02-15-2021 01:58 AM
Hi All
Anyone else see a spike in Retrospective Detections over the weekend?
Specifically .in12.talos detections. All seemed to link to .js files from programs like Grammarly, Adobe, etc. All unable to quarantine.
Noticed a similar post last year so wanted to see if anyone else is experiencing the same?
Many thanks in advance.
02-15-2021 07:27 AM
Exactly the same behavior noticed. Not seeing any valid reason for Grammarly and other .js detections. Not clear why this is happening and was not happening prior. Maybe a false positive detection?
02-15-2021 07:36 AM - edited 02-15-2021 08:37 AM
See plenty of this as well during the day.
Haven't found anything that indicates that these are true positives... yet.
02-15-2021 08:03 AM
I believe they are false positives, so I suspect some issue with an IOC/signature update? Continuing to see more throughout the day, all .js files.
02-15-2021 08:10 AM
Agree with TBos1966. Would be good to hear from Cisco on this, as it is causing impact and unnecessary alerts for many AMP consumers, it seems.
02-16-2021 09:28 AM - edited 02-16-2021 09:39 AM
Having the same issue here. Seems like all are false positives:
js\Grammarly-codeSplitting.styles.js
js\premiumSurveyPopup.common.chunk.js
02-16-2021 10:45 AM
Yeah, those are the majority of the ones I’m seeing as well.
It appears that some of the others picked up yesterday such as interactive_ballon.js and ss_experience.js have now been tagged as not malicious but the ones you mentioned are still coming up as malicious.
It would be good to get some confirmation from Cisco as to whether this is a known issue with an update/IOC detection?