googleusercontent.com causing Win.Trojan.NetWiredRC variant registration message

I have a client that is getting a Win.Trojan.NetWiredRC variant registration message when they try to access their web development site at googleusercontent.com.  They are being denied access to that site because of the message (and I have Security in the MX set to Prevention).  It appears the MySQL requests are causing the message.

 

I have whitelisted the site in both AMP and content filtering, but that does not solve the issue.  Besides whitelisting the IDS rule, is there another way to allow traffic to and from googleusercontent.com?

 

Thanks,

 

- Dave Anderson


Re: googleusercontent.com causing Win.Trojan.NetWiredRC variant registration message

AMP is the malware scanner, and Snort is the IDS/IPS. If it's Snort that's triggering then whitelisting in AMP probably won't help. Have you whitelisted in Snort?

 



Re: googleusercontent.com causing Win.Trojan.NetWiredRC variant registration message

Check Security Center - You will find the threat there if IDS is detecting it

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Security_Center

 

Change the Mode or Ruleset down a notch and see if that resolves the issue

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection

 

99% certain the data is actually on a different URL than googleusercontent.com. I am thinking there are multiple URLs to whitelist, although not sure of them.

 

Below is a doc regarding Google Drive URLs, so it gives you some ideas

https://support.google.com/a/answer/2589954?hl=en
