Meraki

Community

New malware flagged from Windows Update downloads

Chris11
Conversationalist
‎Dec 20 2018 7:13 AM
‎Dec 20 2018 7:13 AM

New malware flagged from Windows Update downloads

We have a MX84 that alerted this morning about a "Retrospective" File Disposition Change.  The event in question appears to be an exe download:

 

am_base_07038dbbb574078315e3d4d6d8e45491a4db3bd0.exe

sha256: e9ab8d11545dbad0ebf6ef6a35750d7051b0af2e72ba1fd8d464203140bcb55f 

 

...downloaded from an apparently legit Microsoft domain:  

 

au.download.windowsupdate.com

 

I am unable to find any documentation detailing why this file is being flagged.  The virustotal results look clean as well.  Can anyone shed any light?

6 Replies 6
LV_MW_MSP
Getting noticed
‎Dec 20 2018 7:36 AM
‎Dec 20 2018 7:36 AM

We are also starting to get hammered with this alert -- also looking into this now.

0 Kudos
In response to LV_MW_MSP
MacuserJim
A model citizen
‎Dec 20 2018 8:25 AM
‎Dec 20 2018 8:25 AM

Have either of you reached out to support about it?

In response to MacuserJim
Chris11
Conversationalist
‎Dec 20 2018 11:14 AM
‎Dec 20 2018 11:14 AM

I have. When I hear back I will update here.
0 Kudos
In response to Chris11
Chris11
Conversationalist
‎Dec 20 2018 12:11 PM
‎Dec 20 2018 12:11 PM

Support came back and just said "Because Talos determined it is malicious.  You can whitelist the domain if you'd like." 

 

While there is nothing technically wrong in that answer, it really isn't helpful.  If Talos (and AMP by extension) is flagging false positives against Windows Update files, then that is a problem.  Conversely, if MS is serving up malicious files, then that is also a problem. 

 

Unfortunately, I do not have access to Talos Threat Grid to see anything further on this file.

In response to Chris11
vKohl
Conversationalist
‎Dec 20 2018 2:05 PM
‎Dec 20 2018 2:05 PM

Fully agree. Useless response by support.

0 Kudos
calebbaker
Here to help
‎Dec 20 2018 8:47 AM
‎Dec 20 2018 8:47 AM

Seeing the same thing, but for different file.

 

File Hash:

03ac5722648be8b253a41ce1436da2c982d08e56cfc40f87147e81c03523f6b7

Download Info:

2018-12-20 8:12 AM EST, by

File URI / Server IP:

hxxp://3.au.download.windowsupdate.com/c/msdownload/update/software/defu/2018/12/am_delta_c011e84cd2dc0751e76cb81ec206f2cb78c4dcf6.exe (8.253.110.249)

Original Disposition:

Unknown

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.