Malware false positives after Windows update releases 10.november

Steelyboy77
Level 1

Hi

Is anyone else experiencing a lot of what I think are FPs from the Microsoft updates last night?

I have a lot of events from FireSIGHT this night, and all of them seem to be different Windows updates.

Network Based Malware, and the threat name is variants of: W32.Auto

One of the updates that generates events is: https://support.microsoft.com/de-de/kb/3104507

I'm not sure how to handle this, and any input would be great :-)

I have used a whitelist on this specific update, but there are so many more. Do you think Sourcefire will update the rules today to fix this?

Thanks in advance

EDIT: There was a rule update from yesterday that addressed these problems, so it would not generate events. Updated and all is good :-)

EDIT 2: It's not all good... I still receive A LOT of events regarding Windows updates related to the Win32.Auto rule.

7 Replies

Corey Melhus
Level 1

We are also seeing many of these, starting last night and continuing this morning. They all originate from Windows updates, Flash updates, or Chrome updates.

https://www.virustotal.com/en-gb/file/54c0d1de00c650689c52080b8b4757f35c078f8d86da13c90601a6f6fd070aae/analysis/

detected as: W32.Auto.0372C6.182366.in02

https://www.virustotal.com/en-gb/file/36c291265b8ad791f0c004bd7e13addb217b96dce8cdd5bfcc9e4b3d88af82ab/analysis/

detected as: W32.File.MalParent

https://www.virustotal.com/en-gb/file/021b8b9bcac980aa32433919dfdc7d6eb96d5b45976786f5cdf8c22099590c2a/analysis/

detected as: W32.Auto.22510C.182440.in02

https://www.virustotal.com/en-gb/file/62a3898ef96a01fc1b2accb9bb36c56262e7896bb801534eb6d7e45d562930be/analysis/

detected as: W32.DFC.MalParent

https://www.virustotal.com/en-gb/file/9512b8b43db434c5eb6c461c8febc41ce6718e93f286637b5948a86dd773d886/analysis/

detected as: W32.Auto.740FDA.182447.in02

All appear to be false positives from everything we can tell.

Was anyone able to get a Cisco case opened to address this? A few of the ones we are seeing are below. These are still continuing throughout this morning.

W32.Auto.357267.182447.in01
W32.Auto.83c528.182440.in01
W32.Auto.61CF22.182446.in02
W32.Auto.9ca11c.182445.in01

Some of them now start to come back as Clean, via network-based retrospective notifications.

Like this one, with a verified signature: https://www.virustotal.com/nb/file/bebfbec521bea1c745533758908fc122fd1edca6ba54277fcce2d219832babdf/analysis/
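The post above describes the triage problem in this thread: a burst of network-based malware events for update binaries, some of which later flip to Clean through retrospective notifications while others keep firing. The script below is an added example (not code from the thread or from Cisco) that shows one way to sort such an event stream by SHA256 into "resolved by retrospective Clean", "generic-family detection still firing, needs review" and "still flagged". The CSV field layout, the placeholder hashes and the treatment of `W32.Auto`/`W32.File`/`W32.DFC` as generic, auto-generated families are all assumptions made for the example, not properties of a real FireSIGHT export.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample events. This is NOT real FireSIGHT/AMP export output;
# the column layout "timestamp,event_type,sha256,disposition,threat_name"
# is an assumption for this example, and the hashes are placeholders.
SAMPLE_EVENTS = """\
timestamp,event_type,sha256,disposition,threat_name
2015-11-11T02:14:05Z,Malware,1111111111111111111111111111111111111111111111111111111111111111,Malware,W32.Auto.0372C6.182366.in02
2015-11-11T02:20:41Z,Malware,2222222222222222222222222222222222222222222222222222222222222222,Malware,W32.File.MalParent
2015-11-11T03:05:12Z,Malware,3333333333333333333333333333333333333333333333333333333333333333,Malware,W32.Auto.22510C.182440.in02
2015-11-11T09:47:30Z,Retrospective,1111111111111111111111111111111111111111111111111111111111111111,Clean,W32.Auto.0372C6.182366.in02
2015-11-11T10:02:18Z,Retrospective,2222222222222222222222222222222222222222222222222222222222222222,Clean,W32.File.MalParent
2015-11-11T14:31:09Z,Malware,3333333333333333333333333333333333333333333333333333333333333333,Malware,W32.Auto.22510C.182440.in02
2015-11-11T15:10:44Z,Malware,4444444444444444444444444444444444444444444444444444444444444444,Malware,Trojan.Example.Constructed
"""

# Assumption: these prefixes denote generic / auto-generated detection
# families, which are the ones most worth re-checking after a patch Tuesday.
GENERIC_FAMILY = re.compile(r"^W32\.(Auto|File|DFC)\.")


def parse_events(text):
    """Parse the CSV export into dicts, ordered by ISO-8601 timestamp."""
    reader = csv.DictReader(io.StringIO(text))
    # ISO-8601 UTC strings sort correctly as plain text.
    return sorted(reader, key=lambda row: row["timestamp"])


def triage(events):
    """Group events per SHA256 and bucket each hash by its latest disposition.

    resolved_clean: was Malware at some point, latest disposition is Clean
                    (a retrospective verdict cleared it).
    needs_review:   still Malware and the threat name is a generic family;
                    candidate for a vendor case or hash whitelist review.
    still_flagged:  still Malware under a specific (non-generic) name.
    """
    by_hash = defaultdict(list)
    for ev in events:
        by_hash[ev["sha256"]].append(ev)

    result = {"resolved_clean": [], "needs_review": [], "still_flagged": []}
    for sha, evs in by_hash.items():
        latest = evs[-1]
        ever_malware = any(e["disposition"] == "Malware" for e in evs)
        if latest["disposition"] == "Clean" and ever_malware:
            result["resolved_clean"].append(sha)
        elif GENERIC_FAMILY.match(latest["threat_name"]):
            result["needs_review"].append(sha)
        else:
            result["still_flagged"].append(sha)
    return result


def hit_counts(events):
    """Number of Malware-disposition events per hash, to spot repeat firing."""
    counts = defaultdict(int)
    for ev in events:
        if ev["disposition"] == "Malware":
            counts[ev["sha256"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for bucket, hashes in triage(evs).items():
        print(bucket)
        for sha in hashes:
            print(f"  {sha[:12]}...  hits={hit_counts(evs).get(sha, 0)}")
```

The "needs_review" bucket is where the thread's `W32.Auto.*` events land until a retrospective Clean arrives; anything that stays there after the vendor pushes updated content is what you would escalate rather than blanket-whitelist.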

stephan
Level 1

I don't think they are false positives; they have weird names.

masmith0324
Level 1

I've received the same. Opened a case about 12 hours ago. They said Talos was investigating, and then I started seeing them come back as clean. But then again this afternoon the alerts kicked up again. I believe you can reproduce by having a system go out to Microsoft and check for updates. It's definitely related to the patches that were released by Microsoft yesterday.

Corey Melhus
Level 1

This thread has some more info including acknowledgement that these are false positives from TAC: https://supportforums.cisco.com/discussion/12702996/amp-blocking-windows-updates

Yes, I've received the same canned answer. Still getting alerts, so I guess the updates haven't propagated out yet.