10-05-2023 12:49 PM
Good afternoon,
We are using Cisco AMP, with our connector version being 8.2.1.21612, and are receiving numerous alerts for the filename Base64JS.min.js. Is anybody else experiencing this? Previously we had a widespread issue with a smss.exe parent process that was found to be an issue with a new BP update on Cisco's end for the same connector version we are on now. Could this be related?
10-06-2023 03:03 AM
Hello Anthony,
Thank you for contacting us, I am Sara from ATS TAC, and I will be working with you on that case. From what I understand you would like to report a False Positive detection for base64js.min.js (d2e82495607abf54f16e21de04d90ba9ce1605451667d88425babece988f148b), correct me if I'm wrong.
Please note that we are aware of this False Positive detection and this was already taken care of.
Talos has analyzed the file and deemed it benign. We have rectified the issue by changing the file disposition in Cisco Secure Endpoint, which effectively allows the customer to access the file. This update should be reflected on the customer’s appliance in the next 1-2 hours. The source of the conviction has been notified so that they can use this example to improve detection content, which will help prevent future false positives. Thank you for bringing this to our attention and let us know if you need further assistance.
Should you receive any recent detections, please proceed with updating your Connectors on the affected Endpoints. We apologize for any inconvenience this may cause.
Regards,
10-06-2023 10:32 AM
Final thoughts,
Although we now have an accepted solution, for future reference you can also create an exclusion for events like this and apply it to your group policies. I personally don't tend to do that, as there is always the possibility of these events being true and I wouldn't want to miss them. I've only done exclusions for very specific needs of an agency, but not for an overarching file or action that's common across the board.
10-06-2023 11:03 AM
I do 100% agree with this statement. Secure Endpoint is definitely not a "one click" solution; there are many engines and factors that play a big role in the final verdict, and you guys have the power to control most of them. I also agree that FP events can be annoying and distracting, but again SE is not just a simple AV solution, and in today's world I'd rather be safe than sorry.
Also remember, guys, for any doubts you have with a False Positive or False Negative event, TAC is here to help you, and we treat these cases individually, case by case. Most of them are resolved within 24 hours of reporting, but there are cases like those caused by the Exploit Prevention engine that are way more complicated than a simple detection, and those can take longer. So we appreciate the patience and support.
10-05-2023 02:38 PM
Did they update you as to the status? It's been a few hours now since this started.
10-05-2023 12:56 PM
I have 28 isolation events centered around this Base64JS.min.js detection. Can we get word on whether this is a false positive? We are running scans at the moment; this stinks like a false positive.
10-05-2023 01:03 PM
Thank you both for the input. @Ken Stieers, if you find any further information, please let me know.
10-05-2023 01:12 PM
I am currently seeing the same issue in my console.
10-05-2023 01:23 PM
I'm seeing retrospective detection and retrospective quarantine attempt failed for d2e82495607abf54f16e21de04d90ba9ce1605451667d88425babece988f148b
C:\adobeTemp\ETRDE65.tmp\2\x64\js\node_modules\base64-js\base64js.min.js
10-05-2023 01:41 PM
I'm seeing retrospective detection and retrospective quarantine attempt failed on 100+ machines for d2e82495607abf54f16e21de04d90ba9ce1605451667d88425babece988f148b
/c:/adobetemp/etr37a4.tmp/2/x64/js/node_modules/base64-js/base64js.min.js
Two weeks ago we also experienced the sms.exe parent process issue at our organization.
Connector version 8.2.1.21612
10-05-2023 01:57 PM
For the retrospective quarantine attempt failure, that's a confusing feature. SEP will quarantine the initial event, but until the event is marked as resolved, it will continuously monitor it as still being present and search for the signature that no longer exists due to it already being handled, thus resulting in a quarantine failure. You could always verify by going into the device trajectory and looking for persistence on the same host, but in my experience it's never the case, and it's very time consuming considering the number of alerts.
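A small triage helper for the situation described in this thread (dozens to hundreds of retrospective detections and "quarantine attempt failed" repeats for one hash), as an added example that is not Cisco's code or any poster's own: it groups events by SHA-256, counts the repeat-quarantine alerts separately, and lists hashes that still lack a benign disposition. The event records are constructed to mirror the fields mentioned in the thread and are not the real Secure Endpoint API schema.

```python
"""Triage a burst of Secure Endpoint retrospective detections by file hash.
Added example, not Cisco's or the thread authors' code; the event records are
constructed to mirror fields mentioned in the thread, not the real API schema."""
import re
from collections import defaultdict

# SHA-256 quoted in the thread for base64js.min.js (later deemed benign by Talos)
FP_HASH = "d2e82495607abf54f16e21de04d90ba9ce1605451667d88425babece988f148b"
KNOWN_BENIGN = {FP_HASH}
OTHER_HASH = "0" * 64  # constructed placeholder for an unrelated detection
# Path shape reported in the thread: installer temp dir bundling node_modules/base64-js
BUNDLED_BASE64JS = re.compile(r"node_modules[\\/]base64-js[\\/]base64js\.min\.js$", re.I)

# Constructed sample events (hostnames are made up; paths follow the thread's reports)
EVENTS = [
    {"host": "ws-101", "sha256": FP_HASH, "event": "Retrospective Detection",
     "path": r"C:\adobeTemp\ETRDE65.tmp\2\x64\js\node_modules\base64-js\base64js.min.js"},
    {"host": "ws-101", "sha256": FP_HASH, "event": "Retrospective Quarantine Attempt Failed",
     "path": r"C:\adobeTemp\ETRDE65.tmp\2\x64\js\node_modules\base64-js\base64js.min.js"},
    {"host": "ws-202", "sha256": FP_HASH, "event": "Retrospective Detection",
     "path": "/c:/adobetemp/etr37a4.tmp/2/x64/js/node_modules/base64-js/base64js.min.js"},
    {"host": "ws-303", "sha256": OTHER_HASH, "event": "Retrospective Detection",
     "path": r"C:\Users\alice\Downloads\invoice.js"},
]

def summarize(events):
    """Group events by SHA-256: affected hosts, event-type counts, path consistency."""
    groups = defaultdict(lambda: {"hosts": set(), "events": defaultdict(int), "paths": set()})
    for ev in events:
        g = groups[ev["sha256"]]
        g["hosts"].add(ev["host"])
        g["events"][ev["event"]] += 1
        g["paths"].add(ev["path"])
    return {
        sha: {
            "hosts": len(g["hosts"]),
            # Repeat alerts on an already-quarantined file (see the post above), not new infections
            "quarantine_retries": g["events"]["Retrospective Quarantine Attempt Failed"],
            "known_benign": sha in KNOWN_BENIGN,
            "all_bundled_paths": all(BUNDLED_BASE64JS.search(p) for p in g["paths"]),
        }
        for sha, g in groups.items()
    }

def needs_review(events):
    """Hashes with no benign disposition yet: still worth a device-trajectory check."""
    return sorted(sha for sha, s in summarize(events).items() if not s["known_benign"])
```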
10-05-2023 06:19 PM
We're seeing this as well. Did you get any additional info from Cisco or Talos?
10-06-2023 12:36 AM
Hello, same problem here with base64js.min.js. Any news on your side?
10-06-2023 02:15 AM
The execution parent in my environment is setup.exe from Adobe. The Adobe setup.exe file is clean. This is most likely a false-positive. Lighting up my environment with this.
10-06-2023 02:44 AM
On our side it's the latest release of XMind for Windows https://xmind.app/download/