Security Center question MX64 with Adv Sec.- not sure where to post.

Peter_P
Here to help


My firewall keeps on getting triggered by Australia Perth Akamai Technologies Inc on a brand new machine that I've just set up for a client. I installed Norton on that machine as per the client's request.

Does anyone know if this is a real attack?

Here's the threat:

INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data

 

Thank you.

P

5 REPLIES
DarrenOC
Kind of a big deal

If it is a real attack, at least you know the MX is doing its job in blocking and letting you know!


Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
CptnCrnch
Kind of a big deal

Let's take a look at what this message is: https://www.snort.org/rule_docs/1-38619

"This event is generated when a Content-Type header reports plaintext, but there is Portable Executable data detected."

It's rather unusual for a file to pretend to be plaintext but be an executable at the same time. There's a relatively high probability that this was a real attack, but to be sure, one would have to investigate further.

You can get further information at https://www.virustotal.com/gui/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae05179203021838259aeda9801a...
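To make the rule text above concrete, here is an added example (not from this thread, and not the Snort rule's own logic) of the kind of check it describes: parse an HTTP response, and flag it when the Content-Type header claims text/plain but the body carries a PE file (an MZ DOS header whose e_lfanew field points at a "PE\0\0" signature). The sample responses are constructed inline so it runs offline.

```python
import struct

# Constructed sample bodies: a minimal PE-shaped blob and some genuine plain text.
# MZ header (2 bytes), zero padding to offset 0x3C, e_lfanew = 0x80, then "PE\0\0" at 0x80.
PE_BODY = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)
           + b"\x00" * (0x80 - 64) + b"PE\x00\x00" + b"\x00" * 16)
TEXT_BODY = b"Hello, this really is plain text.\n"


def http_response(content_type: str, body: bytes) -> bytes:
    """Build a constructed raw HTTP/1.1 response with the given Content-Type."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type.encode()
            + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)


def parse_response(raw: bytes):
    """Split a raw HTTP response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def looks_like_pe(body: bytes) -> bool:
    """True if body starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    # An out-of-range e_lfanew yields a short slice and therefore no match.
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def content_type_mismatch(raw: bytes) -> bool:
    """Flag a response whose declared type is text/plain but whose body is a PE."""
    headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "text/plain" and looks_like_pe(body)


if __name__ == "__main__":
    for label, ct, body in [("pe-as-text", "text/plain; charset=utf-8", PE_BODY),
                            ("real-text", "text/plain", TEXT_BODY),
                            ("pe-as-binary", "application/octet-stream", PE_BODY)]:
        print(label, "ALERT" if content_type_mismatch(http_response(ct, body)) else "ok")
```

Only the first sample trips the check: the PE served with a truthful application/octet-stream type is not a mismatch, which is exactly why the rule keys on the header/body disagreement rather than on the presence of a PE alone.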

Totally agree!

Will have to have a dig and look for the files listed on that site. I was wondering if anyone else came across this one.

What is great about the community... you can always learn! Thank you for the post, great knowing how to get more details on the alert from snort.org.

Yes, MX is doing great! Just not sure about the attack, given it comes from a static IP of security/cloud company Akamai.