05-14-2015 11:56 PM - edited 03-10-2019 06:22 AM
Please evaluate if the signature (6322) Microsoft Windows Information Disclosure Signature is OK, as it seems I am receiving lots of false positive alerts.
05-15-2015 07:44 AM
Same boat here, thousands of alerts all coming from either Google or YouTube.
Will someone from Cisco please check on this and report back?
Thank you.
Mike
05-15-2015 08:21 AM
I as well have received 1000+ alerts from this one. The majority of the "attacker" IP addresses point back to Google as well. If you look at what is actually triggering the alert (in my case at least) it shows every user trying to download "GoogleUpdateSetup.exe". One of the common URLs I am seeing is below:
05-19-2015 03:57 AM
Got a response on my TAC case. Confirmed that they are receiving a lot of tickets on this one and it is "definitely" a false positive and can be disabled safely. Developers are looking into a fix \ new signature release at this point.
Hope that helps!
05-19-2015 06:39 AM
Thanks for the update Kevin.
I wish the Cisco IPS group would respond more quickly to these types of issues. There can't be many of us still using their IPS, so their team is probably pretty lean.
Mike
05-22-2015 08:39 AM
IPS signature 869.0 has been pushed and the emails have stopped. This alert should no longer be an issue. Thanks
05-15-2015 11:42 AM
In my case, the signature is 6332/0, same description, 3k+ alerts, majority of sources are from Google.
Is this a false positive?
Please respond.