The System Process Protection engine prevented unexpected access to winlogon.exe by RunLiveUpd.exe.

matblo
Level 1

Hi.

We have computers with Cisco AMP installed.

In the AMP console we get flooded with this kind of message:

The System Process Protection engine prevented unexpected access to winlogon.exe by RunLiveUpd.exe.

It seems to be connected to the 3G/4G modem software on some computers. They have been scanned and nothing suspicious was found.
How should we manage them so we do not get this flag every day? It shows up as a lot of infected computers when the reality is a lot less... There is no option to whitelist.

jmarcel2
Level 1

Hey,

We have the same issue with the rbtmon.exe process (Riverbed mobile client). I have opened a TAC case because of it, and Cisco's answer is that they know this is a false positive, but there is no option to whitelist it yet. Cisco will address this issue by the end of January with an AMP update.

You can mute that alert to stop receiving it by clicking the bell icon.


Troja007
Cisco Employee

Hello,

First of all, a scan exclusion should stop the messages from flooding you.

I also recommend generating a Client Snapshot and opening a TAC case. Just open one computer in the computer management view where you see such events and click the "Diagnose" button. This enables debugging mode on the client, and the result is automatically uploaded to your AMP console.

As @Sunil Kumar already explained, it also looks like we have a BUG here too.

Hope this helps,

Cheers

Thanks for your hint, but in that case exceptions don't work. We already tried them. See the official reply from Cisco TAC:

This is XXX from Cisco TAC.

From now on I will be assisting you on this service request. Based on the case notes I see that you have issues with SPP reporting events which are false positives, and you want help with excluding or whitelisting them. This behaviour is described by two known defects affecting SPP. At the moment the only workaround would be to disable the SPP process. The fix should come with the next release, 6.2.5, planned for mid/end January.

Cheers

Marcel

joljol
Level 1

Hi all, I am having this issue, constantly getting alerts on RunLiveUpdate.exe (4G modem software) and DCCDataHelper.exe (Lenovo driver software). Both have been determined to be safe.

I tried to exclude them as @Troja007 suggested, but to no avail. It does not seem to have any effect. But maybe I am not doing it right?

The endpoints below are running v. 8 of the connector, so the bug mentioned earlier should not be relevant, should it?
