W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

SOLVED
calebbaker
Here to help

W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Getting THOUSANDS of alerts for this at the moment (SHA256: 779c90c974a4f1d927070cbff0d17f5d1daf7bd631603530a408c15ba7bd534b ).

 

Seems like a recent update to the Microsoft store Windows 10 app is being incorrectly flagged by AMP.

 

On hold with support now, anyone else seeing the same?

1 ACCEPTED SOLUTION
Raj66
Meraki Employee

Hello all,

 

This should be resolved now. The file has been mistakenly categorized as malicious causing this to fail. File deposition has been changed. We are truly sorry for the inconvenience. If the updates are failed, please go ahead and try again, they should go through now.

 

As of now, this is only related to Microsoft files. if you are also seeing issues with Adobe files or any other files. They should be considered as a different issue and please open a ticket with Meraki support for further investigation.

 

Regards,

 

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it

View solution in original post

56 REPLIES 56
JackTheRipper
New here

Only 480 events in the last hour from my network on the first email.  I called support and they were about worthless until I got to the supervisor.  I also emailed my sales person and the vendor I purchase it through.

 

8/1/2019 17:32File Scannedhttphttp://11.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/65cc1083-07ec-42e5-b5dd-a39191...72.21.81.24080779c90c974a4f1d927070cbff0d17f5d1daf7bd631603530a408c15ba7bd534bZIP691677MaliciousBlocked

Same here, getting a couple hundred alerts. 

Yep - I am seeing this as well.  I shut down the port the flagged pc is on but don't know the extent of what else this is.  Is this really a windows 10 update to the store?????

ivanavich
Conversationalist

Yep receiving quite a few warnings through MX with the same hash.

 

SHA256: 779c90c974a4f1d927070cbff0d17f5d1daf7bd631603530a408c15ba7bd534b
Disposition: Malicious
Type: ZIP
Size: 691.7 kB
wey2go
Getting noticed

Yep, got inundated with warnings from all my sites.

Aaron
Conversationalist

Getting the same here from multiple networks and machines.

 

Almost certainly a false positive from AMP - Unless somebody snuck something onto the store and AMP is the first to pick up on it.

 

Does anybody have a copy of the file?

 

VirusTotal has it at 0/56: https://www.virustotal.com/gui/file/779c90c974a4f1d927070cbff0d17f5d1daf7bd631603530a408c15ba7bd534b...

wey2go
Getting noticed

Any idea of the filename and location on a PC? I should be able to get the file if I know exactly which file.

Looks like the file names are 

  • Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.Appx
  • Microsoft.VCLibs.x86.14.00.appx

Seems to be in the Program Files for Adobe

 

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader

This looks like a false positive.

This is a Win X Application Package.

One on my computer is there, scanned with A/V nothing, modified back in March...

Could be part of an update, which would explain why we're getting a lot of these alerts at this time.

Aaron
Conversationalist

Gryffindor - I see that filename in that directory, but on my system the hash (and last modified date) doesn't match that of the AMP reported hash.

AndrewPokha
Conversationalist

I have the same result.

Copied the file from one of the clients flagged by Meraki.

And the hash doesn't match the threat hash...

The hash of a binary file on disk won't necessarily match the hash Meraki sees, because Meraki sees the hash in the HTTP stream which is encoded (and possibly compressed).

Yeah i checked VirusTotal also - very odd - sure hope its a false positive.

Gryffindor
Here to help

We are getting slammed with this as well.

M3rak1
New here

getting hammered with these as well. Anyone got anything from support yet?

Captain_Murphy
Here to help

Undoubtedly a sophisticated new version of ransomware that is spreading throughout all Amp networks. Perfect for how I wanted to spend my night, looking up info on my networks spamming false positives.

Maybe Microsoft infected a malware with Windows 10 to slow it down?

CamG
Here to help

Logged a case a few mins ago and called account rep in Aus who was at HQ with head of support. They will update me soon and I'll post here.

Davederb
Conversationalist

I opened a ticket as well and the tech rep said they were aware of the issue and working with engineering on resolving it

Tracert
New here

For the longest time I've been telling everyone that Windows is just one giant useful virus.

 

Glad to finally get verification.

merakiman1
Conversationalist

I just got off the phone with support who said they are getting tons of calls about this, but are 100% sure it is a false positive and they have escalated internally to get it addressed so it stops flagging.

cb123
Conversationalist

I've been cross checking related computers and network in Umbrella and not seeing anything, has to be a false positive I hope

Tracert
New here

Also, Is anyone else noticing that the timestamp is not todays date?

nei_it_dept
Conversationalist

Same Same, getting lots of flags and retroactive flags. 

mladdy
New here

We're seeing this too.

 

Rapid 7 hasn't reported to us and Umbrella is showing nothing.

 

I'm with everyone else and hope it's a false positive! 

Jameson
Conversationalist

Just Got off the phone with Meraki Support.

Representative said that it was a False Positive and AMP was blocking windows updates. Engineering was working to get it resolved. I had already opened a ticket so he posted the below information to the ticket and said the ticket would be updated when engineering had more information.

PROBLEMS DISCUSSED:
- AMP blocking Windows update.

------------------------
ACTIONS TAKEN:
- File in question: W32.779C90C974-100.SBX.TG

------------------------
NEXT STEPS:
- Further investigate this malicious activity.
- Keep the customer posted with updates.

 

 

[Mod note 1 August: Marking as solution for greater visibility!]

[Mod note 2 August: Un-marking as solution now that we have an update from Raj at Meraki]

Thank you for this!

Yes - we did get alerts from our 120+ MX sites, I also remember this is not the first time AMP has incorrectly flagged Microsoft updates.

Dave
Getting noticed

I got it too.  Thanks for the info on it. 

 

Raj66
Meraki Employee

Hello all,

 

This should be resolved now. The file has been mistakenly categorized as malicious causing this to fail. File deposition has been changed. We are truly sorry for the inconvenience. If the updates are failed, please go ahead and try again, they should go through now.

 

As of now, this is only related to Microsoft files. if you are also seeing issues with Adobe files or any other files. They should be considered as a different issue and please open a ticket with Meraki support for further investigation.

 

Regards,

 

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it

View solution in original post

Thanks. Does this also apply to the Adobe issue? Or just the Microsoft issue?

At this moment. This is only in regards to Microsoft updates. Please open a ticket with meraki support if you are also having issues with Adobe files for further investigation.

 

Thanks and regards!

 

Raj

 

 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it

At this moment. This is only in regards to Microsoft updates. Please open a ticket with Meraki support if you are also having issues with Adobe files for further investigation.

 

Thanks and regards!

 

Raj

 

 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it

I have also received numerous alerts from the Adobe files mentioned by calebbaker. Can you confirm if the file desposition has been updated for this as well?

 

Detection: W32.7B512B45B6-100.SBX.TG

eutl12.acrobatsecuritysettings (SHA256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6)

 

The adobe files, I can’t help with checking the disposition on those.  (Sorry).  You’d likely have to contact Meraki Support.

Adobe files are no longer showing for me as Disposition changed.

 

Seem to be all good on both.

You are right. Seems everything is okay now.

Great!
Dave2000
Conversationalist

Here we go, round 2; 10 hours after @Raj66  declares it solved. 

 

Only 25 emails this time though.

Raj66
Meraki Employee

Hello @Dave2000 I am sorry to hear that. Is it the same update that is getting blocked again? Would you mind opening a support ticket for further investigation? 

 

Cheers!

 

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
Dave2000
Conversationalist

I still have one open from last night as well I can update
Dave2000
Conversationalist

@Raj66 updated my ticket. I am sure the support guy Indy Cao is thrilled to see it still happening. 

We're getting these as well on our FTD VPN FWs with AMP

 

<*- Network Based Malware From "VPN-FTD01" at Mon Aug  5 20:31:33 2019 UTC -*>

Sha256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6 Disposition: Malware Threat name: W32.7B512B45B6-100.SBX.TG IP Addresses: x.x.x.x<-23.204.228.68

 

 

However Talos shows it as clean...

Is there a report available detailing this issue and what has been put in place to prevent this from happening again? Looking for something to send out to our clients detailing this false positive.

Dave2000
Conversationalist

@Josh214 It is rather unlikely there is a report yet. Despite the thread indication it is "solved", I still have 2 open cases with support. 

In my case - this was partly due to a setting (my issue was with AMP on ASA firewalls but similar database) was that in the management console for the file policy you can tell it to override Talo's disposition based on the ThreatGrid score.  TAC said because the way the update file works it is capable of being malicious so it gives it a very high threat score. In our case, we told our appliances to mark it as malware if the threat score was Very High.  Not sure if this is relatable to you guys but wanted to mention it

Heads up, just got a blockage for another update. 

 

W32.B8E3DD9E82-95.SBX.TG

Heads up, we just got a blockage for another update

 

W32.B8E3DD9E82-95.SBX.TG
ChrisBarnes
Here to help

Ooof... nothing like a Thursday night fire drill!

 

Thanks to Meraki Support who took my call. Will watch for updates on my case.

FOriginal
New here

Same thing over here...

Timon
New here

Thanks for information!!!

ChrisBarnes
Here to help

Update: overnight I began getting these for Adobe as well. There's no update on my support case.

 

Has anyone heard back from Meraki Support on what's happening here? Last I heard they were investigating and the comment here marked as "Solved" implies the same. 

 

Thanks.

Yes, also seeing Adobe file being reported here.

 

2 Different Files:

eutl12.acrobatsecuritysettings (SHA256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6)

eutl11.acrobatsecuritysettings (SHA256: 3ed06a6ff00c0015e85609f509b11c3cdf0ab9991d74b1d44daab7c264fd99d9)

 

No hits for these on VirusTotal, coming from an Akamai server with an Adobe URL, so pretty confident this is false positive as well.

 

My feedback from support was that Engineering was aware of the issue, and I would get an update when it was resolved. I've not gotten an update yet and still seeing blocks for the original Microsoft file. So seems like original issue is still ongoing.

 

I've whitelisted the SHA256 in AMP in most of my sites, and that clears up the alert issue.

BeckerIT
Here to help

I'm getting slammed with alerts as well. Opened a support case with meraki, and it appears to be a false positive.
NetworkGuy9
Conversationalist

Got this too last night. Good to know that it was a false-positive.

merakiman1
Conversationalist

@calebbaker @SEC_ST 

 

I spoke to Meraki support regarding eutl12.acrobatsecuritysettings (SHA256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6) and they advised this is also a false positive - most likely due to outdated MX software. Check your MX version and see what you find there.

Um... well... we're on 15.14. Although 15.15 is out 15.14 is still pretty darn new!

Thanks for the update either way... I'll ignore the Adobe stuff from last night.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels