This should be resolved now. The file has been mistakenly categorized as malicious causing this to fail. File deposition has been changed. We are truly sorry for the inconvenience. If the updates are failed, please go ahead and try again, they should go through now.
As of now, this is only related to Microsoft files. if you are also seeing issues with Adobe files or any other files. They should be considered as a different issue and please open a ticket with Meraki support for further investigation.
Regards,
Raj
If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
Only 480 events in the last hour from my network on the first email. I called support and they were about worthless until I got to the supervisor. I also emailed my sales person and the vendor I purchase it through.
Yep - I am seeing this as well. I shut down the port the flagged pc is on but don't know the extent of what else this is. Is this really a windows 10 update to the store?????
The hash of a binary file on disk won't necessarily match the hash Meraki sees, because Meraki sees the hash in the HTTP stream which is encoded (and possibly compressed).
Undoubtedly a sophisticated new version of ransomware that is spreading throughout all Amp networks. Perfect for how I wanted to spend my night, looking up info on my networks spamming false positives.
I just got off the phone with support who said they are getting tons of calls about this, but are 100% sure it is a false positive and they have escalated internally to get it addressed so it stops flagging.
Representative said that it was a False Positive and AMP was blocking windows updates. Engineering was working to get it resolved. I had already opened a ticket so he posted the below information to the ticket and said the ticket would be updated when engineering had more information.
PROBLEMS DISCUSSED: - AMP blocking Windows update.
------------------------ ACTIONS TAKEN: - File in question: W32.779C90C974-100.SBX.TG
------------------------ NEXT STEPS: - Further investigate this malicious activity. - Keep the customer posted with updates.
[Mod note 1 August: Marking as solution for greater visibility!]
[Mod note 2 August: Un-marking as solution now that we have an update from Raj at Meraki]
This should be resolved now. The file has been mistakenly categorized as malicious causing this to fail. File deposition has been changed. We are truly sorry for the inconvenience. If the updates are failed, please go ahead and try again, they should go through now.
As of now, this is only related to Microsoft files. if you are also seeing issues with Adobe files or any other files. They should be considered as a different issue and please open a ticket with Meraki support for further investigation.
Regards,
Raj
If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
At this moment. This is only in regards to Microsoft updates. Please open a ticket with meraki support if you are also having issues with Adobe files for further investigation.
Thanks and regards!
Raj
If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
At this moment. This is only in regards to Microsoft updates. Please open a ticket with Meraki support if you are also having issues with Adobe files for further investigation.
Thanks and regards!
Raj
If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
I have also received numerous alerts from the Adobe files mentioned by calebbaker. Can you confirm if the file desposition has been updated for this as well?
Hello @Dave2000 I am sorry to hear that. Is it the same update that is getting blocked again? Would you mind opening a support ticket for further investigation?
Cheers!
Raj
If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
Is there a report available detailing this issue and what has been put in place to prevent this from happening again? Looking for something to send out to our clients detailing this false positive.
In my case - this was partly due to a setting (my issue was with AMP on ASA firewalls but similar database) was that in the management console for the file policy you can tell it to override Talo's disposition based on the ThreatGrid score. TAC said because the way the update file works it is capable of being malicious so it gives it a very high threat score. In our case, we told our appliances to mark it as malware if the threat score was Very High. Not sure if this is relatable to you guys but wanted to mention it
Update: overnight I began getting these for Adobe as well. There's no update on my support case.
Has anyone heard back from Meraki Support on what's happening here? Last I heard they were investigating and the comment here marked as "Solved" implies the same.
No hits for these on VirusTotal, coming from an Akamai server with an Adobe URL, so pretty confident this is false positive as well.
My feedback from support was that Engineering was aware of the issue, and I would get an update when it was resolved. I've not gotten an update yet and still seeing blocks for the original Microsoft file. So seems like original issue is still ongoing.
I've whitelisted the SHA256 in AMP in most of my sites, and that clears up the alert issue.
I spoke to Meraki support regarding eutl12.acrobatsecuritysettings (SHA256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6) and they advised this is also a false positive - most likely due to outdated MX software. Check your MX version and see what you find there.
Same here. Currently on hold with MERAKI. More than likely it's an update from Microsoft. Blocked the IP CISCO Endpoint until a determination can be made.
Intrestingly enough it came in from 72.21.81.240 - Edgecast in Dallas County, TX. If it was from Microsoft why Edgecast. I used ip2location.com to find out.
Exact same SHA-256: 975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562 with same IP 72.21.81.240
I had a couple of users with the "Try New Outlook" toggle switch in Outlook yesterday, including myself. I took steps with registry edit to force the toggle switch to be seen by more users. I also believe that toggle switch in Outlook is not used anymore but I could be wrong. Long story short, I made changes late yesterday for Office 365 so certain users could access the Office preview channel. It might be a coincidence so please take this with a grain of salt.
(I am more or less "relieved" others are having the same issue so I know I didn't break anything....)
We didn't have the innovations back in the 50's that we do now. If it's NOT broke don't fix it. Besides what're we talking about, messing with the windows registry. You call that innovation?
Where have you been since 1995 while using Windows?? Still same ol' Windows with a fresh coat of paint, every other year. Microsoft is the one calling it innovation😃
Unless you have no Windows client to administer then good for you and apologies.
If this is a Microsoft package update why is the originating IP 72.21.81.240 (edgecast.com) . Is this a Microsoft owned company? I'm sitll blocking the IP / port within my CISCO Secure EndPoint Advantage dashboard, Check it out for yourself. I use ip2location.com and type in the IP. Look at the results.
