cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
16941
Views
16
Helpful
44
Replies

Chrome.exe exploit prevention events

benwe
Level 1
Level 1

I have over 500 alerts for chrome.exe exploit prevention alerts on all different devices in Secure Endpoint the past couple of days.

All the same hash

55c3f36080f2ddbf4c47d6685fa42333ee0172866a31c0f29c1797dc2954ab29

I have added that hash to the allow list and it still blowing up. 

Any ideas?

benwe_0-1683293197558.png

 

44 Replies 44

Thank you for the update Roman

Roman Valenta
Cisco Employee
Cisco Employee

Another quick update for you guys. As of right now there should be NO MORE EXPREV CHROME FALSE POSITIVES alerts showing in the portal. Please verify the same and let us know in case you have open TAC case as well.

 

i still had some as of 857AM CST this morning

benwe_0-1685541604077.png

 

I will continue to look out for them an update my TAC case accordingly. Thanks.

Thanks for the update. I think that is expected as it will take some time to populate across the cloud, but in general it should gradually start slowing down and you should see less and less as the day progress. Either way please keep an eye on that and let us know in your TAC case on the progress.

 

Hey Roman,

We do experience the same behaviour on one of our endpoint. (Connector 7.5.9, Chrome 114). Can you confirm that the exprev for Chrome is fully fixed? How should I proceed in order to fix the issue? Open TAC ?

thank you

Marcel

 

If this issue is still related to "kernel32.dll" Chrome ExPrev events I would suggest open a TAC case just so we can gather some additional data from your side. From what I understand majority events got resolved but there are still fever that we like to look at it. Also based on the few remaining cases it seems that these events are triggered randomly and hard to reproduce which makes the investigation harder as we would like to collect some procmon logs to understand this issue better. I also understand that these are just alerts, but nothing seems affected on the user end is that correct?

Either way please open a TAC case and work with your engineer on collecting logs.


Regards,

Roman

 

nupagazi
Level 1
Level 1

I also have the same issue. Now another exploit prevention alert from Cisco Secure endpoint is userinit.exe. I guess ti is FP too. I realize that the exploit prevention happens more when we update connector to 8.1.7

If this is something that keeps triggering over and over I would also open TAC case to look in to this and work with engineer to collect logs. Also pictures from Secure Endpoint console would help such as screenshot from event page expanded and Device Trajectory Event Details

 

Its not just event message in the console. In our case Ex Prev engine blocks chrome from execution. Funny that only one machine out of 2k+ is impacted by this problem. We tried reinstall Chrome, didnt help. We will open a TAC case for deeper investigation. Thx for advice.

Marcel

Hello Roman,

I have been following this thread because of the issue described here. We started experiencing it in our environment but it was fixed after the policy update. We are starting to see it again but now on a different Chrome version 115.0.5790.110

In the past week, we have been getting a steady flow of notifications from about 60 clients at random times. Any insights you can provide. I have not gather any logs yet, but sent some files for analysis to try and get more info on the specific version of chrome. Appreciate your assistance. 

Thanks for pointing this out. We are seeing the same behavior, same version of Chrome (115.0.5790.110) which is supposed to be the latest version. TAC responded to me stating this is not correlated to a known issue. In addition, there doesn't seem to be a way to reproduce this on-demand. Users report going about their daily stuff, nothing out of the ordinary. If I get any updates, I'll add them here.

benwe
Level 1
Level 1

what connector version are you on? 

We're on version 8.1.7.21417

There's a new build available to fix this bug specifically. You want to be on build 21512

Thanks Ken.

We haven't seen these alerts since upgrading to build 21512.