W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

SOLVED
Here to help

W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Getting THOUSANDS of alerts for this at the moment (SHA256: 779c90c974a4f1d927070cbff0d17f5d1daf7bd631603530a408c15ba7bd534b).

Seems like a recent update to the Microsoft Store Windows 10 app is being incorrectly flagged by AMP.

On hold with support now, anyone else seeing the same?

ACCEPTED SOLUTION

Meraki Employee

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Hello all,

This should be resolved now. The file has been mistakenly categorized as malicious, causing this to fail. The file disposition has been changed. We are truly sorry for the inconvenience. If the updates failed, please go ahead and try again; they should go through now.

As of now, this is only related to Microsoft files. If you are also seeing issues with Adobe files or any other files, they should be considered a different issue; please open a ticket with Meraki support for further investigation.

Regards,

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
54 REPLIES
New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Only 480 events in the last hour from my network on the first email. I called support and they were about worthless until I got to the supervisor. I also emailed my sales person and the vendor I purchase it through.

8/1/2019 17:32 | File Scanned | http
URL: http://11.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/65cc1083-07ec-42e5-b5dd-a39191...
Server: 72.21.81.240:80
SHA256: 779c90c974a4f1d927070cbff0d17f5d1daf7bd631603530a408c15ba7bd534b
Type: ZIP
Size: 691677
Disposition: Malicious
Action: Blocked
New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Same here, getting a couple hundred alerts. 

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Yep, I am seeing this as well. I shut down the port the flagged PC is on but don't know the extent of what else this is. Is this really a Windows 10 update to the Store?

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Yep, receiving quite a few warnings through MX with the same hash.

SHA256: 779c90c974a4f1d927070cbff0d17f5d1daf7bd631603530a408c15ba7bd534b
Disposition: Malicious
Type: ZIP
Size: 691.7 kB

Getting noticed

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Yep, got inundated with warnings from all my sites.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Getting the same here from multiple networks and machines.

Almost certainly a false positive from AMP, unless somebody snuck something onto the Store and AMP is the first to pick up on it.

Does anybody have a copy of the file?

VirusTotal has it at 0/56: https://www.virustotal.com/gui/file/779c90c974a4f1d927070cbff0d17f5d1daf7bd631603530a408c15ba7bd534b...

Getting noticed

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Any idea of the filename and location on a PC? I should be able to get the file if I know exactly which file.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Looks like the file names are

  • Microsoft.VCLibs.140.00_14.0.27323.0_x86__8wekyb3d8bbwe.Appx
  • Microsoft.VCLibs.x86.14.00.appx

Seems to be in the Program Files for Adobe:

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

This looks like a false positive.

This is a Win X Application Package.

One on my computer is there; scanned with A/V, nothing; modified back in March...

Could be part of an update, which would explain why we're getting a lot of these alerts at this time.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Gryffindor - I see that filename in that directory, but on my system the hash (and last modified date) doesn't match that of the AMP reported hash.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I have the same result.

Copied the file from one of the clients flagged by Meraki.

And the hash doesn't match the threat hash...

Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

The hash of a binary file on disk won't necessarily match the hash Meraki sees, because Meraki sees the hash in the HTTP stream which is encoded (and possibly compressed).
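Added example (not from this thread) to make the point above concrete, and to go with the earlier posts that hashed the .appx on disk and found no match: it hashes a constructed gzip-encoded HTTP response three ways (file on disk, body as it crossed the wire, body after decoding) and reports which of them equals the hash a sensor logged. The response bytes, the package bytes and all function names are constructed for the example; for a real capture you would pass the SHA256 from the alert as `reported`.

```python
import gzip
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def compare_hashes(on_disk: bytes, raw_response: bytes, reported: str) -> dict:
    """Hash the file on disk, the body as sent on the wire and the decoded body,
    and report which of them equals the hash an inline sensor logged."""
    headers, wire_body = parse_http_response(raw_response)
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        decoded_body = gzip.decompress(wire_body)
    elif encoding == "identity":
        decoded_body = wire_body
    else:
        raise ValueError(f"unsupported Content-Encoding: {encoding}")
    hashes = {"disk": sha256_hex(on_disk),
              "wire": sha256_hex(wire_body),
              "decoded": sha256_hex(decoded_body)}
    return {"encoding": encoding, "hashes": hashes,
            "matches": {k: v == reported for k, v in hashes.items()}}

def build_gzip_response(payload: bytes) -> bytes:
    """Constructed sample: an HTTP response carrying `payload` with Content-Encoding: gzip."""
    body = gzip.compress(payload, mtime=0)
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(body))
    return head + body

def demo() -> dict:
    # Constructed stand-in for the .appx package (an .appx is a ZIP, so it starts with "PK").
    package = b"PK\x03\x04" + b"constructed appx payload " * 40
    response = build_gzip_response(package)
    # Constructed scenario: the sensor hashed the compressed stream, so its hash is the wire hash.
    _, wire_body = parse_http_response(response)
    return compare_hashes(package, response, sha256_hex(wire_body))
```

In the constructed scenario only the wire hash matches the reported value; the on-disk hash equals the decoded-body hash, which is why a file pulled from a client does not line up with the alert.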

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Yeah, I checked VirusTotal also; very odd. Sure hope it's a false positive.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

We are getting slammed with this as well.

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Getting hammered with these as well. Anyone got anything from support yet?

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Undoubtedly a sophisticated new version of ransomware that is spreading throughout all AMP networks. Perfect for how I wanted to spend my night, looking up info on my networks spamming false positives.

Kind of a big deal

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Maybe Microsoft infected a malware with Windows 10 to slow it down?

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Logged a case a few mins ago and called account rep in Aus who was at HQ with head of support. They will update me soon and I'll post here.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I opened a ticket as well, and the tech rep said they were aware of the issue and working with engineering on resolving it.

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

For the longest time I've been telling everyone that Windows is just one giant useful virus.

Glad to finally get verification.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I just got off the phone with support who said they are getting tons of calls about this, but are 100% sure it is a false positive and they have escalated internally to get it addressed so it stops flagging.

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I've been cross-checking related computers and network in Umbrella and not seeing anything; has to be a false positive, I hope.

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Also, is anyone else noticing that the timestamp is not today's date?

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Same same, getting lots of flags and retroactive flags.

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

We're seeing this too.

Rapid7 hasn't reported to us and Umbrella is showing nothing.

I'm with everyone else and hope it's a false positive!

Conversationalist

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Just got off the phone with Meraki Support.

The representative said that it was a false positive and AMP was blocking Windows updates. Engineering was working to get it resolved. I had already opened a ticket, so he posted the below information to the ticket and said the ticket would be updated when engineering had more information.

PROBLEMS DISCUSSED:
- AMP blocking Windows update.

------------------------
ACTIONS TAKEN:
- File in question: W32.779C90C974-100.SBX.TG

------------------------
NEXT STEPS:
- Further investigate this malicious activity.
- Keep the customer posted with updates.

[Mod note 1 August: Marking as solution for greater visibility!]

[Mod note 2 August: Un-marking as solution now that we have an update from Raj at Meraki]

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Thank you for this!
Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Yes, we did get alerts from our 120+ MX sites. I also remember this is not the first time AMP has incorrectly flagged Microsoft updates.

Getting noticed

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I got it too.  Thanks for the info on it. 

Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Thanks. Does this also apply to the Adobe issue? Or just the Microsoft issue?

Meraki Employee

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

At this moment, this is only in regards to Microsoft updates. Please open a ticket with Meraki support if you are also having issues with Adobe files, for further investigation.

Thanks and regards!

Raj

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I have also received numerous alerts from the Adobe files mentioned by calebbaker. Can you confirm if the file disposition has been updated for this as well?

Detection: W32.7B512B45B6-100.SBX.TG

eutl12.acrobatsecuritysettings (SHA256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6)

Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

The Adobe files, I can’t help with checking the disposition on those (sorry). You’d likely have to contact Meraki Support.

Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Adobe files are no longer showing for me as "Disposition changed".

Seems to be all good on both.

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

You are right. Seems everything is okay now.

Great!
Comes here often

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Here we go, round 2; 10 hours after @Raj66 declares it solved.

Only 25 emails this time though.

Meraki Employee

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Hello @Dave2000, I am sorry to hear that. Is it the same update that is getting blocked again? Would you mind opening a support ticket for further investigation?

Cheers!

Raj

Comes here often

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

I still have one open from last night as well that I can update.

Comes here often

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

@Raj66 updated my ticket. I am sure the support guy Indy Cao is thrilled to see it still happening. 

Comes here often

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

We're getting these as well on our FTD VPN FWs with AMP:

<*- Network Based Malware From "VPN-FTD01" at Mon Aug  5 20:31:33 2019 UTC -*>

Sha256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6 Disposition: Malware Threat name: W32.7B512B45B6-100.SBX.TG IP Addresses: x.x.x.x<-23.204.228.68

However, Talos shows it as clean...

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Is there a report available detailing this issue and what has been put in place to prevent this from happening again? Looking for something to send out to our clients detailing this false positive.

Comes here often

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

@Josh214 It is rather unlikely there is a report yet. Despite the thread indication it is "solved", I still have 2 open cases with support. 

Comes here often

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

In my case this was partly due to a setting (my issue was with AMP on ASA firewalls, but similar database): in the management console for the file policy you can tell it to override Talos' disposition based on the ThreatGrid score. TAC said that because of the way the update file works it is capable of being malicious, so it gets a very high threat score. In our case, we told our appliances to mark it as malware if the threat score was Very High. Not sure if this is relatable to you guys but wanted to mention it.

Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Ooof... nothing like a Thursday night fire drill!

Thanks to Meraki Support who took my call. Will watch for updates on my case.

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Same thing over here...

New here

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Thanks for information!!!

Here to help

Re: W32.779C90C974-100.SBX.TG / ArchiveFile - Disposition Changed

Update: overnight I began getting these for Adobe as well. There's no update on my support case.

Has anyone heard back from Meraki Support on what's happening here? Last I heard they were investigating, and the comment here marked as "Solved" implies the same.

Thanks.
