Why MERAKI AP are downloading a trojan ?

Solved
LUX-Merakifyer
Here to help

Why MERAKI AP are downloading a trojan ?

yesterday I got a notification about a MX event which has blocked the download of a Trojan malicious file.

till there, fine and good to hear.

But looking in details I discovered the source who downloaded it, is not a client but one of my MERAKI AP (with its named followed by its MAC adress)

 

How is it possible ?MERAKI AP blocked of downloading a malicious fileMERAKI AP blocked of downloading a malicious file

 

TimeEvent TypeProtocolURIClient NameSource IPSource PortDestination IPDestination PortClient IPClient MACFile HashFile TypeFile SizeDispositionActionDetails
23.09.2024 00:08File Scannedhttphttp://airconditionersontop.com/static/apps/437.zipap11-881544a9e348172.17.1.11 92.123.239.5880172.17.1.1188:15:44:a9:e3:480193d876b1f7515599ac8bb041779de5dcd905028d20456895f99df27b1ade0fZIP9480572MaliciousBlocked

 

 

A NEW BUG ?

1 Accepted Solution
ww
Kind of a big deal
Kind of a big deal

Do you have a ssid in nat mode?

View solution in original post

5 Replies 5
ammahend
Building a reputation

Please open a case and keep community posted. 

LUX-Merakifyer
Here to help

I did open this post to better first get the opinion of the community first.

Also I think now I know why this happens, and it's then a very interested case to keep publish for helping community later on.

So let's see if someone can find why 😉

ww
Kind of a big deal
Kind of a big deal

Do you have a ssid in nat mode?

LUX-Merakifyer
Here to help

EXACTLY. this is the right explanation (I think).

Just a pity we loose even the client's MACadress behind the AP. certainly because the MX analysis works only with IP adresses, so therefore the AP appears instead the real source...

WELL DONE 😉 I give you 1 kudo and encourage people to do so 😉

ammahend
Building a reputation

Makes perfect sense 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels