Meraki

LUX-Merakifyer · ‎Sep 24 2024

yesterday I got a notification about a MX event which has blocked the download of a Trojan malicious file.

till there, fine and good to hear.

But looking in details I discovered the source who downloaded it, is not a client but one of my MERAKI AP (with its named followed by its MAC adress)

How is it possible ?MERAKI AP blocked of downloading a malicious file

Time

Event Type

Protocol

URI

Client Name

Source IP

Source Port

Destination IP

Destination Port

Client IP

Client MAC

File Hash

File Type

File Size

Disposition

Action

Details

23.09.2024 00:08

File Scanned

http

http://airconditionersontop.com/static/apps/437.zip

ap11-881544a9e348

172.17.1.11

92.123.239.58

80

172.17.1.11

88:15:44:a9:e3:48

0193d876b1f7515599ac8bb041779de5dcd905028d20456895f99df27b1ade0f

ZIP

9480572

Malicious

Blocked

A NEW BUG ?

ww · ‎Sep 24 2024

Do you have a ssid in nat mode?

View solution in original post

ammahend · ‎Sep 24 2024

Please open a case and keep community posted.

LUX-Merakifyer · ‎Sep 24 2024

I did open this post to better first get the opinion of the community first.

Also I think now I know why this happens, and it's then a very interested case to keep publish for helping community later on.

So let's see if someone can find why 😉

ww · ‎Sep 24 2024

Do you have a ssid in nat mode?

LUX-Merakifyer · ‎Sep 24 2024

EXACTLY. this is the right explanation (I think).

Just a pity we loose even the client's MACadress behind the AP. certainly because the MX analysis works only with IP adresses, so therefore the AP appears instead the real source...

WELL DONE 😉 I give you 1 kudo and encourage people to do so 😉

ammahend · ‎Sep 24 2024

Makes perfect sense

Meraki

Community

Why MERAKI AP are downloading a trojan ?

Why MERAKI AP are downloading a trojan ?