
Event: Retrospective Quarantine: Failed

TBos1966
Level 1

Hi All

Anyone else see a spike in Retrospective Detections over the weekend?

Specifically .in12.talos detections. All seemed to link to .js files from programs like Grammarly, Adobe etc. All unable to quarantine.

Noticed a similar post last year so wanted to see if anyone else is experiencing the same?

Many thanks in advance.

6 Replies

Amped
Level 1

Exactly the same behavior noticed. Not seeing any valid reason for Grammarly and other .js detections. Not clear why this is happening and was not happening prior. Maybe a false positive detection? 

See plenty of this as well during the day.

Haven't found anything that indicates that these are true positives... yet.

TBos1966
Level 1

I believe they are false positives, so I suspect some issue with an IOC/signature update? Continuing to see more throughout the day, all .js files.

Agree with TBos1966. Would be good to hear from Cisco on this, as it is causing impact and unnecessary alerts for many AMP consumers, it seems.

Coffee&Tech
Level 1

Having the same issue here. Seems like all are false positives:

js\Grammarly-codeSplitting.styles.js

js\premiumSurveyPopup.common.chunk.js

Yeah, those are the majority of the ones I’m seeing as well.


It appears that some of the others picked up yesterday, such as interactive_ballon.js and ss_experience.js, have now been tagged as not malicious, but the ones you mentioned are still coming up as malicious.

It would be good to get some confirmation from Cisco as to whether this is a known issue with an update/IOC detection?