Just to add, though it's all coincidental at this point, there was recent case where Microsoft CAB files appear to be "too deep" for Cisco's deep packet inspection algorithms. Apparently, the default behavior is; if the FW cannot inspect the file, it drops the traffic. What this meant was that any attempts to update devices via windows update would end in failure. Windows update would throw generic errors and the firewall would just flag MSCAB files it couldn't upload to cloud analysis. So one is left with the choice of automatically allowing traffic through that is "x" layers too deep to be scanned or break windows updates. ... View more

It's not a false positive..."it matches a signature". "Whitelist if you believe it's safe". It's not the alert existing that is the problem. Granted I have not seen the surge since but this response from Meraki seems less than helpful.  ... View more

I can confirm that of 12 sites I have seen this anomaly, 1 "spiked" on Tuesday 6th, the next site was Friday 9th, the other 10 all on Wednesday the 14th. Hope this isn't another "microsoft traffic = BAD" situation. These sites do use Microsoft cloud services of one form or another. ... View more