topic Re: Secure Endpoint flagged Newtonsoft.Json.dll as malicious in Endpoint Security

Secure Endpoint flagged Newtonsoft.Json.dll as malicious

mski7861 — Wed, 26 Apr 2023 11:32:12 GMT

This morning I started seeing retrospective quarantine failures for Newtonsoft.Json.dll. I see conflicting results when searching for this .dll. The SHA is SHA256: c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

Re: Secure Endpoint flagged Newtonsoft.Json.dll as malicious

Ken Stieers — Wed, 26 Apr 2023 11:44:05 GMT

Me too.
Opened a Talos ticket, not the first so mine was auto-resolved. This isn't the first time they've flagged this file...

Re: Secure Endpoint flagged Newtonsoft.Json.dll as malicious

BGKYandrewlafavers — Wed, 26 Apr 2023 12:50:57 GMT

Same issue.. first time popping up for us this morning.

C:\Program Files\WindowsApps\Microsoft.6365217CE6EB4_102.2302.13003.0_x64__8wekyb3d8bbwe\MicrosoftSecurityApp\Newtonsoft.Json.dll

Re: Secure Endpoint flagged Newtonsoft.Json.dll as malicious

nacryer — Wed, 26 Apr 2023 13:12:38 GMT

We have this alert going off as well. seeing this as an optional process for Autodesk, Snagit, and visual studios depending on user downloads/packages. eager to hear talos's response.

Re: Secure Endpoint flagged Newtonsoft.Json.dll as malicious

pmedinac — Wed, 26 Apr 2023 13:29:32 GMT

Hello.

We have investigated about this SHA-256 (c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e) and found that this is a benign file, hence this file should now be allowed on your environment.

Since the file verdict was changed, the endpoints need some time to receive the last definitions, and may take up to 2 hours based on the policy configuration, other option is to update the policy and definitions manually from the Secure Endpoint UI.

Pedro M.

Re: Secure Endpoint flagged Newtonsoft.Json.dll as malicious

joljol — Thu, 27 Apr 2023 08:01:31 GMT

I'm still a Secure Endpoint newbie. We had the same alerts on a number of machines, and currently they are still showing in my inbox on the Secure Endpoint Dashboard under "Requires Attention". Are they supposed to get resolved automatically now that the file verdict was changed?

I know I can just manually resolve them, but I would like to know whether or not they are supposed to disappear automatically.

Re: Secure Endpoint flagged Newtonsoft.Json.dll as malicious

Roman Valenta — Thu, 27 Apr 2023 11:57:42 GMT

Hi,

No , it will not be removed from Inbox. Think of Inbox as your "un-opened / un-answerd mail" in your Outlook. Something that needs your attention and your manual interaction. Inbox events are also directly related to the "Heat Map" on your Dashboard and percentage number under "Compromised" What you need to do is navigate in to Inbox select all events that you don't want to deal with or you already reviewed and click on MARK RESOLVED. Those events will be then cleared out from the Heat MAP and Compromised %

Please note: that you can still find these events under "Events" tab for history purpose also note that all events are automatically removed and cleared once they more than 30 Days old.