topic Re: Suspicious smss.exe Parent Process in Endpoint Security

Suspicious smss.exe Parent Process

jeremy.peace-hall — Tue, 12 Sep 2023 14:47:24 GMT

We are getting hundreds of these threat detections this morning in our environment. These are all considered "low" and the smss.exe file is clean (SHA-256: 56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3)

Seems to be triggered at logon. Anyone else seeing these? Suspect a false positive. All scans have come back clean

Re: Suspicious smss.exe Parent Process

GJ.NoscoICT — Tue, 12 Sep 2023 16:21:34 GMT

Same here. Triaged the workstations and didn't find anything suspicious.

Re: Suspicious smss.exe Parent Process

Roman Valenta — Tue, 12 Sep 2023 17:30:26 GMT

We are currently looking in to this issue internally and investigating the event as it seems to be FP event triggered by Behavioral Protection.

Re: Suspicious smss.exe Parent Process

noahigros — Tue, 12 Sep 2023 18:14:01 GMT

Would i need to continuously check on this post in order to look for a solution? Also getting dozens of these alerts as of this morning.

Re: Suspicious smss.exe Parent Process

Roman Valenta — Tue, 12 Sep 2023 19:57:22 GMT

Can you guys please confirm the connector version on which you receiving this alert?

Re: Suspicious smss.exe Parent Process

RHauke — Tue, 12 Sep 2023 20:00:36 GMT

Started seeing this shortly after upgrading to 8.2.1.21612.

Re: Suspicious smss.exe Parent Process

noahigros — Tue, 12 Sep 2023 20:00:45 GMT

8.2.1.21612 is the version for all those connectors. We have about 60 alerts for this incident.

Re: Suspicious smss.exe Parent Process

Ken Stieers — Tue, 12 Sep 2023 20:01:51 GMT

Hey Roman,
Seeing it on 8.2.1.21612,
SMSS and wininit.exe are both throwing it.

Ken

Re: Suspicious smss.exe Parent Process

Roman Valenta — Tue, 12 Sep 2023 20:12:16 GMT

Thanks that's what I thought just wanted to be sure. Based on the response in our internal ticket at this time we believe this is only affecting AMP Version: 8.2.1.21612. The likely reason appears to be a BP build issue which we are working to resolve as soon as possible. I will keep you guys updated once anything new comes up.

Re: Suspicious smss.exe Parent Process

noahigros — Tue, 12 Sep 2023 20:15:31 GMT

thank you, Roman. Would it be okay to resolve the alerts? or should we keep them open until your team says we are good? I appreciate it.

Re: Suspicious smss.exe Parent Process

thomasleite — Wed, 13 Sep 2023 06:16:16 GMT

We are currently on version 8.1.7.21585 and we are also getting some of these.

Re: Suspicious smss.exe Parent Process

tbrobech — Thu, 14 Sep 2023 08:08:26 GMT

HI Roman,
Do you have an up date on the progress?

THomas

Re: Suspicious smss.exe Parent Process

Roman Valenta — Thu, 14 Sep 2023 13:15:35 GMT

I look up the escalation ticket and as of this morning the team that is working on this reported that they are still working in the back end to sort it out this issue. As of right now this would be most likely mitigated with new BP signature update.

As more cases arrived we got some data to provide them including some artifacts as well so hopefully the resolution will be soon. I will let you guys know once I know little bit more than this.

As far for 8.1.7.21585 we did got couple cases regarding this release as well and since this is related to newer BP signature update it's expected.

Thank you guys for your patience we are staying on top of this and trying to resolve this matter as soon as we can.

Re: Suspicious smss.exe Parent Process

jkoch2 — Thu, 14 Sep 2023 14:58:07 GMT

For my organization, this began once I approved Endpoint Security Client ver 8.2.1.21612 2 days ago.

Re: Suspicious smss.exe Parent Process

Roman Valenta — Thu, 14 Sep 2023 19:34:57 GMT

Hey Guys I just checked my home PC with 8.2.x installed and I noticed my last event was on 9/12 since then there was 3 BP signature updates and no more events. The latest one has serial # 11044. If anyone still receiving these alerts can you please check your BP definition on the machine that still reports this issue?

You can do that via CMD line just navigate to the AMP directory and run : ampcli posture

C:\WINDOWS\system32>cd C:\Program Files\Cisco\AMP\8.2.1.21612 C:\Program Files\Cisco\AMP\8.2.1.21612>ampcli posture {"agent_uuid":"cxxxxxe-4294-8xx5-f306xxxxxxea9","connected":true,"connector_version":"8.2.1","engines":[{"definitions":[{"last_successful_update":1694717388,"name":"Tetra","timestamp":1694698347,"version":91242}],"enabled":true,"name":"Tetra"},{"enabled":true,"name":"Spero"},{"enabled":true,"name":"Ethos"},{"definitions":[{"name":"BP","timestamp":1694717956,"version":11044}],"enabled":true,"name":"BP"},{"definitions":[{"name":"SCS","timestamp":1694717910,"version":11044}],"enabled":true,"name":"SCS"}],"last_scan":1694703038,"last_scan_status":true,"protect_file_mode":true,"protect_process_mode":true,"running":true} C:\Program Files\Cisco\AMP\8.2.1.21612>

Then look for the line:

"name":"BP","timestamp":1694717956,"version":11044 << ------------------

Nobody yet responded to our escalation ticket but I guess its due to different time zone that these guys work in based on the time they usually respond back.

Re: Suspicious smss.exe Parent Process

jeremy.peace-hall — Thu, 14 Sep 2023 19:42:29 GMT

Some of our clients just started to update to 11044. We are still getting a bunch of these smss.exe detections but all of them are on clients still running 11011. Hopefully by tomorrow morning these will cease as the clients get the new definition update (11044). Thanks

Re: Suspicious smss.exe Parent Process

Roman Valenta — Thu, 14 Sep 2023 19:49:41 GMT

So it now confirmed as well. We just got another update that they did release BP update late last night to resolve the remaining signatures that were still causing FPs for some of our customers.

Re: Suspicious smss.exe Parent Process

noahigros — Thu, 14 Sep 2023 19:54:46 GMT

Hey Roman,

per your update confirming that they did release a new BP update to resolve the remaining signatures that were causing FPs. Will this mean i can resolve the ones i have now?

Re: Suspicious smss.exe Parent Process

Bbailey2 — Thu, 14 Sep 2023 20:20:44 GMT

Here's my output @Roman Valenta

C:\Program Files\Cisco\AMP\8.2.1.21612>ampcli posture
"connected":true,"connector_version":"8.2.1","engines":[{"definitions":[{"last_successful_update":1694717002,"name":"Tetra","timestamp":1694698347,"version":91242}],"enabled":true,"name":"Tetra"},{"enabled":true,"name":"Spero"},{"enabled":true,"name":"Ethos"},{"definitions":[{"name":"BP","timestamp":1694720952,"version":11044}],"enabled":true,"name":"BP"},{"definitions":[{"name":"SCS","timestamp":1694720935,"version":11044}],"enabled":true,"name":"SCS"}],"last_scan":1692637158,"last_scan_status":true,"protect_file_mode":true,"protect_process_mode":true,"running":true}

Re: Suspicious smss.exe Parent Process

Roman Valenta — Fri, 15 Sep 2023 12:04:01 GMT

You mean resolve them in your Inbox? if so then YES.