MX Malware Blocking
Is anyone else seeing a large amount of Malware blocking on their MX?
W32.975C0D48C4.RET.SBX.TG
ArchiveFile
Is this a false positive related to Microsoft?
Labels: Firewall
I am seeing it too. I believe it is a false positive - but not my call of course.
We are getting a ton of these alerts as well.
I just attempted to post about this and Meraki marked it SPAM. We are seeing thousands of these notifications (over 9000 at time of writing). Our alerts started at 10:28 AM Eastern on 4/13/2023.
File SHA256 hash: 975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562
We are now getting an additional file marked with different hashes. Also from [3-11].tlu.dl.delivery.mp.microsoft.com
W32.7F4CBDDDA2.RET.SBX.TG - SHA256: 7f4cbddda24faf170473706c062c8957d6bb422b285013c932c61e8dd4efb381
Same here. 1000+ alerts at the time of writing.
Yeah, seeing lots of this from multiple MX networks. Virus Total does not show any vendors identifying it as malicious.
I notice the following relating to the file in Security Centre:
downloaded from [http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3d3c4265-57fd-450e-9bda-9fb5f4612........ So it's come from microsoft.com
Feels like a false positive I'd say
yep received the same alert
We are seeing it also. All sites with Meraki's MX67 and MX84
Seeing this problem on MXs too.
All seems to source from Microsoft.
Nothing on VT suggesting it's malicious.
Talos website suggests low potential for malice.
Nothing in ThreatGrid yet to sandbox it.
Same here- certainly appears to be a false positive.
Same thing; reached out to Meraki tech support... waiting for them to revert back to us with a proper explanation.
Please keep us updated
Sure thing; normally it would take one business day for them to revert back.
New to the company; I received this alert and it immediately scared me. Then I saw it originated from Microsoft, did a little googling and found this thread. Phew.
Getting that alert saying 100s or 1000s of possible malicious downloads is certainly panic-inducing!
Indeed, at this point we are so fed up with those emails that we took ourselves off that specific email list. LOL
Glad we can all collaborate and compare so quickly in the Community. Great relief!
Just had an additional file start popping up.
URL root is: 1d.tlu.dl.delivery.mp.microsoft.com
File: W32.0E9CF9601C.RET.SBX.TG
SHA256: 0e9cf9601c14abd31bb02adfa0986ceb78af596cbd991e6cad89fe80ea959abd
Yes, I'm seeing it also.
Follow along on this thread for updates: https://community.meraki.com/t5/Meraki-Service-Notices/Security-Center-False-Positive-Alert-April-13...
This one too
8dea8123-fd8f-492c-9c2d-7cdfab740447
Saw this too on multiple customers. None of our AVs have found anything malicious that would relate to this alert from Meraki.
This is not new, believe it or not. These Windows updates were reported to Meraki months ago. I have an open ticket from months ago trying to figure this out. Meraki on the backend is reporting these as malware, but it wasn't being reported to the dashboard and/or email alerts. Something changed today and now it's actually reporting, so I might finally have some resolution to my open ticket.
How I discovered the problem is that I enabled syslog logging and sent all my logs to Papertrail. I then set up an alert for when malware was downloaded, and I kept getting these alerts in Papertrail. Here's the original ticket.
There was never a resolution; Meraki support could not help, and they said their backend team was involved with the case. I was never able to forcibly recreate the issue, so they were never able to resolve it. This was happening across many clients with the same error/issue.
Here's a sample from 2 days ago from my Papertrail app that went unreported to the dashboard and/or email alert.
Apr 11 10:20:04 98.151.19.171 logger <134>1 1681244404.194824387 OLGC_Firewall security_event security_filtering_file_scanned url=http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ade20ec6-c563-480b-ad73-40580d...?P1=1681245007&P2=404&P3=2&P4=X4AhVcAJt9jaRV%2fQCoOfA68Y3tgXZY4Hhvr8JWM6pe5%2fEIEDZAOWhdj0CK60cr4uGAgFEfe0%2b5r5q7kjJ%2foh3w%3d%3d src=192.168.1.192:54486 dst=209.197.3.8:80 mac=30:D1:6B:F1:7E:E7 name='' sha256=fc46caae796a5bfe5eb2a814d8f97fc91e6f710f68ca00832ccd7171fb550151 disposition=malicious action=block
I think my issue might finally get resolved now that it's reporting to the dashboard and/or email alerts and it's widespread.
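The syslog pipeline this post describes (MX security events forwarded to a log aggregator, alert on `disposition=malicious`) is also the right place to de-duplicate and triage a flood like this one. The following is an added example, not Meraki's code and not anything posted in the thread: it parses the `security_filtering_file_scanned` key=value format from the one line quoted above, collapses events to one row per SHA-256, and classifies each hash against the four hashes the thread later reports as marked clean. The field layout is assumed from that single quoted line; the sample lines after the first, the RFC 5737 addresses, the placeholder file ids and hashes, and the verdict labels are constructed for this example.

```python
"""Triage Cisco Meraki MX 'security_filtering_file_scanned' syslog events.

Added example, not Meraki's code: the key=value layout is assumed from the
single line quoted in the thread; everything else here is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# key=value tokens: a value is either single-quoted (name='') or a run of
# non-whitespace, which keeps url= intact even though it contains '=' and '&'.
_KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
# Epoch timestamp after the syslog PRI/version prefix, e.g. "<134>1 1681244404.19...".
_EPOCH_RE = re.compile(r"<\d+>1 (\d+\.\d+)")

# SHA-256 values the thread reports as false positives on Microsoft update
# traffic (shown as "clean" in the Meraki dashboard after 2023-04-13).
KNOWN_FALSE_POSITIVE_SHA256 = {
    "975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562",
    "7f4cbddda24faf170473706c062c8957d6bb422b285013c932c61e8dd4efb381",
    "0e9cf9601c14abd31bb02adfa0986ceb78af596cbd991e6cad89fe80ea959abd",
    "7b9e2002cacef4817353464f9845e294845daef8b28adeab55e76b3c8278ff18",
}
# Update CDN suffixes named in the thread. A host match alone only earns a
# "review" verdict, never auto-suppression: a trusted CDN can still serve a
# file nobody has vetted, so suppression is keyed on the hash.
UPDATE_CDN_SUFFIXES = (".tlu.dl.delivery.mp.microsoft.com", ".c2r.ts.cdn.office.net")


@dataclass
class FileScanEvent:
    epoch: float
    url: str
    src: str
    dst: str
    sha256: str
    disposition: str
    action: str

    @property
    def host(self) -> str:
        return (urlparse(self.url).hostname or "").lower()


def parse_event(line: str) -> Optional[FileScanEvent]:
    """Return a FileScanEvent for a file-scan line, None for any other line."""
    if "security_filtering_file_scanned" not in line:
        return None
    ts = _EPOCH_RE.search(line)
    fields = {k: v.strip("'") for k, v in _KV_RE.findall(line)}
    try:
        return FileScanEvent(
            epoch=float(ts.group(1)) if ts else 0.0,
            url=fields["url"], src=fields["src"], dst=fields["dst"],
            sha256=fields["sha256"].lower(),  # normalise case before the allowlist lookup
            disposition=fields["disposition"], action=fields["action"],
        )
    except KeyError:
        return None  # malformed line: a required field is missing


def triage(ev: FileScanEvent) -> str:
    """Verdict labels are this example's own: ignore / known-false-positive / review / escalate."""
    if ev.disposition != "malicious":
        return "ignore"
    if ev.sha256 in KNOWN_FALSE_POSITIVE_SHA256:
        return "known-false-positive"
    if ev.host.endswith(UPDATE_CDN_SUFFIXES):
        return "review"  # same CDN, unvetted hash: check VT/Talos before suppressing
    return "escalate"


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Collapse an alert flood into one row per SHA-256: count, CDN hosts, client IPs, verdict."""
    rows: Dict[str, dict] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.disposition != "malicious":
            continue
        row = rows.setdefault(ev.sha256, {"count": 0, "hosts": set(), "clients": set(),
                                          "verdict": triage(ev)})
        row["count"] += 1
        row["hosts"].add(ev.host)
        row["clients"].add(ev.src.rsplit(":", 1)[0])
    return rows


# Sample input: the first line is the one quoted in the thread; the rest are
# constructed (RFC 5737 addresses, placeholder file ids and all-zero/all-one hashes).
SAMPLE_LOG = [
    "Apr 11 10:20:04 98.151.25.111 logger <134>1 1681244404.194824387 Firewall security_event "
    "security_filtering_file_scanned url=http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/"
    "files/ade20ec6-c563-480b-ad73-40580d...?P1=1681245007&P2=404&P3=2&P4=X4AhVcAJt9jaRV%2fQCoOfA68Y3tgXZY4Hhvr8JWM6pe5%2fEIEDZAOWhdj0CK60cr4uGAgFEfe0%2b5r5q7kjJ%2foh3w%3d%3d "
    "src=192.168.1.192:54486 dst=209.197.3.8:80 mac=30:D1:6B:F1:7E:E7 name='' "
    "sha256=fc46caae796a5bfe5eb2a814d8f97fc91e6f710f68ca00832ccd7171fb550151 disposition=malicious action=block",
    "Apr 13 10:28:11 198.51.100.7 logger <134>1 1681396091.000000000 Firewall security_event "
    "security_filtering_file_scanned url=http://3.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/"
    "files/00000000-0000-0000-0000-000000000000 src=192.168.1.50:50001 dst=203.0.113.9:80 "
    "mac=00:11:22:33:44:55 name='' "
    "sha256=7F4CBDDDA24FAF170473706C062C8957D6BB422B285013C932C61E8DD4EFB381 disposition=malicious action=block",
    "Apr 13 10:28:12 198.51.100.7 logger <134>1 1681396092.000000000 Firewall security_event "
    "security_filtering_file_scanned url=http://3.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/"
    "files/00000000-0000-0000-0000-000000000000 src=192.168.1.51:50002 dst=203.0.113.9:80 "
    "mac=00:11:22:33:44:56 name='' "
    "sha256=7f4cbddda24faf170473706c062c8957d6bb422b285013c932c61e8dd4efb381 disposition=malicious action=block",
    "Apr 13 10:30:00 198.51.100.7 logger <134>1 1681396200.000000000 Firewall security_event "
    "security_filtering_file_scanned url=http://downloads.example.net/tool.exe src=192.168.1.77:49152 "
    "dst=203.0.113.20:80 mac=00:11:22:33:44:66 name='tool.exe' "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000 disposition=malicious action=block",
    "Apr 13 10:31:00 198.51.100.7 logger <134>1 1681396260.000000000 Firewall security_event "
    "security_filtering_file_scanned url=http://downloads.example.net/readme.txt src=192.168.1.77:49153 "
    "dst=203.0.113.20:80 mac=00:11:22:33:44:66 name='readme.txt' "
    "sha256=1111111111111111111111111111111111111111111111111111111111111111 disposition=clean action=allow",
]

if __name__ == "__main__":
    for sha, row in summarize(SAMPLE_LOG).items():
        print(f"{sha[:12]}... x{row['count']:<3} {row['verdict']:<21} "
              f"hosts={sorted(row['hosts'])} clients={len(row['clients'])}")
```

Keying the verdict on the hash rather than the download domain is the important design choice: the thread's own data shows new hashes appearing from the same CDN hours apart, and a hash the vendor has not retrospectively cleared still deserves a look even when the host is microsoft.com.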
Ya, looking at the timeline in my security tools on one of the devices supposedly affected, there is nothing going on except for attempts at Windows updates.
So unless MS is compromised, this is almost certainly a false positive.
Where did my post go?
Here's what we got from Meraki Support:
Greetings,
Thank you for contacting Cisco Meraki Technical Support.
I would like to inform you that we are aware of the recent issue where a Microsoft update is being flagged as malicious by the AMP service on the MX platform. Our development team has been alerted and is currently investigating the matter. For updates on the progress of the investigation, please refer to this link: https://community.meraki.com/t5/Security-SD-WAN/MX-Malware-Blocking/m-p/191266#M44553. We will keep this thread updated as soon as we have more information on whether this is a false positive or not.
Thanks,
Jason Wu
Cisco Meraki Technical Support
That one is from 2019.
Had thousands of these this morning. Every Windows machine sending through the firewall.
We're still incrementing
We are now getting a new alert for the below file. Anybody else?
Source Location: b.c2r.ts.cdn.office.net
File: i640.c2rx (W32.7B9E2002CA.RET.SBX.TG)
SHA256: 7b9e2002cacef4817353464f9845e294845daef8b28adeab55e76b3c8278ff18
Same here, Jameson.
We are also following this new issue on this post: 2nd Malware Detected - i640.c2rx - The Meraki Community
Wanted to follow up here to see if others are experiencing the same thing we are. (tagging @ConnorL from Meraki)
Meraki marked the issue as "Resolved" on this post [RESOLVED] Security Center False Positive Alert - April 13th 2023 - The Meraki Community
However, we have had a total of 3 files that triggered Malware alerts today. So far 2 of the 3 are showing as "Clean" in the dashboard.
Ultimately, I'm trying to determine if this "resolution" is for all of the files or just the two currently marked as "clean"?
File 1: [CLEAN] W32.7F4CBDDDA2.RET.SBX.TG - 7f4cbddda24faf170473706c062c8957d6bb422b285013c932c61e8dd4efb381
File 2: [MALICIOUS] W32.0E9CF9601C.RET.SBX.TG - 0e9cf9601c14abd31bb02adfa0986ceb78af596cbd991e6cad89fe80ea959abd
File 3: [CLEAN] i640.c2rx (W32.7B9E2002CA.RET.SBX.TG) -- 7b9e2002cacef4817353464f9845e294845daef8b28adeab55e76b3c8278ff18
Following up.. All 3 files are now marked as clean and have fallen out of my alerts. For me, this issue appears to be completely "resolved".
Yep. It went completely retrospectively clean. It's a good day after all.