2726 Views, 5 Helpful, 0 Replies

AMP for Endpoints Simple Custom Detection quarantine event missing

Paladin
Level 1

According to Cisco Secure Endpoint documentation:

“A Simple Custom Detection list is similar to a blocked list. These are files that you want to detect and quarantine. Not only will an entry in a Simple Custom Detection list quarantine future files, but through Retrospective it will quarantine instances of the file on any endpoints in your organization that the service has already seen it on.”

I have added the SHA-256 hash 49ebb7feff3bde78611e87adf6cf34b980284e8401c413f409dbb9e3b6d0b642 to the Simple Custom Detection list. The Cloud IOC: ExecutedMalware.ioc alert is still appearing. The file is being detected by Simple_Custom_Detection, but the file was not quarantined, and a "Quarantine event missing" message is generated. "Benign parent disposition" is mentioned. The node belongs to a Protect policy with the conviction modes listed below. Can someone please provide tips on how I can force quarantine?

Operating System: Windows 8.1 Enterprise
Connector Version: 7.4.5.20701
Install Date: 2021-08-05 17:44:36 UTC
Definition Version: TETRA 64 bit (daily version: 85783)
Update Server: tetra-defs.amp.cisco.com
driverupdate.exe, DriverUpdate 5.7.0.0 (49ebb7fe…b6d0b642)[PE_Executable] was Executed by explorer.exe, Microsoft® Windows® Operating System 6.3.9600.18460 (d2faf086…20844fae)[PE_Executable].

Detected as Simple_Custom_Detection.

The file was not quarantined. Quarantine event missing.

Benign parent disposition.

File full path: c:\program files\driverupdate\driverupdate.exe

File SHA-1: 0a555ca92f6bebb71a511fd413d6a89c3cc8da3b.

File MD5: 3e63ff39aa3392d6865543f97bd3613f.

File size: 32502872 bytes.

File signed by Slimware Utilities Holdings, Inc. with certificate serial 3063b3a740c1cdfdf8bb9e6c331ad7de from VeriSign Class 3 Code Signing 2010 CA. Expired 23:59:59, Mon Jan 7 2019 UTC.

File cert MD5: 51d9a726e9b891ddd3171aa8cbc0e5c4.

File cert SHA-1: 33e24fe66e0117fdd4278699ad423ef2669fd258.

Parent file SHA-1: b642e9fcfac93f219d07bb6d530eb1de9efeb511.

Parent file MD5: ed6b4c95e2a6d67480b9dbb8a8e7d9b4.

Parent file size: 2755504 bytes.

Parent file signed by Microsoft Windows with certificate serial 33000000bce120fdd27cc8ee930000000000bc from Microsoft Windows Production PCA 2011. Expired 17:15:28, Fri Nov 18 2016 UTC.

Parent file cert MD5: 747a40b8593fdb7977bf60ba6f06778b.

Parent file cert SHA-1: e85459b23c232db3cb94c7a56d47678f58e8e51e.

 

amp123.PNG

AMP2.PNG

conviction modes.PNG

0 Replies
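For anyone triaging the same "detected but not quarantined" condition at scale, the following is an added example (not Cisco's code and not from the original post) that parses a Secure Endpoint event notification of the shape shown above, pulls out the file hashes, path, detection name, quarantine status and parent disposition, and flags events where a Simple Custom Detection hit did not result in quarantine. The sample event text is the one from the post, embedded inline; the SCD_LIST set is a constructed stand-in for an exported Simple Custom Detection list, and the expansion of the abbreviated hash display (first and last eight hex characters) to full list entries is this example's own convenience, not a Secure Endpoint feature.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample: the event text from the post, embedded so the example runs offline.
SAMPLE_EVENT = r"""driverupdate.exe, DriverUpdate 5.7.0.0 (49ebb7fe…b6d0b642)[PE_Executable] was Executed by explorer.exe, Microsoft® Windows® Operating System 6.3.9600.18460 (d2faf086…20844fae)[PE_Executable].
Detected as Simple_Custom_Detection.
The file was not quarantined. Quarantine event missing.
Benign parent disposition.
File full path: c:\program files\driverupdate\driverupdate.exe
File SHA-1: 0a555ca92f6bebb71a511fd413d6a89c3cc8da3b.
File MD5: 3e63ff39aa3392d6865543f97bd3613f.
Parent file SHA-1: b642e9fcfac93f219d07bb6d530eb1de9efeb511.
"""

# Constructed stand-in for an exported Simple Custom Detection list (full SHA-256 values);
# the single entry is the hash the poster added.
SCD_LIST: Set[str] = {"49ebb7feff3bde78611e87adf6cf34b980284e8401c413f409dbb9e3b6d0b642"}

# First line of the event: "<file name>, <product> <version> (<8 hex>…<8 hex>)[...] was ..."
ABBREV_RE = re.compile(r"^(?P<name>[^,]+),.*?\((?P<abbrev>[0-9a-f]{8}…[0-9a-f]{8})\)")
PARENT_RE = re.compile(r"^(?P<disp>\w+) parent disposition\.?$")


@dataclass
class EventTriage:
    file_name: str
    sha256_abbrev: str            # abbreviated form exactly as the event displays it
    sha1: Optional[str]
    md5: Optional[str]
    path: Optional[str]
    detection: Optional[str]      # e.g. "Simple_Custom_Detection"
    quarantined: bool
    quarantine_event_missing: bool
    parent_disposition: Optional[str]
    scd_match: bool               # abbreviated hash matches an entry in the SCD list


def expand_matches(abbrev: str, scd_list: Set[str]) -> Set[str]:
    """Return the full SHA-256 list entries whose head and tail match the abbreviated display form."""
    head, _, tail = abbrev.partition("…")
    return {h for h in scd_list if h.startswith(head) and h.endswith(tail)}


def parse_event(text: str, scd_list: Set[str]) -> EventTriage:
    """Parse one event notification block into an EventTriage record."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = ABBREV_RE.match(lines[0])
    if not m:
        raise ValueError("first line does not look like a Secure Endpoint event header")

    def field_value(prefix: str) -> Optional[str]:
        # "File SHA-1: <hash>." style lines; strip the trailing period the event adds.
        for ln in lines:
            if ln.startswith(prefix):
                return ln[len(prefix):].strip().rstrip(".")
        return None

    detection = field_value("Detected as ")
    parent = next((PARENT_RE.match(ln).group("disp") for ln in lines if PARENT_RE.match(ln)), None)
    not_quarantined = any("not quarantined" in ln.lower() for ln in lines)

    return EventTriage(
        file_name=m.group("name").strip(),
        sha256_abbrev=m.group("abbrev"),
        sha1=field_value("File SHA-1: "),
        md5=field_value("File MD5: "),
        path=field_value("File full path: "),
        detection=detection,
        quarantined=not not_quarantined,
        quarantine_event_missing=any("quarantine event missing" in ln.lower() for ln in lines),
        parent_disposition=parent,
        scd_match=bool(expand_matches(m.group("abbrev"), scd_list)),
    )


def needs_followup(t: EventTriage) -> bool:
    """True when a listed hash was detected as Simple_Custom_Detection but the file was not quarantined."""
    return t.detection == "Simple_Custom_Detection" and t.scd_match and not t.quarantined


if __name__ == "__main__":
    triage = parse_event(SAMPLE_EVENT, SCD_LIST)
    print(triage)
    print("follow-up required:", needs_followup(triage))
```

Run over a batch of exported event notifications, `needs_followup` separates the events that need a policy or retrospective-action check (as in the post) from ordinary quarantined hits, and the parsed SHA-1/MD5 values give you exact identifiers to search for in the console without relying on the abbreviated SHA-256 display.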