11-11-2015 12:15 AM
Hi
Is anyone else experiencing a lot of what I think are FPs from Microsoft updates last night?
I have a lot of events from FireSIGHT this night, and all of them seem to be different Windows updates.
Network Based Malware, and the threat name is variants of: W32.Auto
One of the updates that generate events are: https://support.microsoft.com/de-de/kb/3104507
I'm not sure how to handle this, and any inputs would be great :-)
I have used the whitelist on this specific update, but there are so many more. Do you think Sourcefire will update rules today to fix this?
Thanks in advance
EDIT: There was a rule update from yesterday that addressed these problems so it would not generate events. Updated and all is good :-)
EDIT 2: It's not all good.. I still receive A LOT of events regarding Windows updates related to the Win32.Auto rule
11-11-2015 08:11 AM
We are also seeing many of these starting last night and continuing this morning. They all originate from Windows updates, Flash updates, or Chrome updates.
https://www.virustotal.com/en-gb/file/54c0d1de00c650689c52080b8b4757f35c078f8d86da13c90601a6f6fd070aae/analysis/
detected as: W32.Auto.0372C6.182366.in02
https://www.virustotal.com/en-gb/file/36c291265b8ad791f0c004bd7e13addb217b96dce8cdd5bfcc9e4b3d88af82ab/analysis/
detected as: W32.File.MalParent
https://www.virustotal.com/en-gb/file/021b8b9bcac980aa32433919dfdc7d6eb96d5b45976786f5cdf8c22099590c2a/analysis/
detected as: W32.Auto.22510C.182440.in02
https://www.virustotal.com/en-gb/file/62a3898ef96a01fc1b2accb9bb36c56262e7896bb801534eb6d7e45d562930be/analysis/
detected as: W32.DFC.MalParent
https://www.virustotal.com/en-gb/file/9512b8b43db434c5eb6c461c8febc41ce6718e93f286637b5948a86dd773d886/analysis/
detected as: W32.Auto.740FDA.182447.in02
All appear to be false positives from everything we can tell.
11-11-2015 08:54 AM
Was anyone able to get a Cisco case opened to detect this? A few of those we are seeing are below. These are still continuing throughout this morning.
W32.Auto.357267.182447.in01
W32.Auto.83c528.182440.in01
W32.Auto.61CF22.182446.in02
W32.Auto.9ca11c.182445.in01
11-11-2015 11:22 AM
Some of them now start to come back as Clean. Network-based retrospective notifications.
Like this one, with verified signature: https://www.virustotal.com/nb/file/bebfbec521bea1c745533758908fc122fd1edca6ba54277fcce2d219832babdf/analysis/
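The posts above list SHA-256 hashes and detection names (W32.Auto.&lt;hex&gt;.&lt;number&gt;.in0N, W32.File.MalParent, W32.DFC.MalParent) and mention that some files later come back as Clean through retrospective notifications. The script below is an added triage example, not code from this thread, from Cisco, or from any FireSIGHT/AMP export format: it parses constructed key=value event lines, flags detections that match the auto-generated signature families, honours a small allowlist of hashes an analyst has confirmed as signed vendor updates, and separates retrospective Clean verdicts from the rest. The event line format, host names and timestamps are assumptions; the hashes and detection names reused from the thread are paired with each other arbitrarily in the sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Detection families quoted in this thread. The W32.Auto.<hex>.<number>.inNN
# shape is an automatically generated, hash-derived signature rather than a
# hand-written one; matching it is a hint, not proof, of a false positive.
GENERIC_DETECTION_RE = re.compile(
    r"^W32\.(Auto\.[0-9A-Fa-f]{6}\.\d+\.in\d{2}|File\.MalParent|DFC\.MalParent)$"
)

# SHA-256 values an analyst has confirmed as signed vendor updates. The single
# entry is the hash the thread reports as carrying a verified signature; the
# other hashes posted above stay off the list until someone checks them.
VERIFIED_UPDATE_SHA256 = {
    "bebfbec521bea1c745533758908fc122fd1edca6ba54277fcce2d219832babdf",
}


@dataclass
class FileEvent:
    timestamp: str
    host: str
    disposition: str
    detection: str
    sha256: str


# Assumed export format: "<timestamp> key=value key=value ..." on one line.
EVENT_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Optional[FileEvent]:
    """Parse one event line; return None when a required field is missing."""
    fields: Dict[str, str] = dict(EVENT_RE.findall(line))
    try:
        timestamp = line.split(" host=")[0].strip()
        return FileEvent(timestamp, fields["host"], fields["disposition"],
                         fields["detection"], fields["sha256"].lower())
    except KeyError:
        return None


def triage(ev: FileEvent) -> str:
    """Put one event into a triage bucket; order of checks matters."""
    if ev.disposition.lower() == "clean":
        return "retrospective-clean"      # vendor already reversed the verdict
    if ev.sha256 in VERIFIED_UPDATE_SHA256:
        return "allowlisted-update"       # analyst-verified signed update
    if GENERIC_DETECTION_RE.match(ev.detection):
        return "generic-signature-review"  # likely FP wave, confirm before closing
    return "investigate"                  # hand-written signature: treat as real


def triage_lines(lines: List[str]) -> Dict[str, List[str]]:
    """Group the SHA-256 of each event by triage bucket; unparsable lines kept verbatim."""
    buckets: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            buckets.setdefault("unparsed", []).append(line)
            continue
        buckets.setdefault(triage(ev), []).append(ev.sha256)
    return buckets


# Constructed sample events: hashes and detection names come from this thread,
# but hosts, timestamps and the hash/detection pairing are made up.
SAMPLE_EVENTS = [
    "2015-11-11T00:41:10Z host=ws-0142 disposition=Malware detection=W32.Auto.0372C6.182366.in02 "
    "sha256=54c0d1de00c650689c52080b8b4757f35c078f8d86da13c90601a6f6fd070aae",
    "2015-11-11T00:43:27Z host=ws-0157 disposition=Malware detection=W32.File.MalParent "
    "sha256=36c291265b8ad791f0c004bd7e13addb217b96dce8cdd5bfcc9e4b3d88af82ab",
    "2015-11-11T09:02:55Z host=ws-0142 disposition=Malware detection=W32.Auto.9ca11c.182445.in01 "
    "sha256=bebfbec521bea1c745533758908fc122fd1edca6ba54277fcce2d219832babdf",
    "2015-11-11T11:20:08Z host=ws-0142 disposition=Clean detection=W32.Auto.0372C6.182366.in02 "
    "sha256=54c0d1de00c650689c52080b8b4757f35c078f8d86da13c90601a6f6fd070aae",
    # Constructed non-generic detection and placeholder hash: must not be auto-closed.
    "2015-11-11T11:31:44Z host=ws-0201 disposition=Malware detection=W32.Example.Dropper "
    "sha256=" + "deadbeef" * 8,
    "garbage line with no fields",
]

if __name__ == "__main__":
    for bucket, hashes in sorted(triage_lines(SAMPLE_EVENTS).items()):
        print(f"{bucket}: {len(hashes)}")
        for h in hashes:
            print("   ", h)
```

The point of the bucket order is that a retrospective Clean verdict or an analyst-verified hash settles the event, whereas a match on the generic signature pattern alone only queues it for review; a non-generic detection name on an unknown hash is never closed automatically, which is the case the "they have weird names" objection later in the thread is really about.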
11-11-2015 09:26 AM
I don't think they are false positives; they have weird names.
11-11-2015 05:46 PM
I've received the same. Opened a case about 12 hours ago. They said Talos was investigating and then I started seeing them come back as clean. But then again this afternoon the alerts kicked up again. I believe you can reproduce it by having a system go out to Microsoft and check for updates. It's definitely related to the patches that were released by Microsoft yesterday.
11-12-2015 01:32 PM
This thread has some more info including acknowledgement that these are false positives from TAC: https://supportforums.cisco.com/discussion/12702996/amp-blocking-windows-updates
11-12-2015 01:57 PM
Yes, I've received the same canned answer. Still getting alerts so I guess updates haven't propagated out yet.