Meraki MX False Positive IDS Events in syslog

HScar
Here to help

Hi,


I'm trying to investigate what are most likely false positive IDS events that are being output by our MX via syslog. Here's an example of one:


MX100 security_event security_filtering_file_scanned url=http://download.windowsupdate.com/c/msdownload/update/others/2022/02/36119907_fbffd9be78a28e77092640722a86ff95490d20b4.cab src=XX dst=XX mac=XX name='' sha256=6f8fd79ae33f21e589f4d02fdecbc9ee547c079fecc31672a0de8b12f2b05a47 disposition=malicious action=block


The SHA256 turns up no hits on VirusTotal and there are no reports of this showing up in the Event Log or the Security Center. This has been happening for some time for us on various Windows machines doing updates and I haven't been able to get to the bottom of it. Any help would be appreciated.

2 Replies
CptnCrnch
Kind of a big deal

Meraki is simply taking its information coming from Cisco Talos where that particular file was inspected (probably) by their Sandbox solution that found it to be malicious.


Your best option here is to get in touch with Meraki Support to have that thing sorted out. If you're really sure that this is a false positive, you could also put the SHA256 hash of that file on the Allow list: https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Allow_...

The confusing part for me is why these events are showing up in syslog, but not the Meraki dashboard's event log or Security Events. There are dozens of these events that come up each month. I'd prefer not to add these hashes all the time. I've tried whitelisting the download.windowsupdate.com domain and they still show up in syslog.
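An added example, not code from this thread or from Meraki: a small Python parser for the `security_event` syslog format quoted in the question, plus a triage summary that counts blocked-file events per SHA256 and separates hashes already covered by an allowlisted hash or domain from those that still need review (useful when dozens of these arrive per month). The src/dst/mac values, the second file hash and the allowlist sets are constructed; the first URL and hash are the ones from the post.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample syslog lines in the format quoted in the question.
# src/dst/mac are made up; the last line is deliberately missing sha256.
SAMPLE_LINES = [
    "MX100 security_event security_filtering_file_scanned url=http://download.windowsupdate.com/c/msdownload/update/others/2022/02/36119907_fbffd9be78a28e77092640722a86ff95490d20b4.cab src=10.0.0.5 dst=13.107.4.50 mac=00:11:22:33:44:55 name='' sha256=6f8fd79ae33f21e589f4d02fdecbc9ee547c079fecc31672a0de8b12f2b05a47 disposition=malicious action=block",
    "MX100 security_event security_filtering_file_scanned url=http://download.windowsupdate.com/c/msdownload/update/others/2022/02/36119907_fbffd9be78a28e77092640722a86ff95490d20b4.cab src=10.0.0.7 dst=13.107.4.50 mac=00:11:22:33:44:66 name='' sha256=6f8fd79ae33f21e589f4d02fdecbc9ee547c079fecc31672a0de8b12f2b05a47 disposition=malicious action=block",
    "MX100 security_event security_filtering_file_scanned url=http://files.example.test/setup.exe src=10.0.0.9 dst=203.0.113.8 mac=00:11:22:33:44:77 name='setup.exe' sha256=" + "0" * 64 + " disposition=malicious action=block",
    "MX100 security_event security_filtering_file_scanned url=http://files.example.test/setup.exe",
]

# Header: "<device> security_event <event type> key=value ..."; values may be single-quoted (name='').
HEAD_RE = re.compile(r"^(?P<device>\S+)\s+security_event\s+(?P<event>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=('[^']*'|\S*)")


def parse_security_event(line):
    """Return the fields of one security_event syslog line as a dict, or None if it is not one."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    fields = {"device": m["device"], "event": m["event"]}
    for key, value in KV_RE.findall(m["rest"]):
        fields[key] = value.strip("'")
    return fields


def triage(lines, allowed_hashes=frozenset(), allowed_domains=frozenset()):
    """Count 'malicious' file events per SHA256; bucket each hash as allowlisted or needs_review."""
    by_hash = Counter()
    first_url = {}  # one representative URL per hash, for the domain check
    for line in lines:
        ev = parse_security_event(line)
        if not ev or ev.get("disposition") != "malicious" or "sha256" not in ev:
            continue  # not a file-scan verdict we can act on (e.g. truncated line)
        by_hash[ev["sha256"]] += 1
        first_url.setdefault(ev["sha256"], ev.get("url", ""))
    report = {"allowlisted": {}, "needs_review": {}}
    for sha, count in by_hash.items():
        domain = urlparse(first_url[sha]).hostname or ""
        bucket = "allowlisted" if sha in allowed_hashes or domain in allowed_domains else "needs_review"
        report[bucket][sha] = {"count": count, "domain": domain}
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LINES, allowed_domains={"download.windowsupdate.com"}), indent=2))
```

Hashes in `needs_review` are the ones worth checking against VirusTotal or raising with Meraki Support before deciding on an allowlist entry.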
