topic Re: Base64JS.min.js in Endpoint Security

Base64JS.min.js

noahigros — Thu, 05 Oct 2023 19:49:27 GMT

Good afternoon,

we are using Cisco AMP with our connector version being 8.2.1.21612 and are receiving numerous alerts for a filename Base64JS.min.js. Is anybody else experiencing this? Previously we had a widespread issue with a smss.exe parent process that was found to be an issue with a new BP update on Cisco's end for the same connector version we are on now. Could this be related?

Re: Base64JS.min.js

Ken Stieers — Thu, 05 Oct 2023 19:55:32 GMT

Yep... started for me about 20 min ago.
I've opened a Talos file reputation case, but they closed it because the sha already existed in a ticket. (e.g. someone else already submitted it)

Re: Base64JS.min.js

chrisguerrero — Thu, 05 Oct 2023 19:56:22 GMT

I have 28 isolation events centered around this Base64JS.min.js detection. Can we get word if this is a false positive as we are running scans at the moment this stinks like a false positive.

Re: Base64JS.min.js

noahigros — Thu, 05 Oct 2023 20:03:43 GMT

thank you both for the input. @Ken Stieers , if you find any further information, please let me know.

Re: Base64JS.min.js

Bbailey2 — Thu, 05 Oct 2023 20:12:16 GMT

I am currently seeing the same issue in my console.

Re: Base64JS.min.js

Bbailey2 — Thu, 05 Oct 2023 20:23:05 GMT

I'm seeing retrospective detection and retrospective quarantine attempt failed for d2e82495607abf54f16e21de04d90ba9ce1605451667d88425babece988f148b

C:\adobeTemp\ETRDE65.tmp\2\x64\js\node_modules\base64-js\base64js.min.js

Re: Base64JS.min.js

_hAcKeR_kIllEr_ — Thu, 05 Oct 2023 20:41:37 GMT

I'm seeing retrospective detection and retrospective quarantine attempt failed on 100+ machines for d2e82495607abf54f16e21de04d90ba9ce1605451667d88425babece988f148b

/c:/adobetemp/etr37a4.tmp/2/x64/js/node_modules/base64-js/base64js.min.js

Two weeks ago we also experienced the sms.exe parent process issue at our organization.

Connector version 8.2.1.21612

Re: Base64JS.min.js

noahigros — Thu, 05 Oct 2023 20:57:09 GMT

For the retrospective quarantine attempt failure, that's a confusing feature. SEP will quarantine the initial event, but until the event is marked as resolved, it will continuously monitor it as still being present and search for the signature that no longer exists due to it already being handled. Thus resulting in a quarantine failure. You could always verify by going into the device trajectory and look for persistence on the same host, but in my experience it's never the case and very time consuming considering the number of alerts.

Re: Base64JS.min.js

Ken Stieers — Thu, 05 Oct 2023 21:04:32 GMT

Yep. That's the one I am seeing too.

Re: Base64JS.min.js

chad.preslar — Thu, 05 Oct 2023 21:38:06 GMT

Did they update you as to the status? it's been a few hours now since this started.

Re: Base64JS.min.js

The Security Guy — Fri, 06 Oct 2023 01:19:26 GMT

We're seeing this as well. Did you get any additional info from Cisco or Talos?

Re: Base64JS.min.js

xdumont — Fri, 06 Oct 2023 07:36:11 GMT

Hello, same problem here with base64js.min.js. Any news on your side?

Re: Base64JS.min.js

ventaran — Fri, 06 Oct 2023 09:15:10 GMT

The execution parent in my environment is setup.exe from Adobe. The Adobe setup.exe file is clean. This is most likely a false-positive. Lighting up my environment with this.

Re: Base64JS.min.js

xdumont — Fri, 06 Oct 2023 09:44:30 GMT

On our side it's the latest release of XMind for Windows https://xmind.app/download/

Re: Base64JS.min.js

ventaran — Fri, 06 Oct 2023 10:03:25 GMT

Hello Anthony,

Thank you for contacting us, I am Sara from ATS TAC, and I will be working with you on that case. From what I understand you would like to report a False Positive detection for base64js.min.js (d2e82495607abf54f16e21de04d90ba9ce1605451667d88425babece988f148b), correct me if wrong.

Please note that we are aware of this False Positive detection and this was already taken care of.

Talos has analyzed the file and deemed it benign. We have rectified the issue by changing the file disposition in Cisco Secure Endpoint, which effectively allows the customer to access the file. This update should be reflected on the customer’s appliance in the next 1-2 hours. The source of the conviction has been notified so that they can use this example to improve detection content, which will help prevent future false positives. Thank you for bringing this to our attention and let us know if you need further assistance.

Should you receive any recent detections, please proceed with updating your Connectors on the affected Endpoints. We apologize for any inconvenience this can cause.

Regards,

Re: Base64JS.min.js

Roman Valenta — Fri, 06 Oct 2023 13:44:57 GMT

The statement above is correct I just checked the internal ticket with TALOS and it was confirmed last night around 7pm EST that this is indeed FP event and will be removed from the detection list.

Re: Base64JS.min.js

dotran — Fri, 06 Oct 2023 14:25:33 GMT

I entered that hash into Talos and it still shows as UNKNOWN.

Re: Base64JS.min.js

noahigros — Fri, 06 Oct 2023 17:32:00 GMT

Final thoughts,

although we now have an accepted solution, for future reference you can also create an exclusion for events like this and apply it to your group policies. I personally don't tend to do that, as there is always the possibility of these events to be true and I wouldn't want to miss them. I've only done exclusions for very specific needs of an agency, but not an overarching file or action that's common across the board.

Re: Base64JS.min.js

dotran — Fri, 06 Oct 2023 17:39:38 GMT

That's what we did but prefer Cisco makes a public announcement and provide the updated signature files so the paying customers do not have to do any guess work.

Re: Base64JS.min.js

Roman Valenta — Fri, 06 Oct 2023 18:03:31 GMT

I do 100% agree with this statement. Secure Endpoint is definitely not "one click" solution there is many engines and factors that they play a big role in the final verdict and you guys have the power to control most of them. I also agree that FP events could be annoying and distracting but again SE is not just simple AV solution and in today world I rather be safe than sorry.

Also remember guys any doubts you have with False Positive or False Negative event TAC is here to help you and we treat these cases individually case by case. Most of them are resolved with in 24 hours from reporting, but there are cases like those caused by Exploit Prevention engine that are way more complicated than simple detection and those can take longer. So we appreciate the patience and support.