We have a MX84 that alerted this morning about a "Retrospective" File Disposition Change. The event in question appears to be an exe download:
am_base_07038dbbb574078315e3d4d6d8e45491a4db3bd0.exe
sha256: e9ab8d11545dbad0ebf6ef6a35750d7051b0af2e72ba1fd8d464203140bcb55f
...downloaded from an apparently legit Microsoft domain:
au.download.windowsupdate.com
I am unable to find any documentation detailing why this file is being flagged. The virustotal results look clean as well. Can anyone shed any light?
We are also starting to get hammered with this alert -- also looking into this now.
Have either of you reached out to support about it?
Support came back and just said "Because Talos determined it is malicious. You can whitelist the domain if you'd like."
While there is nothing technically wrong in that answer, it really isn't helpful. If Talos (and AMP by extension) is flagging false positives against Windows Update files, then that is a problem. Conversely, if MS is serving up malicious files, then that is also a problem.
Unfortunately, I do not have access to Talos Threat Grid to see anything further on this file.
Fully agree. Useless response by support.
Seeing the same thing, but for different file.
File Hash: | 03ac5722648be8b253a41ce1436da2c982d08e56cfc40f87147e81c03523f6b7 |
Download Info: | 2018-12-20 8:12 AM EST, by |
File URI / Server IP: | hxxp://3.au.download.windowsupdate.com/c/msdownload/update/software/defu/2018/12/am_delta_c011e84cd2dc0751e76cb81ec206f2cb78c4dcf6.exe (8.253.110.249) |
Original Disposition: | Unknown |