https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4814020#M7463 <P>IIRC that's VLC</P> <P>Root cause for "what is going on" isn't done yet... I'll post it in the community if it gets sent to me.&nbsp;</P> <P>&nbsp;</P> Thu, 13 Apr 2023 19:24:13 GMT Ken Stieers 2023-04-13T19:24:13Z https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4813844#M7451 <DIV><H3><SPAN class="">False positive? &nbsp;Just got a bunch of these off multiple MXs.</SPAN></H3><P>&nbsp;</P><DIV>MD5 : 346cac4d1166ef87ab7617fc977f7dd4</DIV><DIV>SHA-1 d4bf1fc804bef6293d867c5f250191860044639c</DIV><DIV>SHA-256 975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562</DIV><DIV>Vhash 3872fcc78e34962257f24cc7728ffae1</DIV><DIV>SSDEEP 12288:ytHbQKCiPwXtnn9X25lauYsoRy5T9LlHbAlZ2A1w/ccW9ZbGwHbK+L65E7heqTxm:GhPwXtn9X25lvoUna2/clhK+L3EqRzi</DIV><DIV>TLSH T1F41512D014A648EBC530523EDC105E32B8A214885FB157F473F2B56EDADADB8E056FCA</DIV><DIV>File type ZIP</DIV><DIV>Magic data</DIV><DIV>TrID MSIX Windows app package (84.1%) &nbsp; ZIP compressed archive (12.6%) &nbsp; PrintFox/Pagefox bitmap (640x800) (3.1%)</DIV><DIV>File size 885.40 KB (906653 bytes)</DIV><DIV>&nbsp;</DIV><H4>Processes Tree:&nbsp;4008 - VLC</H4><P>&nbsp;</P><P>Endpoint:&nbsp;</P><H3><SPAN class="">1d.tlu.dl.delivery.mp.microsoft.com</SPAN></H3></DIV><DIV>SHA256 : 975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562</DIV><DIV>Disposition : Malicious</DIV><DIV><DIV class="">&nbsp;</DIV><DIV class="">Type : ZIP</DIV><DIV class="">&nbsp;</DIV><DIV class=""><DIV class="">Size : 906653 bytes</DIV><DIV class="">&nbsp;</DIV><DIV class="">Thanks.</DIV></DIV></DIV> Thu, 13 Apr 2023 15:10:32 GMT https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4813844#M7451 brentb2529 2023-04-13T15:10:32Z https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4813849#M7453 <P>yep, FP, they just cleared that one.&nbsp;&nbsp;</P> <P>&nbsp;</P> Thu, 13 Apr 2023 15:13:00 GMT https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4813849#M7453 Ken Stieers 2023-04-13T15:13:00Z https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4814011#M7459 <P>So what is it?&nbsp; I got 5000 emails from a customer across their entire network.&nbsp; We had to shutdown FMC altogether.&nbsp; What's going on?</P> Thu, 13 Apr 2023 18:55:18 GMT https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4814011#M7459 Jeff Cooper 2023-04-13T18:55:18Z https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4814014#M7460 <P>I'm wondering which SHA-256 are you getting alerted?</P> <P>Also if this matches the initial one, I would suggest you open a TAC case with FMC, since this SHA-256 is already marked as clean, and probably is not being populated to your device, correctly.</P> <P>SHA-256:&nbsp;<SPAN>975c0d48c41d2ad76a242d5f7270f4bf8063bb9c753b375ab2c47c9e2060f562</SPAN></P> <P><SPAN>--</SPAN></P> <P><SPAN>Pedro M.</SPAN></P> Thu, 13 Apr 2023 19:12:10 GMT https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4814014#M7460 pmedinac 2023-04-13T19:12:10Z https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4814020#M7463 <P>IIRC that's VLC</P> <P>Root cause for "what is going on" isn't done yet... I'll post it in the community if it gets sent to me.&nbsp;</P> <P>&nbsp;</P> Thu, 13 Apr 2023 19:24:13 GMT https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4814020#M7463 Ken Stieers 2023-04-13T19:24:13Z https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4814129#M7467 <P>This appears to have killed my FMC, I have awoken to the /Volume being 100% full and FMC not functioning.</P> Thu, 13 Apr 2023 23:07:21 GMT https://community.cisco.com/t5/endpoint-security/vlc-exe-marked-as-w32-975c0d48c4-ret-sbx-tg/m-p/4814129#M7467 Damon Kalajzich 2023-04-13T23:07:21Z