MX Malware Blocking

AVIF
Here to help

MX Malware Blocking

Is anyone else seeing large amount of Malware blocking on their MX?

W32.975C0D48C4.RET.SBX.TG

ArchiveFile

Is this a false positive related to Microsoft?

 

jcgvt
Here to help

I am seeing it too.  I believe it is a false positive - but not my call of course. 

NJNetworkGuy100
Getting noticed

We are getting a ton of these alerts as well.  

Jameson
Getting noticed

I just attempted to post about this and Meraki marked it SPAM. We are seeing thousands of these notifications (over 9000 at time of writing). Our alerts started at 10:28 AM Eastern on 4/13/2023.

 

File SHA256 hash: 975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562

We are now getting an additional file marked with different hashes. Also from [3-11].tlu.dl.delivery.mp.microsoft.com

 

W32.7F4CBDDDA2.RET.SBX.TG - SHA256: 7f4cbddda24faf170473706c062c8957d6bb422b285013c932c61e8dd4efb381

 

 

DarthKevin
Here to help

Same here.  1000+ alerts at the time of writing.

martin-netx
Getting noticed

Yeah, seeing lots of this from multiple MX networks. Virus Total does not show any vendors identifying it as malicious.

 

I notice the following relating to the file in Security Centre:

downloaded from [http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3d3c4265-57fd-450e-9bda-9fb5f4612........ So it's come from microsoft.com 

Feels like a false positive I'd say

jborgmeyer
New here

yep received the same alert

HASK2112
Conversationalist

We are seeing it also. All sites with Meraki's MX67 and MX84

richa
Conversationalist

Seeing this problem on MXs too.

 

All seems to source from Microsoft.

 

Nothing on VT suggesting it's malicious.

 

Talos website suggests low potential for malice.

 

Nothing in ThreatGrid yet to sandbox it.

richa
Conversationalist

[screenshot: richa_0-1681398332900.png]

 

Ajasinski
Conversationalist

Same here- certainly appears to be a false positive. 

Dipen
Getting noticed

Same thing; reached out to Meraki tech support... waiting for them to revert back to us with a proper explanation.

Please keep us updated 

Sure thing; normally it takes one business day for them to revert back.

vsanch62
Conversationalist

New to the company and I received this alert and it immediately scared me. Then I saw it originated from Microsoft, did a little googling and found this thread. Phew

Getting that alert saying 100s or 1000s of possible malicious downloads is certainly panic-inducing! 

Indeed, at this point we are so fed up with those emails that we took ourselves off that specific email list. LOL

TRBO_KCMO
Here to help

Glad we can all collaborate and compare so quickly in the Community. Great relief!

Jameson
Getting noticed

Just had an additional file start popping up. 

URL root is: 1d.tlu.dl.delivery.mp.microsoft.com

File: W32.0E9CF9601C.RET.SBX.TG

SHA256: 0e9cf9601c14abd31bb02adfa0986ceb78af596cbd991e6cad89fe80ea959abd

Dave
Getting noticed

Yes, I'm seeing it also.  

ConnorL
Meraki Employee
TRBO_KCMO
Here to help

This one too

 

8dea8123-fd8f-492c-9c2d-7cdfab740447

SHA256: 7f4cbddda24faf170473706c062c8957d6bb422b285013c932c61e8dd4efb381
Disposition: Clean
TITAN1212
New here

Saw this too on multiple customers. None of our AVs have found anything malicious that would relate to this alert from Meraki.

Barakaki
New here

This is not new, believe it or not.  These Windows updates were reported months ago to Meraki. I have an open ticket from months ago trying to figure this out.  Meraki on the backend is reporting these as malware, but it wasn't being reported to the dashboard and/or email alerts.  Something changed today and now it's actually reporting, so I might finally have some resolution to my open ticket.

 

How I discovered the problem is that I enabled syslog logging and sent all my logs to Papertrail.  I then set up an alert for when malware was downloaded, and I kept getting these alerts in Papertrail.  Here's the original ticket.

 

[screenshot: Barakaki_0-1681399947151.png]

 

There was never a resolution; Meraki support could not help and they said their backend team was involved with the case.  I was never able to forcibly recreate the issue, so they were never able to resolve it.  This was happening across many clients with the same error/issue.

 

Here's a sample from 2 days ago from my Papertrail app that went unreported to the dashboard and/or email alert.

 

Apr 11 10:20:04 98.151.19.171 logger <134>1 1681244404.194824387 OLGC_Firewall security_event security_filtering_file_scanned url=http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ade20ec6-c563-480b-ad73-40580d...?P1=1681245007&P2=404&P3=2&P4=X4AhVcAJt9jaRV%2fQCoOfA68Y3tgXZY4Hhvr8JWM6pe5%2fEIEDZAOWhdj0CK60cr4uGAgFEfe0%2b5r5q7kjJ%2foh3w%3d%3d src=192.168.1.192:54486 dst=209.197.3.8:80 mac=30:D1:6B:F1:7E:E7 name='' sha256=fc46caae796a5bfe5eb2a814d8f97fc91e6f710f68ca00832ccd7171fb550151 disposition=malicious action=block

 

I think my issue might finally get resolved now that it's reporting to the dashboard and/or email alerts and it's widespread.
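A small parser for the MX `security_filtering_file_scanned` syslog event quoted above, added here as an example (not code from the thread or from Meraki): it groups verdicts per SHA256 so that a later "clean" verdict for a hash that was first blocked (the retrospective change reported further down the thread) stands out from hashes that are still flagged. The sample log lines are constructed; the `disposition=clean action=allow` follow-up line is an assumption about the log format, not something shown on the page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the MX syslog format quoted in the thread (hashes and CDN
# hostnames are from the posts above, client/server addresses are documentation ranges).
# The last line is a constructed later 'clean' verdict for the i640.c2rx hash.
SAMPLE_LINES = [
    "Apr 13 10:28:01 198.51.100.10 logger <134>1 1681396081.1 Firewall security_event security_filtering_file_scanned url=http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ade20ec6?P1=1681245007&P2=404 src=192.168.1.192:54486 dst=203.0.113.8:80 mac=30:D1:6B:F1:7E:E7 name='' sha256=0e9cf9601c14abd31bb02adfa0986ceb78af596cbd991e6cad89fe80ea959abd disposition=malicious action=block",
    "Apr 13 10:29:15 198.51.100.10 logger <134>1 1681396155.2 Firewall security_event security_filtering_file_scanned url=http://b.c2r.ts.cdn.office.net/pr/i640.c2rx src=192.168.1.50:50122 dst=203.0.113.9:80 mac=30:D1:6B:F1:7E:E8 name='i640.c2rx' sha256=7b9e2002cacef4817353464f9845e294845daef8b28adeab55e76b3c8278ff18 disposition=malicious action=block",
    "Apr 13 14:05:00 198.51.100.10 logger <134>1 1681409100.4 Firewall security_event security_filtering_file_scanned url=http://b.c2r.ts.cdn.office.net/pr/i640.c2rx src=192.168.1.50:50140 dst=203.0.113.9:80 mac=30:D1:6B:F1:7E:E8 name='i640.c2rx' sha256=7b9e2002cacef4817353464f9845e294845daef8b28adeab55e76b3c8278ff18 disposition=clean action=allow",
]

# key=value fields of the event: a value is a single-quoted string (name='') or a run of
# non-space characters, so the URL keeps its whole query string in one field.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")

def parse_event(line):
    """Return the fields of one security_filtering_file_scanned event, or None otherwise."""
    if "security_filtering_file_scanned" not in line:
        return None
    fields = {k: v.strip("'") for k, v in FIELD_RE.findall(line)}
    if "sha256" not in fields or "disposition" not in fields:
        return None
    fields["host"] = urlsplit(fields.get("url", "")).hostname or ""
    return fields

def summarize(lines):
    """Group events by SHA256, keeping verdicts in log order so a retrospective change shows."""
    seen = {}  # dict keeps insertion order, so hashes come out in first-seen order
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        rec = seen.setdefault(ev["sha256"], {"hosts": set(), "verdicts": [], "blocked": 0})
        rec["hosts"].add(ev["host"])
        rec["verdicts"].append(ev["disposition"])
        rec["blocked"] += 1 if ev.get("action") == "block" else 0
    return seen

def triage(summary):
    """Map each SHA256 to 'still_malicious', 'retro_clean' or 'clean' from its latest verdict."""
    out = {}
    for sha, rec in summary.items():
        if rec["verdicts"][-1] == "malicious":
            out[sha] = "still_malicious"
        elif "malicious" in rec["verdicts"]:
            out[sha] = "retro_clean"
        else:
            out[sha] = "clean"
    return out
```

Feeding a syslog export through `summarize` and `triage` gives one row per hash with its source CDN host and block count, which is the view needed to decide whether an alert storm is many hosts fetching one update or genuinely distinct files.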

molan
Here to help

Ya, looking at the timeline in my security tools on one of the devices supposedly affected, there is nothing going on except for attempts at Windows updates.

 

[screenshot: 2023-04-13 09_40_57-Device - Microsoft 365 security - Brave.png]

 

So unless MS is compromised, this is almost certainly a false positive.

Barakaki
New here

Where did my post go?


Dipen
Getting noticed

Here's what we got from Meraki Support:

 

Greetings,

Thank you for contacting Cisco Meraki Technical Support.

I would like to inform you that we are aware of the recent issue where a Microsoft update is being flagged as malicious by the AMP service on the MX platform. Our development team has been alerted and is currently investigating the matter. For updates on the progress of the investigation, please refer to this link: https://community.meraki.com/t5/Security-SD-WAN/MX-Malware-Blocking/m-p/191266#M44553. We will keep this thread updated as soon as we have more information on whether this is a false positive or not.



Thanks,

Jason Wu
Cisco Meraki Technical Support

Dipen
Getting noticed


That one is from 2019.

 

HaniAbuelkhair4
Getting noticed

[screenshot: HaniAbuelkhair4_1-1681401535773.png]

 

ClockN
Conversationalist

Had thousands of these this morning. Every Windows machine sending through the firewall.

 

TRBO_KCMO
Here to help

We're still incrementing

[screenshot: HaniAbuelkhair4_1-1681403847437.png]

 

HaniAbuelkhair4
Getting noticed

[screenshot: HaniAbuelkhair4_0-1681403833587.png]

 

Jameson
Getting noticed

We are now getting a new alert for the below file. Anybody else?


Source Location: b.c2r.ts.cdn.office.net

File: i640.c2rx (W32.7B9E2002CA.RET.SBX.TG)

SHA256: 7b9e2002cacef4817353464f9845e294845daef8b28adeab55e76b3c8278ff18

Same here Jameson

We are also following this new issue on this post: 2nd Malware Detected - i640.c2rx - The Meraki Community

Jameson
Getting noticed

Wanted to follow up here to see if others are experiencing the same thing we are. (tagging @ConnorL from Meraki)

 

Meraki marked the issue as "Resolved" on this post [RESOLVED] Security Center False Positive Alert - April 13th 2023 - The Meraki Community

 

However, we have had a total of 3 files that triggered Malware alerts today. So far 2 of the 3 are showing as "Clean" in the dashboard. 

 

Ultimately, I'm trying to determine if this "resolution" is for all of the files or just the two currently marked as "clean"?

 

File 1: [CLEAN] W32.7F4CBDDDA2.RET.SBX.TG - 7f4cbddda24faf170473706c062c8957d6bb422b285013c932c61e8dd4efb381


File 2: [MALICIOUS] W32.0E9CF9601C.RET.SBX.TG -  0e9cf9601c14abd31bb02adfa0986ceb78af596cbd991e6cad89fe80ea959abd


File 3: [CLEAN] i640.c2rx (W32.7B9E2002CA.RET.SBX.TG) -- 7b9e2002cacef4817353464f9845e294845daef8b28adeab55e76b3c8278ff18

Following up.. All 3 files are now marked as clean and have fallen out of my alerts. For me, this issue appears to be completely "resolved".

TRBO_KCMO
Here to help

Yep. It went completely retrospectively clean. It's a good day after all.
