10-26-2020 07:49 AM
Quick question regarding this event type - our organization has been seeing a lot of these lately. My question is, what would cause the failure? Is it that the file in question no longer exists on the target machine?
Any insight would be great!
10-26-2020 08:42 AM
Usually it is because some other process has moved/deleted the file. We have seen a spike today around these:
is that what you are seeing? Just curious if they may have a bad detection going around.
10-26-2020 09:01 AM - edited 10-26-2020 12:26 PM
Edited to add these are the same detections we are seeing - W32.DE7D5559CF.in12.Talos. Good call.
10-26-2020 08:45 AM
Seeing the same thing over the weekend. I have about 10 computers and the folder path seems to be related to LastPass's browser extension for Chrome/MSEdge.
10-26-2020 09:15 AM
Seeing this same strange behavior at multiple Cisco AMP sites. All are in12.Talos threat detections and all seem to be Chrome-generated .js files. They vary from Adobe updates, Grammarly, and printer updates to just generic web browsing temp files. Roughly 30-plus different detection types on hundreds and hundreds of clean endpoints. Cisco, any comment on this? Seems like the in12.Talos detection has some flaws maybe.
10-26-2020 12:23 PM - edited 10-26-2020 12:25 PM
After some investigation this is exactly what we're seeing as well - mostly Grammarly-bg.js detections from Chrome add-ons.
10-26-2020 01:31 PM
Seeing the same on our campus. AMP is flagging several types of JavaScript files, with Grammarly being one. We noticed a co-worker opening Gmail, Google Drive, etc. on his machine caused alerts in the AMP console. His workstation now has at least 200 events flagged against it. I just updated to the latest AMP client (7.3.3.11988) at the end of last week. I wonder if something changed in the latest client to cause this behavior. I have opened a support case with Cisco on this issue.
10-26-2020 03:24 PM
We are experiencing the same issue. Retroactive device quarantine after failed attempts to quarantine and retrieve the .js files. The following are just a few for everyone's reference.
| Filename | SHA-256 |
| --- | --- |
| model.js | 04a2d4cc48a18f82d46a1bd70d7115916c8f87a527d0d5fad8900bbcecad72bf |
| dialogFields.js | 14f0e943467905821ee55e496353bc2f9153988f76280697a272a3ed3dbcbeb6 |
| 9.chunk.js | 2b1733cec43ef2c5d33558817569dcf4c2280eabcf84fc2cfe1a96a57eb9ebbc |
| popover.chunk.js | 8dd00e07b7d2a922758ee954b2f6f3145ccfe4def5d5ac207f45b6ab408338d2 |
| Grammarly-bg.js | de7d5559cfa7793ca804cc5d4dcbefab7b1a0a262bbb666e0f2358f1d2b1d71c |
| extensionDropdown.js | 35dc56ae2872f56b75c01f066b57b16121178aa81ea06906d377a6248585fdd1 |
I currently have a ticket open with TAC to find out further information.
10-27-2020 06:33 AM
I can't find exactly where these are being downloaded from in AMP, Threat Response or Umbrella. I'm assuming it's a false positive on Grammarly JavaScript files.
10-29-2020 12:09 PM
Hello all,
There was an issue in the AMP backend, and it should already be solved.
Greetings,
Thorsten