https://community.cisco.com/t5/endpoint-security/false-positive-communications/m-p/4617561#M6897 <P>Early on 5\21\2022, Cisco Endpoint Protection trapped this event:&nbsp; 'detected a Cloud IOC: Executed Malware IOC'. It was classed as 'AMADEY' Malware.&nbsp; Because it was classified as a HIGH threat, and we have automated actions enabled, the affected computers were all ISOLATED from the network.&nbsp; That got attention.</P><P>&nbsp;</P><P>By 4 PM the same day, the conviction was overturned and the computers with the detections attempted a RETROSPECTIVE RESTORE FROM QUARANTINE.&nbsp;&nbsp;</P><P>&nbsp;</P><P>That is it.&nbsp; No explanation, no post anywhere that I can locate and reference in my RCA to close out the event.</P><P>Some person or process made a decision to reverse this conviction.&nbsp; The detail of the rationale and subsequent actions should be communicated.&nbsp; Possibly update the File Analysis details for the specific file(hash)?</P><P>&nbsp;</P><P>Filename Magic&nbsp;Type File TypeSHA256SHA1MD5</P><TABLE><TBODY><TR><TD><DIV class="">chrome.exe</DIV></TD></TR><TR><TD>PE32+ executable (GUI) x86-64, for MS Windows</TD></TR><TR><TD>exe</TD></TR><TR><TD><SPAN class="">f342af2b1e3dd9ba90c10f643ec1f50459efbb5912496e8ac553682c2b7a9f6e</SPAN></TD></TR><TR><TD><SPAN class="">6a2a2427cf1d888cb40a18527478c84dedf1db61</SPAN></TD></TR><TR><TD><SPAN class="">7f916511a313837efcde9e4112a64e5b</SPAN></TD></TR></TBODY></TABLE> Wed, 25 May 2022 12:27:26 GMT ScottHolland26866 2022-05-25T12:27:26Z https://community.cisco.com/t5/endpoint-security/false-positive-communications/m-p/4617561#M6897 <P>Early on 5\21\2022, Cisco Endpoint Protection trapped this event:&nbsp; 'detected a Cloud IOC: Executed Malware IOC'. It was classed as 'AMADEY' Malware.&nbsp; Because it was classified as a HIGH threat, and we have automated actions enabled, the affected computers were all ISOLATED from the network.&nbsp; That got attention.</P><P>&nbsp;</P><P>By 4 PM the same day, the conviction was overturned and the computers with the detections attempted a RETROSPECTIVE RESTORE FROM QUARANTINE.&nbsp;&nbsp;</P><P>&nbsp;</P><P>That is it.&nbsp; No explanation, no post anywhere that I can locate and reference in my RCA to close out the event.</P><P>Some person or process made a decision to reverse this conviction.&nbsp; The detail of the rationale and subsequent actions should be communicated.&nbsp; Possibly update the File Analysis details for the specific file(hash)?</P><P>&nbsp;</P><P>Filename Magic&nbsp;Type File TypeSHA256SHA1MD5</P><TABLE><TBODY><TR><TD><DIV class="">chrome.exe</DIV></TD></TR><TR><TD>PE32+ executable (GUI) x86-64, for MS Windows</TD></TR><TR><TD>exe</TD></TR><TR><TD><SPAN class="">f342af2b1e3dd9ba90c10f643ec1f50459efbb5912496e8ac553682c2b7a9f6e</SPAN></TD></TR><TR><TD><SPAN class="">6a2a2427cf1d888cb40a18527478c84dedf1db61</SPAN></TD></TR><TR><TD><SPAN class="">7f916511a313837efcde9e4112a64e5b</SPAN></TD></TR></TBODY></TABLE> Wed, 25 May 2022 12:27:26 GMT https://community.cisco.com/t5/endpoint-security/false-positive-communications/m-p/4617561#M6897 ScottHolland26866 2022-05-25T12:27:26Z https://community.cisco.com/t5/endpoint-security/false-positive-communications/m-p/4618550#M6898 <P>Oh boy, do I feel silly.&nbsp; I just found this in one of my sorted email folders.&nbsp; It arrived on Saturday 5/21, in a very timely manner.&nbsp; It was my fault for not handling those notifications correctly.&nbsp; Anyone know where to send apologies to Cisco?</P><P>&nbsp;</P><P>Hello Scott Holland,</P><P>Cisco Secure Endpoint Announcement - "Chrome.exe" False Positive:</P><P>Cisco is aware of the false positive detection related to chrome.exe. The single SHA256 involved is f342af2b1e3dd9ba90c10f643ec1f50459efbb5912496e8ac553682c2b7a9f6e. The file disposition has been updated, and Cisco is investigating root cause. We apologize for the inconvenience caused.</P><P>&nbsp;</P><P>You are receiving this email because you have subscribed to Secure Endpoint Announcements. If you feel you have received this email in error or need assistance, go <A href="https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmycase.cloudapps.cisco.com%2F&amp;data=05%7C01%7CSHolland%40courts.state.nh.us%7C433cdbc3cbdf4a02b36b08da3b4f8d9d%7C4b263663fabf4b6db730af1c06efff28%7C0%7C0%7C637887510119325426%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=BoivLKGQLpt321CPFVzHTuw1PnkR%2FNHRAO7U1eBqV%2Bk%3D&amp;reserved=0" target="_blank">here</A> to open a support case.</P><P>&nbsp;</P><P>Thank you.</P><P>Cisco Secure Endpoint</P> Thu, 26 May 2022 12:09:37 GMT https://community.cisco.com/t5/endpoint-security/false-positive-communications/m-p/4618550#M6898 ScottHolland26866 2022-05-26T12:09:37Z