11-12-2015 06:40 AM - last edited on 02-21-2020 11:08 PM by cc_security_adm
I have an ASA 5516 installed at two clients and both are reporting some Windows Updates are being blocked by AMP. I looked at the Files->Malware events and there are a number of .cab files being tagged as malware. Not sure why this is happening and would like to know if there is a solution other than adding those files to the clean list.
Here is one of the alerts (scrubbed) from one of my clients:
><*- Network Based Malware
>From "192.168.x.x" at Thu Nov 12 02:43:57 2015 UTC -*>
>Sha256: c185927546db202a75dd47d7c32d19dbd2e477326741686d08b65e5b44f0834b
>Disposition: Malware
>Threat name: W32.Variant:GenMaliciousDYI.18mf.1201
>IP Addresses: 192.168.x.x<-69.31.21.26 ------> This address is owned by Akamai Technologies, who is a Content Delivery Network. I assume MS uses them to deliver updates.
My laptop is also running AMP for Endpoints and popped up alerts about these threats.
TIA for any suggestions,
Dan
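As an added example (not from the original post, and not Cisco's own tooling), here is a small parser for the alert layout quoted above, plus the two checks an admin would want before opening a case or touching the clean list: group the events by SHA-256 to see how many hosts and which external addresses are involved, and confirm that the hash of a locally held .cab really is the hash in the alert. The record layout, field names and the second sample alert are assumptions built from the quoted text; the SHA-256 and threat name are the ones shown in the post, and the internal addresses stay scrubbed as posted.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of the alert quoted in the post. The hash and
# threat name are the ones shown there; the second record is invented to show
# grouping across two hosts. Internal addresses are scrubbed as in the post.
SAMPLE_ALERTS = """\
<*- Network Based Malware
From "192.168.x.x" at Thu Nov 12 02:43:57 2015 UTC -*>
Sha256: c185927546db202a75dd47d7c32d19dbd2e477326741686d08b65e5b44f0834b
Disposition: Malware
Threat name: W32.Variant:GenMaliciousDYI.18mf.1201
IP Addresses: 192.168.x.x<-69.31.21.26
<*- Network Based Malware
From "192.168.x.y" at Thu Nov 12 03:10:02 2015 UTC -*>
Sha256: c185927546db202a75dd47d7c32d19dbd2e477326741686d08b65e5b44f0834b
Disposition: Malware
Threat name: W32.Variant:GenMaliciousDYI.18mf.1201
IP Addresses: 192.168.x.y<-69.31.21.26
"""


@dataclass(frozen=True)
class MalwareEvent:
    host: str          # internal address the file was delivered to
    timestamp: str     # timestamp string as printed in the alert
    sha256: str        # hex SHA-256 of the flagged file
    disposition: str   # e.g. "Malware"
    threat_name: str   # detection name as printed in the alert
    external_ip: str   # address the file came from


# One regex per field line; the record starts at "<*- Network Based Malware"
# and the "IP Addresses:" line is treated as its last line (assumed layout).
FIELD_RE = {
    "header": re.compile(r'^From "([^"]+)" at (.+?) -\*>$'),
    "sha256": re.compile(r"^Sha256:\s*([0-9a-fA-F]{64})$"),
    "disposition": re.compile(r"^Disposition:\s*(.+)$"),
    "threat_name": re.compile(r"^Threat name:\s*(.+)$"),
    "ips": re.compile(r"^IP Addresses:\s*([^<\s]+)<-(\S+)$"),
}
REQUIRED = ("host", "timestamp", "sha256", "disposition", "threat_name", "external_ip")


def parse_alerts(text: str) -> List[MalwareEvent]:
    """Parse one or more alert records into MalwareEvent objects."""
    events: List[MalwareEvent] = []
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<*- Network Based Malware"):
            fields = {}          # a new record starts; discard any partial one
            continue
        for key, rx in FIELD_RE.items():
            m = rx.match(line)
            if not m:
                continue
            if key == "header":
                fields["host"], fields["timestamp"] = m.group(1), m.group(2)
            elif key == "ips":
                fields["external_ip"] = m.group(2)
                missing = [f for f in REQUIRED if f not in fields]
                if missing:
                    raise ValueError(f"incomplete alert record, missing {missing}")
                events.append(MalwareEvent(**{f: fields[f] for f in REQUIRED}))
                fields = {}
            else:
                fields[key] = m.group(1)
            break
    return events


def summarize(events: List[MalwareEvent]) -> Dict[str, dict]:
    """Group events by SHA-256: event count, affected hosts, source addresses and
    detection names. This is the minimal fact set for a case or a clean-list review."""
    by_hash: Dict[str, dict] = {}
    for e in events:
        entry = by_hash.setdefault(e.sha256.lower(), {
            "count": 0, "hosts": set(), "external_ips": set(), "threat_names": set()})
        entry["count"] += 1
        entry["hosts"].add(e.host)
        entry["external_ips"].add(e.external_ip)
        entry["threat_names"].add(e.threat_name)
    return by_hash


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of file content (read the .cab in binary mode to get `data`)."""
    return hashlib.sha256(data).hexdigest()


def matches_alert(data: bytes, event: MalwareEvent) -> bool:
    """Before adding a .cab to the clean list, confirm the local copy's hash is the
    one the alert reported; a different hash means you are looking at a different file."""
    return sha256_of_bytes(data) == event.sha256.lower()


if __name__ == "__main__":
    for digest, info in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(digest, info["count"], sorted(info["hosts"]), sorted(info["external_ips"]))
```

Running the block over an export of the Files->Malware events gives one line per distinct hash, which is what to attach to the case; `matches_alert` is the check to run against the actual downloaded .cab before any clean-list change.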
11-12-2015 07:15 AM
In case anyone runs into this issue, I talked to two people at Cisco and this is a known issue. Both recommended opening a case. One of them is our GSSO CSE and he told me to forward him the case information so he can send it off to someone who can get more help.
If you are a Cisco partner and have clients with this issue, I would recommend opening the case. Another idea is to put a threshold on the alerts until this is resolved.
11-12-2015 07:31 AM