W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

SOLVED
Here to help

W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Getting THOUSANDS of alerts for this at the moment (SHA256: 779c90c974a4f1d927070cbff0d17f5d1daf7bd631603530a408c15ba7bd534b ).

 

Seems like a recent update to the Microsoft store Windows 10 app is being incorrectly flagged by AMP.

 

On hold with support now, anyone else seeing the same?

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Only 480 events in the last hour from my network on the first email.  I called support and they were about worthless until I got to the supervisor.  I also emailed my sales person and the vendor I purchase it through.

 

8/1/2019 17:32 | File Scanned | http
URL: http://11.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/65cc1083-07ec-42e5-b5dd-a39191...
Server: 72.21.81.240:80
SHA256: 779c90c974a4f1d927070cbff0d17f5d1daf7bd631603530a408c15ba7bd534b
Type: ZIP | Size: 691677 | Disposition: Malicious | Action: Blocked
New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Same here, getting a couple hundred alerts. 

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Yep receiving quite a few warnings through MX with the same hash.

 

SHA256: 779c90c974a4f1d927070cbff0d17f5d1daf7bd631603530a408c15ba7bd534b
Disposition: Malicious
Type: ZIP
Size: 691.7 kB
Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Yep, I am seeing this as well.  I shut down the port the flagged PC is on but don't know the extent of what else this is.  Is this really a Windows 10 update to the store?????

Getting noticed

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Yep, got inundated with warnings from all my sites.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Getting the same here from multiple networks and machines.

 

Almost certainly a false positive from AMP - Unless somebody snuck something onto the store and AMP is the first to pick up on it.

 

Does anybody have a copy of the file?

 

VirusTotal has it at 0/56: https://www.virustotal.com/gui/file/779c90c974a4f1d927070cbff0d17f5d1daf7bd631603530a408c15ba7bd534b...

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

We are getting slammed with this as well.

Getting noticed

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Any idea of the filename and location on a PC? I should be able to get the file if I know exactly which file.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Yeah, I checked VirusTotal also; very odd. Sure hope it's a false positive.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Looks like the file names are 

  • Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.Appx
  • Microsoft.VCLibs.x86.14.00.appx

Seems to be in the Program Files for Adobe

 

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

This looks like a false positive.

This is a Win X Application Package.

One on my computer is there, scanned with A/V nothing, modified back in March...

Could be part of an update, which would explain why we're getting a lot of these alerts at this time.

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

getting hammered with these as well. Anyone got anything from support yet?

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Undoubtedly a sophisticated new version of ransomware that is spreading throughout all AMP networks. Perfect for how I wanted to spend my night, looking up info on my networks spamming false positives.

Kind of a big deal

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Maybe Microsoft infected a malware with Windows 10 to slow it down?

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Gryffindor - I see that filename in that directory, but on my system the hash (and last modified date) doesn't match that of the AMP reported hash.

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Logged a case a few mins ago and called account rep in Aus who was at HQ with head of support. They will update me soon and I'll post here.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I opened a ticket as well and the tech rep said they were aware of the issue and working with engineering on resolving it.

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

For the longest time I've been telling everyone that Windows is just one giant useful virus.

 

Glad to finally get verification.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I just got off the phone with support who said they are getting tons of calls about this, but are 100% sure it is a false positive and they have escalated internally to get it addressed so it stops flagging.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I've been cross-checking related computers and networks in Umbrella and not seeing anything; has to be a false positive, I hope.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I have the same result.

Copied the file from one of the clients flagged by Meraki.

And the hash doesn't match the threat hash...

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Also, is anyone else noticing that the timestamp is not today's date?

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Same Same, getting lots of flags and retroactive flags. 

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

We're seeing this too.

 

Rapid7 hasn't reported to us and Umbrella is showing nothing.

 

I'm with everyone else and hope it's a false positive! 

Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

The hash of a binary file on disk won't necessarily match the hash Meraki sees, because Meraki sees the hash in the HTTP stream which is encoded (and possibly compressed).
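
The mismatch described above, as an added example that is not part of this thread and not Meraki or Cisco tooling: an inline scanner hashes the bytes it sees on the wire, so when the server applies a Content-Encoding the wire hash differs from the hash of the file on disk, and it cannot be reproduced from the file alone (the gzip header carries an mtime and compressors differ). What can be compared is the decoded body. The script assumes you have the captured response body and its Content-Encoding (and Content-Range for a partial response); `ON_DISK` is constructed sample data, not the archive from the thread, and the `raw-deflate` label is a local name used only to build a sample capture.

```python
import gzip
import hashlib
import zlib
from typing import Optional

# Constructed stand-in for an archive on disk (not the real file from the thread).
ON_DISK = b"PK\x03\x04" + b"constructed sample archive payload " * 50


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def encode_body(data: bytes, content_encoding: Optional[str], mtime: int = 0) -> bytes:
    """Build the wire form a server might send; used here only to construct sample captures."""
    enc = (content_encoding or "identity").lower()
    if enc == "identity":
        return data
    if enc == "gzip":
        return gzip.compress(data, mtime=mtime)
    if enc == "deflate":
        return zlib.compress(data)
    if enc == "raw-deflate":  # local label: some servers send deflate bodies without the zlib wrapper
        co = zlib.compressobj(wbits=-zlib.MAX_WBITS)
        return co.compress(data) + co.flush()
    raise ValueError(f"unsupported encoding: {enc}")


def decode_body(body: bytes, content_encoding: Optional[str]) -> bytes:
    """Undo the HTTP Content-Encoding so the body can be compared with the file on disk."""
    enc = (content_encoding or "identity").strip().lower()
    if enc == "identity":
        return body
    if enc in ("gzip", "x-gzip"):
        return gzip.decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompress(body)               # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate
    raise ValueError(f"unsupported Content-Encoding: {enc}")


def parse_content_range(value: str) -> tuple:
    """Parse 'bytes first-last/total' into (first, last), inclusive."""
    unit, _, rng = value.strip().partition(" ")
    if unit.lower() != "bytes":
        raise ValueError(f"unsupported range unit: {unit}")
    span = rng.partition("/")[0]
    first, _, last = span.partition("-")
    return int(first), int(last)


def compare_with_stream(on_disk: bytes, body: bytes, content_encoding: Optional[str],
                        content_range: Optional[str] = None) -> dict:
    """Compare a file on disk with a captured HTTP response body.

    'wire' is what an inline scanner hashes; 'decoded' is the body with the
    Content-Encoding removed. A partial (206) response is compared against the
    matching slice of the file, since it can never equal the whole file.
    """
    decoded = decode_body(body, content_encoding)
    result = {
        "disk": sha256_hex(on_disk),
        "wire": sha256_hex(body),
        "decoded": sha256_hex(decoded),
        "partial": content_range is not None,
        "matches_wire": False,
        "matches_decoded": False,
        "matches_slice": False,
    }
    result["matches_wire"] = result["wire"] == result["disk"]
    if result["partial"]:
        first, last = parse_content_range(content_range)
        result["matches_slice"] = decoded == on_disk[first:last + 1]
    else:
        result["matches_decoded"] = result["decoded"] == result["disk"]
    return result


if __name__ == "__main__":
    # Two gzip transfers of the same file: different wire hashes, same decoded hash.
    for mtime in (0, 1564680720):
        r = compare_with_stream(ON_DISK, encode_body(ON_DISK, "gzip", mtime), "gzip")
        print(f"gzip mtime={mtime}: wire={r['wire'][:16]}... decoded={r['decoded'][:16]}... "
              f"matches_wire={r['matches_wire']} matches_decoded={r['matches_decoded']}")
    # An uncompressed transfer hashes the same on the wire and on disk.
    r = compare_with_stream(ON_DISK, ON_DISK, None)
    print(f"identity: matches_wire={r['matches_wire']} matches_decoded={r['matches_decoded']}")
```

When the report gives only the wire hash, as in the event row above, the practical check is therefore to hash the decoded body of the captured transfer (or the file as delivered by the same URL) rather than to hunt for a file on disk whose hash equals the reported one.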

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Just got off the phone with Meraki Support.

Representative said that it was a false positive and AMP was blocking Windows updates. Engineering was working to get it resolved. I had already opened a ticket, so he posted the below information to the ticket and said the ticket would be updated when engineering had more information.

PROBLEMS DISCUSSED:
- AMP blocking Windows update.

------------------------
ACTIONS TAKEN:
- File in question: W32.779C90C974-100.SBX.TG

------------------------
NEXT STEPS:
- Further investigate this malicious activity.
- Keep the customer posted with updates.

 

 

[Mod note 1 August: Marking as solution for greater visibility!]

[Mod note 2 August: Un-marking as solution now that we have an update from Raj at Meraki]

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Ooof... nothing like a Thursday night fire drill!

 

Thanks to Meraki Support who took my call. Will watch for updates on my case.

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Same thing over here...

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Thank you for this!
New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Thanks for information!!!

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Update: overnight I began getting these for Adobe as well. There's no update on my support case.

 

Has anyone heard back from Meraki Support on what's happening here? Last I heard they were investigating and the comment here marked as "Solved" implies the same. 

 

Thanks.

Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Yes, also seeing Adobe file being reported here.

 

2 Different Files:

eutl12.acrobatsecuritysettings (SHA256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6)

eutl11.acrobatsecuritysettings (SHA256: 3ed06a6ff00c0015e85609f509b11c3cdf0ab9991d74b1d44daab7c264fd99d9)

 

No hits for these on VirusTotal, coming from an Akamai server with an Adobe URL, so pretty confident this is a false positive as well.

 

My feedback from support was that Engineering was aware of the issue, and I would get an update when it was resolved. I've not gotten an update yet and am still seeing blocks for the original Microsoft file. So it seems like the original issue is still ongoing.

 

I've whitelisted the SHA256 in AMP in most of my sites, and that clears up the alert issue.

Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Yes - we did get alerts from our 120+ MX sites, I also remember this is not the first time AMP has incorrectly flagged Microsoft updates.

Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I'm getting slammed with alerts as well. Opened a support case with Meraki, and it appears to be a false positive.
Getting noticed

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I got it too.  Thanks for the info on it. 

 

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Got this too last night. Good to know that it was a false-positive.

Meraki Employee

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Hello all,

 

This should be resolved now. The file has been mistakenly categorized as malicious, causing this to fail. The file disposition has been changed. We are truly sorry for the inconvenience. If the updates have failed, please go ahead and try again; they should go through now.

 

As of now, this is only related to Microsoft files. If you are also seeing issues with Adobe files or any other files, they should be considered a different issue; please open a ticket with Meraki support for further investigation.

 

Regards,

 

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Thanks. Does this also apply to the Adobe issue? Or just the Microsoft issue?

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I have also received numerous alerts from the Adobe files mentioned by calebbaker. Can you confirm if the file disposition has been updated for this as well?

 

Detection: W32.7B512B45B6-100.SBX.TG

eutl12.acrobatsecuritysettings (SHA256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6)

 

Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

The Adobe files, I can't help with checking the disposition on those.  (Sorry.)  You'd likely have to contact Meraki Support.

Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Adobe files are no longer showing for me as Disposition changed.

 

Seem to be all good on both.

Meraki Employee

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

At this moment, this is only in regards to Microsoft updates. Please open a ticket with Meraki support if you are also having issues with Adobe files for further investigation.

 

Thanks and regards!

 

Raj

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

You are right. Seems everything is okay now.

Great!
Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

@calebbaker @SEC_ST 

 

I spoke to Meraki support regarding eutl12.acrobatsecuritysettings (SHA256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6) and they advised this is also a false positive - most likely due to outdated MX software. Check your MX version and see what you find there.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Um... well... we're on 15.14. Although 15.15 is out 15.14 is still pretty darn new!

Thanks for the update either way... I'll ignore the Adobe stuff from last night.
Comes here often

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Here we go, round 2; 10 hours after @Raj66  declares it solved. 

 

Only 25 emails this time though.

Meraki Employee

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Hello @Dave2000 I am sorry to hear that. Is it the same update that is getting blocked again? Would you mind opening a support ticket for further investigation? 

 

Cheers!

 

Raj

Comes here often

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I still have one open from last night as well that I can update.