Webroot AMP

SOLVED
NordOps
Getting noticed


Any Webroot users out there seeing issues with AMP?

 

We've received new information from the Advanced Malware Protection (AMP) cloud about 1 file downloaded on your
The following files were determined to be malicious in retrospect:
File Hash:
54fd619d136646c014ca6e270e4a483dce033894c918a462b5a0352290ce95db
Download Info:

 

The AMP alert shows a wsasme.exe file on Webroot's site.

 

I opened a case to see if it's a false positive, but we've had a few customers that got flagged around the same time.
 

1 ACCEPTED SOLUTION
Arthur-BH
Conversationalist

I just received an update on the case we had open with Meraki from the support engineer:

 

I have looked into this more, and it looks like that hash file is being flagged as malicious by Talos Intelligence, and we have already opened tickets with them to change the reputation. Also note that we can confirm this is a false positive, as WebRoot and VirusTotal have also confirmed the file is not malicious.


6 REPLIES
JRMM
New here

We are experiencing the same thing.  

 

Seems to be a good hash file.

 

https://www.virustotal.com/gui/file/54fd619d136646c014ca6e270e4a483dce033894c918a462b5a0352290ce95db...

 

NordOps
Getting noticed

Thanks for the feedback. Some of the Webroot documentation seems to point to that URL, so I think it's just an AMP update that flagged the file's disposition as malicious, or maybe it didn't like that the computers were trying to run executables from a website.

jptagana
Here to help

We have received the same from our customers. Is this really safe?

Arthur-BH
Conversationalist

Same here, all of our MXs threw alerts yesterday regarding this file and I have seen no other posts on it other than this one. I also opened a Meraki case; however, they were less than helpful, responding "Occasionally the MX appliance may block a file or URL that is deemed safe by the administrator. In that case, you can tell MX to allow the download of the content or web page by allowing the content."

 

We are treating it as a false positive at our org.

 

 

DrewAustin
New here

We are getting the same issue here.

