Same here, getting a couple hundred alerts. 

Yep - I am seeing this as well.  I shut down the port the flagged pc is on but don't know the extent of what else this is.  Is this really a windows 10 update to the store?????

Any idea of the filename and location on a PC? I should be able to get the file if I know exactly which file.

Looks like the file names are 

This looks like a false positive.

This is a Win X Application Package.

One on my computer is there, scanned with A/V nothing, modified back in March...

Could be part of an update, which would explain why we're getting a lot of these alerts at this time.

Gryffindor - I see that filename in that directory, but on my system the hash (and last modified date) doesn't match that of the AMP reported hash.

I have the same result.

Copied the file from one of the clients flagged by Meraki.

And the hash doesn't match the threat hash...

The hash of a binary file on disk won't necessarily match the hash Meraki sees, because Meraki sees the hash in the HTTP stream which is encoded (and possibly compressed).

Yeah i checked VirusTotal also - very odd - sure hope its a false positive.

Maybe Microsoft infected a malware with Windows 10 to slow it down?

I opened a ticket as well and the tech rep said they were aware of the issue and working with engineering on resolving it

Yes - we did get alerts from our 120+ MX sites, I also remember this is not the first time AMP has incorrectly flagged Microsoft updates.

I got it too.  Thanks for the info on it. 

Thanks. Does this also apply to the Adobe issue? Or just the Microsoft issue?

At this moment. This is only in regards to Microsoft updates. Please open a ticket with meraki support if you are also having issues with Adobe files for further investigation.

Thanks and regards!

Raj

At this moment. This is only in regards to Microsoft updates. Please open a ticket with Meraki support if you are also having issues with Adobe files for further investigation.

Thanks and regards!

Raj

I have also received numerous alerts from the Adobe files mentioned by calebbaker. Can you confirm if the file desposition has been updated for this as well?

Detection: W32.7B512B45B6-100.SBX.TG

eutl12.acrobatsecuritysettings (SHA256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6)

The adobe files, I can’t help with checking the disposition on those.  (Sorry).  You’d likely have to contact Meraki Support.

Adobe files are no longer showing for me as Disposition changed.

Seem to be all good on both.

Here we go, round 2; 10 hours after @Raj66  declares it solved. 

Only 25 emails this time though.

Hello @Dave2000 I am sorry to hear that. Is it the same update that is getting blocked again? Would you mind opening a support ticket for further investigation? 

Cheers!

Raj

@Raj66 updated my ticket. I am sure the support guy Indy Cao is thrilled to see it still happening. 

We're getting these as well on our FTD VPN FWs with AMP

<*- Network Based Malware From "VPN-FTD01" at Mon Aug  5 20:31:33 2019 UTC -*>

Sha256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6 Disposition: Malware Threat name: W32.7B512B45B6-100.SBX.TG IP Addresses: x.x.x.x<-23.204.228.68

However Talos shows it as clean...

Is there a report available detailing this issue and what has been put in place to prevent this from happening again? Looking for something to send out to our clients detailing this false positive.

@Josh214 It is rather unlikely there is a report yet. Despite the thread indication it is "solved", I still have 2 open cases with support. 

In my case - this was partly due to a setting (my issue was with AMP on ASA firewalls but similar database) was that in the management console for the file policy you can tell it to override Talo's disposition based on the ThreatGrid score.  TAC said because the way the update file works it is capable of being malicious so it gives it a very high threat score. In our case, we told our appliances to mark it as malware if the threat score was Very High.  Not sure if this is relatable to you guys but wanted to mention it

Heads up, just got a blockage for another update. 

W32.B8E3DD9E82-95.SBX.TG

Heads up, we just got a blockage for another update

Yes, also seeing Adobe file being reported here.

2 Different Files:

eutl12.acrobatsecuritysettings (SHA256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6)

eutl11.acrobatsecuritysettings (SHA256: 3ed06a6ff00c0015e85609f509b11c3cdf0ab9991d74b1d44daab7c264fd99d9)

No hits for these on VirusTotal, coming from an Akamai server with an Adobe URL, so pretty confident this is false positive as well.

My feedback from support was that Engineering was aware of the issue, and I would get an update when it was resolved. I've not gotten an update yet and still seeing blocks for the original Microsoft file. So seems like original issue is still ongoing.

I've whitelisted the SHA256 in AMP in most of my sites, and that clears up the alert issue.