https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438448#M2343 <HTML><HEAD></HEAD><BODY><P>Has anybody else experienced AMP blocking one of the last Microsoft updates.&nbsp; The file blocked is below along with threat name and hash.&nbsp; Also, is there a portal that gives more information on these threat names?&nbsp; </P><P></P><P></P><P><A class="jive-link-external-small" href="http://wsus.ds.download.windowsupdate.com/c/msdownload/update/software/secu/2015/10/ndp40-kb3098778-x86_0cac0a1d839d5db8363adb9d0d0633782e72cd9e.exe" rel="nofollow" target="_blank">http://wsus.ds.download.windowsupdate.com/c/msdownload/update/software/secu/2015/10/ndp40-kb3098778-x86_0cac0a1d839d5db8363adb9d0d0633782e72cd9e.exe</A></P><P></P><P>W32.Auto.EDEE5F.182447.in02</P><P></P><P>aaacf792b9f7596ce9888eda0a8593dd553b44a0615109fc068e1f96212c43f4</P><P>AAACF792B9F7596CE9888EDA0A8593DD553B44A0615109FC068E1F96212C43F4</P></BODY></HTML> Fri, 21 Feb 2020 05:29:42 GMT Austin Clark 2020-02-21T05:29:42Z https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438448#M2343 <HTML><HEAD></HEAD><BODY><P>Has anybody else experienced AMP blocking one of the last Microsoft updates.&nbsp; The file blocked is below along with threat name and hash.&nbsp; Also, is there a portal that gives more information on these threat names?&nbsp; </P><P></P><P></P><P><A class="jive-link-external-small" href="http://wsus.ds.download.windowsupdate.com/c/msdownload/update/software/secu/2015/10/ndp40-kb3098778-x86_0cac0a1d839d5db8363adb9d0d0633782e72cd9e.exe" rel="nofollow" target="_blank">http://wsus.ds.download.windowsupdate.com/c/msdownload/update/software/secu/2015/10/ndp40-kb3098778-x86_0cac0a1d839d5db8363adb9d0d0633782e72cd9e.exe</A></P><P></P><P>W32.Auto.EDEE5F.182447.in02</P><P></P><P>aaacf792b9f7596ce9888eda0a8593dd553b44a0615109fc068e1f96212c43f4</P><P>AAACF792B9F7596CE9888EDA0A8593DD553B44A0615109FC068E1F96212C43F4</P></BODY></HTML> Fri, 21 Feb 2020 05:29:42 GMT https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438448#M2343 Austin Clark 2020-02-21T05:29:42Z https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438449#M2344 <HTML><HEAD></HEAD><BODY><P>Hi Austin,</P><P></P><P>Thanks for reaching out to us.</P><P></P><P>The following site operated by Cisco TALOS provides more information on our naming conventions for AMP.</P><P>http://www.talosintel.com/amp-naming/</P><P></P><P></P><P>Thanks and best regards,</P><P>Shyue Hong</P><P>--</P><P>Shyue Hong Chuang</P><P>Technical Marketing Engineer</P><P>Security Business Group</P><P>Cisco Systems</P><P>Email: schuang@cisco.com</P><P>Tel: +65 6317 5352</P></BODY></HTML> Wed, 11 Nov 2015 15:23:55 GMT https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438449#M2344 schuang 2015-11-11T15:23:55Z https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438450#M2345 <HTML><HEAD></HEAD><BODY><P>Can you explain what "Conviction of a file that takes place directly upon import (without Detonation)" means? </P><P><BR />I'm a bit ignorant on this topic. Is this something that was convicted due to dynamic analysis or is the definition in a database somewhere? </P></BODY></HTML> Wed, 11 Nov 2015 15:35:57 GMT https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438450#M2345 Austin Clark 2015-11-11T15:35:57Z https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438451#M2346 <HTML><HEAD></HEAD><BODY><P>Hi Austin,</P><P></P><P>It does look like the definition is in the AMP DB and returns as malicious based on a hash lookup without any (dynamic analysis) sandbox detonation. I did run it through the a Sandbox anyway to understand what is triggering and it does exhibit some behaviours but perhaps our malware research team may need to take a closer look. The following are a summary of the behavioral indicators flagged:</P><P>File Name of Executable on Disk Does Not Match Original File Name</P><P>Alternate Data Stream File Creation Detected</P><P>Process Modified an Executable File</P><P>Process Modified File in a User Directory</P><P>Downloaded PE Executable</P><P>Potential Code Injection Detected</P><P>Executable with Encrypted Sections</P><P>Outbound HTTP GET Request From URL Submission</P><P></P><P></P><P>Thanks and best regards,</P><P>Shyue Hong</P></BODY></HTML> Wed, 11 Nov 2015 15:56:19 GMT https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438451#M2346 schuang 2015-11-11T15:56:19Z https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438452#M2347 <HTML><HEAD></HEAD><BODY><P>Hi, Austin.&nbsp; Thanks for the question.&nbsp; This is actually a really timely coincidence, since today we happen to have several tech experts monitoring this very board for AMP questions.&nbsp; So the fact that we happen to have a couple of high-profile false positive incidents coming up today -- rare, but does happen from time to time -- actually gives me a great opportunity to explain how AMP works in situations like this.</P><P></P><P>Specifically for situations like this, there is the "whitelist" feature.&nbsp; Any time you find something that AMP classifies as a threat, but that you know to be benign, you can immediately resolve it via <STRONG>Application Control &gt; Whitelists</STRONG>.&nbsp; Create a whitelist and add the SHA-256 of the file in question, and your AMP deployment will not convict the file.</P><P></P><P>Cisco works very hard to avoid falsely convicting files, but like I said, accidents and mis-classifications will happen occasionally.&nbsp; Our product has been built with this reality in mind.&nbsp; Our Talos team should have the underlying issue corrected soon, but you have complete control yourself in the meanwhile.</P></BODY></HTML> Wed, 11 Nov 2015 15:57:27 GMT https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438452#M2347 brmcmaho 2015-11-11T15:57:27Z https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438453#M2348 <HTML><HEAD></HEAD><BODY><P>That's really good information.&nbsp; I was aware of the white list capability but was searching for a definite answer before doing so.&nbsp; My searches online didn't return any info like I expected due to the high profile nature.&nbsp;&nbsp; </P><P></P><P>Furthermore, I believe wsus got the update anyway via https.&nbsp;&nbsp;&nbsp; Immunet(clamAV) on my PC responded shortly after with some quarantined items.&nbsp; I'm not 100% sure that they're related as the filenames are different but I can post that information if you're curious. </P></BODY></HTML> Wed, 11 Nov 2015 16:09:51 GMT https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438453#M2348 Austin Clark 2015-11-11T16:09:51Z https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438454#M2349 <HTML><HEAD></HEAD><BODY><P>Yes what a coincidence.</P><P>We started getting several false positives yesterday including Google Chrome updates, Internet Explorer updates... we were told that the developers are working on it.</P><P>Patrick</P></BODY></HTML> Wed, 11 Nov 2015 16:17:56 GMT https://community.cisco.com/t5/endpoint-security/amp-blocks-microsoft-update-to-wsus-server/m-p/3438454#M2349 Patrick Moubarak 2015-11-11T16:17:56Z