topic yes I've received same canned in Network Security

Malware false positives after Windows update releases 10.november

Steelyboy77 — Wed, 11 Nov 2015 08:15:00 GMT

Is anyone else experiensing alot of what i think is FP from microsoft updates last night?

I have alot of events from Firesight this night, and all of them seem to be different windows updates

Network Based Malware , and the Threath name is variants of : W32.Auto

One of the updates that generate events are: https://support.microsoft.com/de-de/kb/3104507

Im not sure how to handle this, and any inputs would be great 🙂

I have used Whitelist on this specific update, but there are so many more. Do you think Sourcefire will update rules today to fix this?

Thanks in advance

EDIT: There was an update rule from yesterday, that addressed these problems so it would not generate events. Updated and all is good 🙂

EDIT 2: It's not All good.. i still receives ALOT of events regarding windows updates related to Win32.Auto rule

We are also seeing many of

Corey Melhus — Wed, 11 Nov 2015 16:11:23 GMT

We are also seeing many of these this starting last night and continuing this morning. They all originate from Windows updates, Flash updates, or Chrome updates.

https://www.virustotal.com/en-gb/file/54c0d1de00c650689c52080b8b4757f35c078f8d86da13c90601a6f6fd070aae/analysis/

detected as: W32.Auto.0372C6.182366.in02

https://www.virustotal.com/en-gb/file/36c291265b8ad791f0c004bd7e13addb217b96dce8cdd5bfcc9e4b3d88af82ab/analysis/

detected as: W32.File.MalParent

https://www.virustotal.com/en-gb/file/021b8b9bcac980aa32433919dfdc7d6eb96d5b45976786f5cdf8c22099590c2a/analysis/

detected as: W32.Auto.22510C.182440.in02

https://www.virustotal.com/en-gb/file/62a3898ef96a01fc1b2accb9bb36c56262e7896bb801534eb6d7e45d562930be/analysis/

detected as: W32.DFC.MalParent

https://www.virustotal.com/en-gb/file/9512b8b43db434c5eb6c461c8febc41ce6718e93f286637b5948a86dd773d886/analysis/

detected as: W32.Auto.740FDA.182447.in02

All appear to be false positives from everything we can tell.

Was anyone able to open a

kaustubhmhatre — Wed, 11 Nov 2015 16:54:05 GMT

Was anyone able to open a Cisco case opened to detect this? Few of which we are seeing are below. These are still continuing throughout this morning.

W32.Auto.357267.182447.in01
W32.Auto.83c528.182440.in01
W32.Auto.61CF22.182446.in02
W32.Auto.9ca11c.182445.in01

I dont think they are false

stephan — Wed, 11 Nov 2015 17:26:39 GMT

I dont think they are false positive they have weird names

Some of them now start to

Steelyboy77 — Wed, 11 Nov 2015 19:22:56 GMT

Some of them now start to come back as Clean. Network based retrospective notifications.

Like this one, with verified signature: https://www.virustotal.com/nb/file/bebfbec521bea1c745533758908fc122fd1edca6ba54277fcce2d219832babdf/analysis/

I've received same. Opened

masmith0324 — Thu, 12 Nov 2015 01:46:11 GMT

I've received same. Opened case about 12 hours ago. They said Talos was investigating and then i started seeing them come back as clean. But then again this afternoon the alerts kicked up again. I believe you can reproduce by having a system go out to microsoft and check for updates. it's definitely related to the patches that were release by microsoft yesterday

This thread has some more

Corey Melhus — Thu, 12 Nov 2015 21:32:15 GMT

This thread has some more info including acknowledgement that these are false positives from TAC: https://supportforums.cisco.com/discussion/12702996/amp-blocking-windows-updates

yes I've received same canned

masmith0324 — Thu, 12 Nov 2015 21:57:47 GMT

yes I've received same canned answer. Still getting alerts so I guess updates havent propagated out yet.