Meraki

DHAnderson · ‎Jul 18 2019

I have a client that is getting a Win.Trojan.NetWiredRC variant registration message when they try to access their web development site at googleusercontent.com. They are being denied access to that site because of the message (and I have Security in the MX set to Prevention). I appears the MySQL requests are causing the message.

I have whitelisted the site in both AMP and content filtering, but that does not solve the issue. Besides whitelisting the IDS rule, is there another way to allow traffic to and from googleusercontent.com?

Thanks,

- Dave Anderson

Dave Anderson

jdsilva · ‎Jul 18 2019

AMP is the malware scanner, and Snort is the IDS/IPS. If it's Snort that's triggering then whitelisting in AMP probably won't help. Have you whitelisted in Snort?

http://blog.brokennetwork.ca |

@jdsilva

SoCalRacer · ‎Jul 18 2019

Check Security Center - You will find the threat there if IDS is detecting it

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Security_Center

Change the Mode or Ruleset down a notch and see if that resolves the issue

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection

99% certain the data is actually on a different URL that googleusercontent.com. I am thinking there are multiple URLs to whitelist, although not sure of them.

Below is a doc regarding Google Drive URLs, so it gives you some ideas

https://support.google.com/a/answer/2589954?hl=en

Meraki

Community

googleusercontent.com causing Win.Trojan.NetWiredRC variant registration message

googleusercontent.com causing Win.Trojan.NetWiredRC variant registration message