https://community.cisco.com/t5/endpoint-security/need-help-with-2-alerts/m-p/4814056#M7465 <P>Thanks, anyone know anything about the firefox detection? All our end points flagged firefox and it's currently blocked by AMP.</P> Thu, 13 Apr 2023 20:37:15 GMT FrankyB2 2023-04-13T20:37:15Z https://community.cisco.com/t5/endpoint-security/need-help-with-2-alerts/m-p/4814015#M7461 <P>Hello everyone, 1st post here, we have been receiving a lot of alerts regarding firefox, see #2. Also I would like to know if #1 is a false positive,</P><P>&nbsp;</P><P>Thanks for your help</P><P>&nbsp;</P><P>Secure Endpoint found a total of <STRONG>1</STRONG> events matching your subscription named <STRONG>Indications_of_compromised</STRONG> since 2023-04-13 13:25:47 UTC.</P><OL><LI>&nbsp;<UL><LI><STRONG>Event Type:</STRONG> Cloud IOC</LI><LI><STRONG>Computer:</STRONG> ld*e-laptop.*</LI><LI><STRONG>Hostname:</STRONG> ld*e-laptop.*</LI><LI><STRONG>IP:</STRONG>&nbsp;</LI><LI><STRONG>Detection:</STRONG> W32.082827C4A5.RET.SBX.TG</LI><LI><STRONG>File:</STRONG> MicrosoftEdge_X64_112.0.1722.39_112.0.1722.34.exe</LI><LI><STRONG>File path:</STRONG> file:///C%3A/Program%20Files%20%28x86%29/Microsoft/EdgeUpdate/Install/%7B411AF51C-D039-427C-8592-B0095C3613BF%7D/MicrosoftEdge_X64_112.0.1722.39_112.0.1722.34.exe</LI><LI><STRONG>Detection SHA-256:</STRONG> 082827c4a5582f887901c4cce83a1aa9b8a4eb23835a434fc104bba745172a85</LI><LI><STRONG>Application SHA-256:</STRONG> 9991ba022173f283ee99068b708f60ac5143fe0c81c9e3673cc7835b108a4f44</LI><LI><STRONG>Severity:</STRONG> High</LI><LI><STRONG>Timestamp:</STRONG> 2023-04-13 13:21:45 +0000 UTC</LI></UL></LI></OL><P>&nbsp;</P><P>2.&nbsp;</P><UL><LI><STRONG>Event Type:</STRONG> Exploit Prevention</LI><LI><STRONG>Computer:</STRONG> WKS-</LI><LI><STRONG>Hostname:</STRONG> WKS-</LI><LI><STRONG>IP:</STRONG>&nbsp;</LI><LI><STRONG>User:</STRONG>&nbsp;</LI><LI><STRONG>File:</STRONG> firefox.exe</LI><LI><STRONG>File path:</STRONG> C:\Program Files\Mozilla Firefox\firefox.exe</LI><LI><STRONG>Detection SHA-256:</STRONG> 5b2abf9947a12ff9cc3765e48d875d97752193fcbc5e2b89fdb3e138c3232568</LI><LI><STRONG>By Application:</STRONG> firefox.exe</LI><LI><STRONG>Application SHA-256:</STRONG> 5b2abf9947a12ff9cc3765e48d875d97752193fcbc5e2b89fdb3e138c3232568</LI><LI><STRONG>Timestamp:</STRONG> 2023-04-06 21:17:06 +0000 UTC</LI></UL> Thu, 13 Apr 2023 19:13:11 GMT https://community.cisco.com/t5/endpoint-security/need-help-with-2-alerts/m-p/4814015#M7461 FrankyB2 2023-04-13T19:13:11Z https://community.cisco.com/t5/endpoint-security/need-help-with-2-alerts/m-p/4814018#M7462 For sure the first one is a false positive, see other posts in the community from today.<BR />Should already be fixed in the backend.. now just waiting for it to propagate.<BR /> Thu, 13 Apr 2023 19:20:27 GMT https://community.cisco.com/t5/endpoint-security/need-help-with-2-alerts/m-p/4814018#M7462 Ken Stieers 2023-04-13T19:20:27Z https://community.cisco.com/t5/endpoint-security/need-help-with-2-alerts/m-p/4814056#M7465 <P>Thanks, anyone know anything about the firefox detection? All our end points flagged firefox and it's currently blocked by AMP.</P> Thu, 13 Apr 2023 20:37:15 GMT https://community.cisco.com/t5/endpoint-security/need-help-with-2-alerts/m-p/4814056#M7465 FrankyB2 2023-04-13T20:37:15Z https://community.cisco.com/t5/endpoint-security/need-help-with-2-alerts/m-p/4814067#M7466 <P>The Firefox SHA-256 (<SPAN>5b2abf9947a12ff9cc3765e48d875d97752193fcbc5e2b89fdb3e138c3232568</SPAN>) is not related to the FP event from today.</P> <P>Although this is an&nbsp;<SPAN>Exploit Prevention event, it is probably being generated because a 3rd party acting with Firefox and generating an unexpected behavior.</SPAN></P> <P>I suggest opening a TAC case to properly investigate. Our Cisco TAC team is ready to assist with the investigation.</P> <P>--</P> <P>Pedro M.</P> Thu, 13 Apr 2023 20:50:39 GMT https://community.cisco.com/t5/endpoint-security/need-help-with-2-alerts/m-p/4814067#M7466 pmedinac 2023-04-13T20:50:39Z