topic Re: fp on svchost.exe on Windows 2019 servers? in Endpoint Security https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585555#M6792 <P>Having this on many of our Desktops and Servers.</P><P>&nbsp;</P> Mon, 04 Apr 2022 20:19:29 GMT philippaisley 2022-04-04T20:19:29Z fp on svchost.exe on Windows 2019 servers? https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585527#M6786 <P>Hey all,&nbsp;</P> <P>are you seeing an FP on svchost.exe?&nbsp; Mostly Cloud.IOCs...</P> <P>Ken</P> Mon, 04 Apr 2022 19:20:30 GMT https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585527#M6786 Ken Stieers 2022-04-04T19:20:30Z Re: fp on svchost.exe on Windows 2019 servers? https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585542#M6787 <P>We are seeing it on multiple windows machines</P> Mon, 04 Apr 2022 19:54:35 GMT https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585542#M6787 Brian.Cochran 2022-04-04T19:54:35Z Re: fp on svchost.exe on Windows 2019 servers? https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585551#M6789 <P>It has been flagged on all my servers, But no Windows desktop machines.</P><P>&nbsp;</P> Mon, 04 Apr 2022 20:01:27 GMT https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585551#M6789 jwilliams2 2022-04-04T20:01:27Z Re: fp on svchost.exe on Windows 2019 servers? https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585552#M6790 <P>Is this a false positive? A whole bunch of machines on our network are being isolated due to this event.&nbsp;</P> Mon, 04 Apr 2022 20:02:25 GMT https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585552#M6790 SReed2020 2022-04-04T20:02:25Z Re: fp on svchost.exe on Windows 2019 servers? https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585554#M6791 Thanks for the update.<BR /> Mon, 04 Apr 2022 20:12:21 GMT https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585554#M6791 jwilliams2 2022-04-04T20:12:21Z Re: fp on svchost.exe on Windows 2019 servers? https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585555#M6792 <P>Having this on many of our Desktops and Servers.</P><P>&nbsp;</P> Mon, 04 Apr 2022 20:19:29 GMT https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585555#M6792 philippaisley 2022-04-04T20:19:29Z Re: fp on svchost.exe on Windows 2019 servers? https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585556#M6793 <P>Seeing the same, only on 2016/2019 Windows servers.&nbsp;</P><P>Have undertaken what checks we can in the time and all coming back no threat.</P><P>Still digging.</P> Mon, 04 Apr 2022 20:21:08 GMT https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585556#M6793 soup_dragon 2022-04-04T20:21:08Z Re: fp on svchost.exe on Windows 2019 servers? https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585558#M6794 <P>Any update on this problem? We also have 2019 servers jumping into isolation mode regarding svchost fp.</P> Mon, 04 Apr 2022 20:30:12 GMT https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585558#M6794 Rene Mueller 2022-04-04T20:30:12Z Re: fp on svchost.exe on Windows 2019 servers? https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585561#M6795 <P>Cisco advise False Positive</P><P>Cisco Secure Endpoint Announcement - False Positive detection<BR />Cisco is aware of the false-positive detection related to svchost.exe. The single SHA-256 involved is cb19fd67b1d02......96cfe0ee0c6e45285436a1. The file disposition has been updated and Cisco is investigating the root cause. We apologize for any inconvenience this may have caused.</P> Mon, 04 Apr 2022 20:39:55 GMT https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585561#M6795 soup_dragon 2022-04-04T20:39:55Z Re: fp on svchost.exe on Windows 2019 servers? https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585563#M6796 I put in a file reputation request on TalosIntelligence.com<BR />Tweeted TalosIntelligence.<BR />Opened a TAC case.<BR /><BR /><BR /> Mon, 04 Apr 2022 20:42:21 GMT https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585563#M6796 Ken Stieers 2022-04-04T20:42:21Z Re: fp on svchost.exe on Windows 2019 servers? https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585577#M6797 If you investigate it using Cisco Threat Response it comes up marked as a "Common SHA-256 Hash"<BR />Nobody on Virus Total marks it bad.<BR />Malwares.com marks it good.<BR /><BR />Yeah... its an FP...<BR /><BR /> Mon, 04 Apr 2022 21:09:21 GMT https://community.cisco.com/t5/endpoint-security/fp-on-svchost-exe-on-windows-2019-servers/m-p/4585577#M6797 Ken Stieers 2022-04-04T21:09:21Z