topic Re: TinyTurlaV2 Service Created - False positive detection in Endpoint Security

TinyTurlaV2 Service Created - False positive detection

Leijonbo — Tue, 27 Feb 2024 07:20:58 GMT

Today we see a lot of Threat detections that detect TinyTurlaV2 Service Created.

I just wonder if this has something to do with the False Positive Detections on Behaviorla Protection that Cisco annonsed yeasterday evening. It looks like this detections started at the same time so therefore my question.

Also found this question on TinyTurlaV2 Service : r/DefenderATP (reddit.com)

Re: TinyTurlaV2 Service Created - False positive detection

alexdeschrijver — Tue, 27 Feb 2024 09:10:38 GMT

did anyone got a response of Cisco's them self already?

Re: TinyTurlaV2 Service Created - False positive detection

Bunged — Tue, 27 Feb 2024 09:30:16 GMT

We saw the same thing in our environment.

Re: TinyTurlaV2 Service Created - False positive detection

tashe — Tue, 27 Feb 2024 09:16:14 GMT

Hello,

I just received confirmation from cisco tac support team that TinyTurlaV2 is a false positive detection.

"The Talos has already revoked affected signature versions and the connectors should be updating with the corrected signature bundle".

Re: TinyTurlaV2 Service Created - False positive detection

ventaran — Tue, 27 Feb 2024 11:13:00 GMT

You beat me to it. This has to stop. 50% of our endpoints are highlighted.

Re: TinyTurlaV2 Service Created - False positive detection

ventaran — Tue, 27 Feb 2024 11:12:36 GMT

Just got confirmation this is a FalsePositive as well

Re: TinyTurlaV2 Service Created - False positive detection

Ken Stieers — Tue, 27 Feb 2024 12:44:00 GMT

That is also a false positive.

Re: TinyTurlaV2 Service Created - False positive detection

joe5961 — Tue, 27 Feb 2024 13:18:13 GMT

We received notice from our Managed Service Provider who is partnered with Cisco. They acknowledged receiving word from Cisco that these were false positives. Cisco is supposed to be releasing an updated signature to correct the issue. Not sure when that will be. But it has created a lot of alerts on our end. Nerve racking.....

Re: TinyTurlaV2 Service Created - False positive detection

J Hefner — Tue, 27 Feb 2024 13:40:19 GMT

Has anyone else been able to trace what apps are triggering these False Positives? I was under the impression these were supposed to have been fixed 24 hours ago.

Re: TinyTurlaV2 Service Created - False positive detection

Roman Valenta — Tue, 27 Feb 2024 13:50:59 GMT

As long as your BP signature is updated you should be no longer receiving these false positive events. The fix was implemented yesterday but if for some reason (PC offline) you are still on the old BP signature you will continue receiving these alerts until the Signature is updated.

You can manually update through cmd line: C:\Program Files\Cisco\AMP\Your-Connector-Version\sfc.exe -forceApdeUpdate

First Seen: 2024-02-26 17:33:47
TinyTurlaV2-ServiceCreated

BP Signature 13381 fixes TinyTurlaV2-ServiceCreated issue

First Seen: 2024-02-26 09:28:00
System-Restore

BP Signature 13380 fixes the System-Restore issue

Hope this help....

Re: TinyTurlaV2 Service Created - False positive detection

hanculak — Tue, 27 Feb 2024 13:51:03 GMT

It seems that affected Behavioral Protection Signature Set is version 13357. As soon as signature set is updated to this version, events start coming. Signature set version 12887 seems to be safe.

Re: TinyTurlaV2 Service Created - False positive detection

Ken Stieers — Tue, 27 Feb 2024 13:53:00 GMT

The fix for the System Restore reg key went out yesterday afternoon, per discussion in the Secure Endpoint Webex team

Not sure if/when the TinyTurla fix went.

Re: TinyTurlaV2 Service Created - False positive detection

hanculak — Tue, 27 Feb 2024 13:56:31 GMT

According to our testing and other articles on web, sfc.exe -forceApdeUpdate updates only Tetra engine. BP engine signature set stayed the same.

Re: TinyTurlaV2 Service Created - False positive detection

Roman Valenta — Tue, 27 Feb 2024 14:48:14 GMT

Looks like our servers are overwhelmed with delayed jobs which might be the cause why the signatures are not updating. Note was just released in the portal to confirm the same...

Re: TinyTurlaV2 Service Created - False positive detection

Vince3889 — Tue, 27 Feb 2024 15:20:44 GMT

All configured email alerts stopped in our environment since this whole 2-false-positive mess began. Has anyone else experienced this as well? Did Cisco turn off email alerting anyone know?

Re: TinyTurlaV2 Service Created - False positive detection

emapsit — Tue, 27 Feb 2024 15:39:42 GMT

I received an alert 2024-02-2617:21UTC for the System Restore Disabled by Registry. After that nothing. Thought I was missing something with my alerts.

Re: TinyTurlaV2 Service Created - False positive detection

emapsit — Tue, 27 Feb 2024 15:49:44 GMT

Refreshed my inbox and found this alert. It wasn't there an hour ago but says it's been there for 8 hours.

Re: TinyTurlaV2 Service Created - False positive detection

Ken Stieers — Tue, 27 Feb 2024 15:50:32 GMT

I also haven't gotten anything from these...
Though I should have.
My subscription is still in place.

________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

Re: TinyTurlaV2 Service Created - False positive detection

Vince3889 — Tue, 27 Feb 2024 15:55:46 GMT

Thanks @emapsit & @Ken Stieers . Seeing these 2 messages now:

I guess this is like 'retrospective detections' but applied to system messages? I wanna rant so bad right now, this is testing the limits of self-control. 🙂

Re: TinyTurlaV2 Service Created - False positive detection

Ken Stieers — Tue, 27 Feb 2024 16:06:33 GMT

I hear you...
I think the whole pipeline of outbound data is clogged... Events, notifications, updates, everything...

________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.