googleusercontent.com causing Win.Trojan.NetWiredRC variant registration message

DHAnderson
Head in the Cloud

I have a client that is getting a Win.Trojan.NetWiredRC variant registration message when they try to access their web development site at googleusercontent.com. They are being denied access to that site because of the message (and I have Security in the MX set to Prevention). It appears the MySQL requests are causing the message.

I have whitelisted the site in both AMP and content filtering, but that does not solve the issue. Besides whitelisting the IDS rule, is there another way to allow traffic to and from googleusercontent.com?

Thanks,

- Dave Anderson

2 REPLIES
jdsilva
Kind of a big deal

AMP is the malware scanner, and Snort is the IDS/IPS. If it's Snort that's triggering then whitelisting in AMP probably won't help. Have you whitelisted in Snort?

 


SoCalRacer
Kind of a big deal

Check Security Center - You will find the threat there if IDS is detecting it

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Security_Center

 

Change the Mode or Ruleset down a notch and see if that resolves the issue

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection

 

99% certain the data is actually on a different URL than googleusercontent.com. I am thinking there are multiple URLs to whitelist, although not sure of them.

 

Below is a doc regarding Google Drive URLs, so it gives you some ideas

https://support.google.com/a/answer/2589954?hl=en
