Solved: Re: Malicious File Detected

Kelkar · ‎01-31-2024

Hello,

I have detected a file that was flagged by our Cisco Endpoint protection.

File Name: Get-NewLocalAdmin.ps1

Detection: W32.CFAB3E3BCA-95.SBX.TG

SHA 256: cfab3e3bca1517a535358cef7b206c65abb02470495ac929ca7b3ee0cfe3fab8

It looks like it spread across a lot of our computers and servers but it was denied. I have put it under the blocked application list.

I also found another file called "Set-LocalAdmin.ps1"

They were created in the ProgramData folder and the folder was called _Automation

I would like any advice if possible!

aleabrahao · ‎01-31-2024

Have more than one layer of protection, like a good antivirus for example.

Relying solely on the firewall does not guarantee good protection, nor does having a good antivirus.

The best thing you can do is “educate” users, create anti-phishing campaigns, etc.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

aleabrahao · ‎01-31-2024

Have more than one layer of protection, like a good antivirus for example.

Relying solely on the firewall does not guarantee good protection, nor does having a good antivirus.

The best thing you can do is “educate” users, create anti-phishing campaigns, etc.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Kelkar · ‎01-31-2024

Hello,

Thank you for the feedback. It turns out the issue was from our MSP running a script without notifying me 😑

Sorry for the trouble!