topic Re: Virus/Win32.WGeneric.esuykr(752144200) via filename=msvcp140_2_app.dll in General Topics

Virus/Win32.WGeneric.esuykr(752144200) via filename=msvcp140_2_app.dll

becksyboy — Mon, 24 Nov 2025 10:39:49 GMT

Hi All,

we have had a large amount of the following alerts via this filename. We think it could be related to a Microsoft update. Has anyone else seen this?

Virus/Win32.WGeneric.esuykr(752144200) via filename=msvcp140_2_app.dll

Re: Virus/Win32.WGeneric.esuykr(752144200) via filename=msvcp140_2_app.dll

S.Operator225554 — Mon, 24 Nov 2025 13:01:13 GMT

Hi Becksyboy,

I do not have answer but I am wondering myself about it. I can see several alerts in last 2 days concerning what you described - on several endpoints but no information is found. Only place on the Internet I see about this issue is this community thread. Despite action being BLOCKED_9 - I do not see any usefull information.

Re: Virus/Win32.WGeneric.esuykr(752144200) via filename=msvcp140_2_app.dll

MattVanEpps — Mon, 24 Nov 2025 15:59:15 GMT

Having the same issue. Thousands of alert emails. All the same Virus/Win32.WGeneric.esuykr(752144200) with misc: 206.206.85.202/filestreamingservice/files/9683459a-02fa-4bd6-9ae6-af8ddfbeef35?P1=1764000338&P2=404&P3=2&P4=YDDgm/xWLBt72w75YAeGr9xQrqK8hDBIUmysmppuEA4LGHQH05HpVTdDCdlt1nw+5ewnbPKWuH1bhYnl4pa5Jw==&cacheHostOrigin=2.tlu.dl.delivery.mp.microsoft.com. It looks like just about every computer on the inside of this network have triggered the alert.

Re: Virus/Win32.WGeneric.esuykr(752144200) via filename=msvcp140_2_app.dll

josh.weeden — Mon, 24 Nov 2025 18:15:50 GMT

Any updates on this? I also had it trigger on a couple other files, such as WindowsAdvancedSettings.exe but coming from the same ip of 216.74.105.201

Re: Virus/Win32.WGeneric.esuykr(752144200) via filename=msvcp140_2_app.dll

sounetworksupport — Mon, 24 Nov 2025 18:26:13 GMT

I think these were false positives. Try installing the 5381-5907 A/V updates from this morning. That put a stop to these detections for us.

If you pull up the Threat IDs in the Threat Vault, you'll see where they removed the definitions in the 5381-5907 update. For example, look at https://threatvault.paloaltonetworks.com/?query=752144200

In Current Release: No

Last Release: 5380 (2025-11-23 UTC)

First Release: 5379 (2025-11-22 UTC)

Re: Virus/Win32.WGeneric.esuykr(752144200) via filename=msvcp140_2_app.dll

SYoung14 — Mon, 24 Nov 2025 20:19:13 GMT

We are seeing the same behavior.

If this is actually a false positive against a legitimate Microsoft update, then:

Why is Microsoft making our computers get DLL files over an unencrypted HTTP connection? (Geez, Microsoft)
Why aren't they using their own MSFT netblocks instead of a 3rd party CDN / colocation company (Colocation America Corporation)
Why is this behavior happening on computers with Windows updates turned OFF

In addition, we noticed the following two additional "files":

216.74.105.204{{{{/}}}}filestreamingservice/files/9683459a-02fa-4bd6-9ae6-af8ddfbeef35?P1=1763926133&P2=404&P3=2&P4=GOZXCewqQuAo9xaOkFUJus8cWmvuRRYqUNIXAp7bl5iI7duymC/li00a7kgIX9MFwBnbDuFTOB9pL7I18kZ2Gg==&cacheHostOrigin=2.tlu.dl.delivery.mp.microsoft.com

Re: Virus/Win32.WGeneric.esuykr(752144200) via filename=msvcp140_2_app.dll

V.Sambath — Wed, 26 Nov 2025 10:46:46 GMT

We are also experiencing the same issue. Has anyone been able to confirm whether this is a false positive, or if any action is required?

Re: Virus/Win32.WGeneric.esuykr(752144200) via filename=msvcp140_2_app.dll

ymiyashita — Thu, 27 Nov 2025 00:54:01 GMT

It was a false positive. As you can see on Threat vault, the signature was already disabled.
https://threatvault.paloaltonetworks.com?query=752144200

==> Status: inactive

Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNA9CAM