topic Re: W32.MAP.Ransomware.rwd. in Endpoint Security

W32.MAP.Ransomware.rwd.

Paladin — Fri, 03 Sep 2021 13:40:21 GMT

Sha 256 e5dccb33478bf13629d0a3f0ba7daceb56d7792e0132886ed129334ec6bb2a33 detected by MAP and convicted as

W32.MAP.Ransomware.rwd. Found this post https://quickview.cloudapps.cisco.com/quickview/bug/CSCvq59864, my Connector version is 7.4.1.20439. Not a known affected version. False positive?

Medium

2021-09-03 12:40:43 UTC

MAP detected d8e57517-45af-4d42-a2f1-7844fb9956ae.exe, Sontheim Components-1.07.6504-12 - #12 Full 12.0.21175.732 (e5dccb33…c6bb2a33) as W32.MAP.Ransomware.rwd.

by AGCOUpdateService.exe, AGCOUpdateService for .NET 4.6.2 1.21.7684.29091 (87eb220c…22037f3b)[Unknown] executing as SYSTEM@NT AUTHORITY.

The file was not quarantined. Error: Cannot delete file.

Affected Files Count: 5

Affected Files:

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\9

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\10

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\12

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\11

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\13

File full path: C:\ProgramData\AGCO Corporation\AGCO Update\d8e57517-45af-4d42-a2f1-7844fb9956ae.exe

File SHA-1: ae4ddbe24fb08d39791918d2a0ca8c94ab5de8f0.

File MD5: 075e4668ceca61859906d5288fbfd702.

File size: 183808096 bytes.

File signed by AGCO Corporation with certificate serial 2 from thawte SHA256 Code Signing CA. Expires NaN:NaN:NaN, NaN 0NaN UTC. the certificate was warn trusted

Parent file SHA-1: efff229cbfa81dd4d4f35f5adaae0bbd100667f0.

Parent file MD5: 4ecbfbc987d8072846c6115b028dc471.

Parent file size: 1938344 bytes.

Parent file age: 0 seconds.

Parent file signed by AGCO Corporation with certificate serial 2 from thawte SHA256 Code Signing CA. Expires NaN:NaN:NaN, NaN 0NaN UTC. the certificate was warn trusted

Parent file cert MD5: b1bcf6b5b1954a4dd1cb0de00cfbe3ba.

Parent file cert SHA-1: 159bf94e915ba45752d31b62979a3acf93bea108.

Parent process id: 5340.

Parent process SID: S-1-5-18 (Local System).

Re: W32.MAP.Ransomware.rwd.

Wojciech Cecot — Mon, 13 Sep 2021 07:47:56 GMT

Hello Paladin,

bug CSCvq59864 was fixed and shouldn't affect any 7.x or later Secure Endpoint connectors. Regarding detection that you see, it is related to MAP engine (Malicious Activity Protection) rule “rwd”: reading, writing and deleting a set of files within short span of time. That happens with some softwares, especially during update. If you are certain that is legitimate software you can always create exclusion of following type: Process > Malicious Activity (for MAP engine) by using either Path of SHA.

Hope that help

Wojciech

Re: W32.MAP.Ransomware.rwd.

tiaandra — Tue, 20 May 2025 11:15:05 GMT

I have secure endpoint > 7.x but still having this issue.

Can you clarify how I set the exclusion ?

Cisco Secure Client 5.1.7.1336

(Tue May 20 12:13:17 2025)

Secure Endpoint 8.2.3.30119

Re: W32.MAP.Ransomware.rwd.

Roman Valenta — Tue, 20 May 2025 13:46:38 GMT

This is over 4yrs old threat about specific FP event. When you saying that you have the same issue what exactly you referring to?

Lastly if you need to apply sets of exclusions you need to have access to the Secure Endpoint Dashboard and be the administrator in that ORG.

Re: W32.MAP.Ransomware.rwd.

tiaandra — Tue, 20 May 2025 17:02:39 GMT

hi, I'm getting this error after I install Paint.NET - Free Software for Digital Photo Editing

I'm not an admin so I guess I'm stuck 😞 ?! do you know how I can request an exception to this ?

Re: W32.MAP.Ransomware.rwd.

Matthew Franks — Tue, 20 May 2025 17:45:23 GMT

For exceptions withing your organization, you'll have to reach out to one of your organization admins so they can determine the risk and add an exception if appropriate. That isn't something we can do for you.

Thanks,

Matt