052D84-DC41-414E-90A4-7E6E971... (17.253.31.202)
Original Disposition: Unknown
Hello,
We apologize for the inconvenience.
The AMP Research and Efficacy Team (RET) are aware and currently investigating the issue. The immediate issue should be fixed now. The current hash is marked clean.
Thank you.
I had this pop a few minutes ago. Based upon the URL, I would think it is a false positive as well.
Ditto. I just saw this same alert from several customer networks.
Seeing the same thing here
Talos has labelled one of my files with the detection name
W32.42D7434E10-95.SBX.TG
My understanding is that this is due to a detonation being detected in a Threat Grid sandbox, probably an automated response. Hopefully the human Talos team will get on top of this soon. Hoping Apple hasn't really resorted to pushing malware to take over the world 😀
Same here.
Same here.
It looks like there might be another for macOS updates too? I believe Apple pushed iOS, macOS, watchOS, and tvOS last night.
File Hash: 42d7434e105150eb67b63c695733710fb552b34de07c93f418814895e4144edd
File URI / Server IP: http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-72438/F3289535-A95F-4A79-BE4E-7B78AA5... (17.253.125.204)
Original Disposition: Unknown
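To show how the two indicators discussed above (the Apple CDN URI / 17.x server IP, and the Threat Grid style detection name ending in .SBX.TG) can be turned into a first-pass triage of such retrospective alerts, here is an added example that is not code from the original thread, from Cisco, or from Talos. It assumes the detection name format is "W32.<first 10 hex chars of the SHA-256>-<sandbox score>.SBX.TG" (consistent with the name and hash posted above, but an assumption) and that Apple's update CDN resolves into Apple's 17.0.0.0/8 netblock. The two alert records are copied from the thread (URIs truncated exactly as posted); the third is a constructed control case.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Apple's own netblock; both server IPs posted in the thread fall inside it.
APPLE_NETBLOCK = ipaddress.ip_network("17.0.0.0/8")
# Hostname suffix of the update URIs posted in the thread.
APPLE_CDN_SUFFIX = ".cdn-apple.com"

# ASSUMED format of the sandbox-derived Talos name:
#   W32.<first 10 hex of SHA-256>-<sandbox score>.SBX.TG
SBX_NAME = re.compile(r"^W32\.([0-9A-Fa-f]{10})-(\d{1,3})\.SBX\.TG$")


def parse_sandbox_detection(name):
    """Return the hash prefix and score encoded in a .SBX.TG name, or None."""
    m = SBX_NAME.match(name or "")
    if not m:
        return None
    return {"hash_prefix": m.group(1).lower(), "score": int(m.group(2))}


def triage(alert):
    """Classify one retrospective AMP alert as likely_false_positive, mismatch or investigate."""
    reasons = []
    host = (urlparse(alert["uri"]).hostname or "").lower()
    on_apple_cdn = host.endswith(APPLE_CDN_SUFFIX)
    try:
        in_apple_netblock = ipaddress.ip_address(alert["server_ip"]) in APPLE_NETBLOCK
    except ValueError:
        in_apple_netblock = False
    reasons.append(f"host {host!r} on Apple CDN: {on_apple_cdn}")
    reasons.append(f"server IP in 17.0.0.0/8: {in_apple_netblock}")

    # "Unknown" at download time plus a later verdict means a retrospective conviction,
    # i.e. the file was already allowed through and nothing blocked it.
    if alert.get("original_disposition", "").lower() == "unknown":
        reasons.append("retrospective: original disposition was Unknown")

    sbx = parse_sandbox_detection(alert.get("detection"))
    if sbx is not None:
        prefix_ok = alert["sha256"].lower().startswith(sbx["hash_prefix"])
        reasons.append(f"sandbox-generic name, score {sbx['score']}, "
                       f"prefix matches file hash: {prefix_ok}")
        if not prefix_ok:
            # The name refers to a different file than the one in the alert; a human should look.
            return {"verdict": "mismatch", "reasons": reasons}

    if on_apple_cdn and in_apple_netblock:
        verdict = "likely_false_positive"
    else:
        verdict = "investigate"
    return {"verdict": verdict, "reasons": reasons}


ALERTS = [
    {   # first alert from the thread (URI truncated as posted, no detection name given)
        "sha256": "6b9a47304497324fe40e3ccfba43bbb056c152500550849d1597fc47b4ebab35",
        "uri": "http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-62165/F4052D84-DC41-414E-90A4-7E6E971...",
        "server_ip": "17.253.31.202",
        "detection": None,
        "original_disposition": "Unknown",
    },
    {   # second alert from the thread, with the detection name posted in the thread
        "sha256": "42d7434e105150eb67b63c695733710fb552b34de07c93f418814895e4144edd",
        "uri": "http://updates-http.cdn-apple.com/2020FallFCS/mobileassets/001-72438/F3289535-A95F-4A79-BE4E-7B78AA5...",
        "server_ip": "17.253.125.204",
        "detection": "W32.42D7434E10-95.SBX.TG",
        "original_disposition": "Unknown",
    },
    {   # CONSTRUCTED control case, not from the thread (RFC 5737 documentation address)
        "sha256": "0" * 64,
        "uri": "http://downloads.example.test/installer.pkg",
        "server_ip": "203.0.113.7",
        "detection": "W32.0000000000-95.SBX.TG",
        "original_disposition": "Unknown",
    },
]

if __name__ == "__main__":
    for a in ALERTS:
        result = triage(a)
        print(a["sha256"][:12], result["verdict"])
        for r in result["reasons"]:
            print("   -", r)
```

This only prioritises the queue; it does not clear a file. A hostname and a 17.x address are weak evidence on their own, so the closing step is still to compare the hash against the vendor's published value or the updated disposition from Talos/RET, and never to disable AMP to get the download through.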
Same here
Same alert here. First odd thing was that the alert was coming from one network and the device was located on a different network. The IP address did not match that network segment. When I created a case the agent said it looks like a legit file, just disable AMP to download it... Wow... Just wow.
Just received reply from Cisco Rep
Yes, we have received reports from our clients that Apple's new software update is causing these alerts; it is a false alarm. These alerts are being generated on devices that are on iOS 14.2.
My devices are not on 14.2 OS.
Got the same notification by email.. Must be a false positive?