This is not new believe it or not. These windows updates have been reported months ago to Meraki. I have an open ticket from months ago trying to figure this out. Meraki on the backend is reporting these as malware, but it wasnt being reported to the dashboard and/or email alerts. Something changed today and now its actually reporting so I might finally have some resolution to my open ticket.
How I discovered the problem is that I enabled syslog logging and sent all my logs to papertrail. I then setup an alert on when malware was downloaded and I kept getting these alerts in papertrail. Heres the original ticket.
There was never a resolution, meraki support could not help and they said their backend team was involved with the case. I was never able to forcibly recreate the issue, so they were never able to resolve it. This was happening across many clients with the same error/issue.
Heres a sample from 2 days ago from my papertrail app that went unreported to the dashboard and/or email alert.
Apr 11 10:20:04 98.151.19.171 logger <134>1 1681244404.194824387 OLGC_Firewall security_event security_filtering_file_scanned url=http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ade20ec6-c563-480b-ad73-40580d3f2b72?P1=1681245007&P2=404&P3=2&P4=X4AhVcAJt9jaRV%2fQCoOfA68Y3tgXZY4Hhvr8JWM6pe5%2fEIEDZAOWhdj0CK60cr4uGAgFEfe0%2b5r5q7kjJ%2foh3w%3d%3d src=192.168.1.192:54486 dst=209.197.3.8:80 mac=30:D1:6B:F1:7E:E7 name='' sha256=fc46caae796a5bfe5eb2a814d8f97fc91e6f710f68ca00832ccd7171fb550151 disposition=malicious action=block
I think my issue might finally get resolved now that its reporting to the dashboard and/or email alerts and its widespread.
Ya looking at the timeline in my security tools on one of the devices supposedly affected there is nothing going on except for attempts at windows updates.
so unless MS is compromised this is almost certainly a false positive
This is not new believe it or not. These windows updates have been reported months ago to Meraki. I have an open ticket from months ago trying to figure this out. Meraki on the backend is reporting these as malware, but it wasnt being reported to the dashboard and/or email alerts. Something changed today and now its actually reporting so I might finally have some resolution to my open ticket.
How I discovered the problem is that I enabled syslog logging and sent all my logs to papertrail. I then setup an alert on when malware was downloaded and I kept getting these alerts in papertrail. Heres the original ticket.
There was never a resolution, meraki support could not help and they said their backend team was involved with the case. I was never able to forcibly recreate the issue, so they were never able to resolve it. This was happening across many clients with the same error/issue.
Heres a sample from 2 days ago from my papertrail app that went unreported to the dashboard and/or email alert.
Apr 11 10:20:04 98.151.25.111 logger <134>1 1681244404.194824387 Firewall security_event security_filtering_file_scanned url=http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ade20ec6-c563-480b-ad73-40580d...?P1=1681245007&P2=404&P3=2&P4=X4AhVcAJt9jaRV%2fQCoOfA68Y3tgXZY4Hhvr8JWM6pe5%2fEIEDZAOWhdj0CK60cr4uGAgFEfe0%2b5r5q7kjJ%2foh3w%3d%3d src=192.168.1.192:54486 dst=209.197.3.8:80 mac=30:D1:6B:F1:7E:E7 name='' sha256=fc46caae796a5bfe5eb2a814d8f97fc91e6f710f68ca00832ccd7171fb550151 disposition=malicious action=block
I think my issue might finally get resolved now that its reporting to the dashboard and/or email alerts and its widespread.
