Cisco Secure Endpoint issue.exe

Hi team.

I received an alert of an Endpoint related to lsass.exe, but after analyzing the SHA-256 (95888daefd187fac9c979387f75ff3628548e7ddf5d70ad489cf996b9cad7193) they are clean and in the correct path and the truth is from my point of view I do not observe any suspicious activity.

The version I currently have is 8.2.1.21612.

Is it possible that it is a false positive?

[Attached screenshot: Captura de pantalla 2023-10-17 130007.jpg]


Accepted Solution

Roman Valenta (Cisco Employee)

It's hard to tell from the screenshot what happened, but I assume this event was triggered by System Process (the SPP engine?). You can read more about SPP in our user guide, page #148:

https://docs.amp.cisco.com/en/SecureEndpoint/Secure%20Endpoint%20User%20Guide.pdf


Mainly this part:

Protected System Processes:

System process protection protects the following processes:
• Session Manager Subsystem (smss.exe)
• Client/Server Runtime Subsystem (csrss.exe)
• Local Security Authority Subsystem (lsass.exe) <<< --------------
• Windows Logon Application (winlogon.exe)
• Windows Start-up Application (wininit.exe)

Other than that, just from a SHA256 perspective, both files, the protected lsass and MS DependencyAgent, are definitely clean, or I would say the SHA256 is clean.

If you are receiving System Process events, you can create a very specific SPP exclusion to mitigate this FP event if you are familiar with the process that is triggering it. You can also open a TAC case for further TS.

Regards,

Roman
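The triage the original poster describes (confirm the flagged binary's SHA-256 and that it lives in the expected path) can be scripted so the same check is applied consistently to every such alert. The following is an added example, not code from the thread or from Cisco. It assumes the canonical LSASS location is `C:\Windows\System32\lsass.exe` (default system drive), uses the SHA-256 quoted in the question as the single allow-listed value, and hashes a constructed sample file so it runs offline:

```python
"""Triage helper for an lsass.exe alert: is the reported file in the
canonical system path, and does its SHA-256 match a known-good value?

Added example (not Cisco code). Assumptions: default system drive C:,
and a one-entry allow-list built from the hash posted in the thread.
"""
import hashlib
import os
import tempfile
from pathlib import PureWindowsPath

# Assumption: LSASS lives in the default System32 directory on drive C:.
CANONICAL_LSASS = PureWindowsPath(r"C:\Windows\System32\lsass.exe")

# SHA-256 the original poster reported for the flagged file (from the thread).
POSTED_SHA256 = "95888daefd187fac9c979387f75ff3628548e7ddf5d70ad489cf996b9cad7193"
KNOWN_GOOD_SHA256 = {POSTED_SHA256}


def sha256_of_file(path):
    """Stream the file in 1 MiB chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_canonical_path(reported_path, expected=CANONICAL_LSASS):
    """Windows paths are case-insensitive and accept either separator,
    so normalise both sides before comparing."""
    reported = PureWindowsPath(reported_path)
    return str(reported).lower() == str(expected).lower()


def triage(reported_path, file_hash, known_good=KNOWN_GOOD_SHA256):
    """Return a verdict for the alert.

    'likely_false_positive' requires BOTH a canonical path AND an
    allow-listed hash. A copy of lsass.exe anywhere else, or an unknown
    hash in the right place, each needs a human to look further.
    """
    path_ok = is_canonical_path(reported_path)
    hash_ok = file_hash.lower() in {h.lower() for h in known_good}
    if path_ok and hash_ok:
        return "likely_false_positive"
    if not path_ok:
        return "suspicious_path"
    return "unknown_hash"


def self_check():
    """Hash a constructed temp file and confirm sha256_of_file agrees with
    hashlib on the same bytes. Returns True on agreement."""
    data = b"constructed sample bytes, not a real executable\n" * 64
    expected = hashlib.sha256(data).hexdigest()
    fd, tmp = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return sha256_of_file(tmp) == expected
    finally:
        os.remove(tmp)


if __name__ == "__main__":
    # Constructed alert fields; in practice these come from the console event.
    print(triage(r"C:\WINDOWS\system32\lsass.exe", POSTED_SHA256))
    print(triage(r"C:\Users\Public\lsass.exe", POSTED_SHA256))
    print("hashing self-check:", self_check())
```

This only vets the file on disk. An SPP event, as the answer above explains, is about some other process touching lsass, so the process named in the event is the one to examine and, if it is understood and legitimate, the one a narrowly scoped SPP exclusion would name.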
