False Positive Communications

Early on 5/21/2022, Cisco Endpoint Protection trapped this event: 'detected a Cloud IOC: Executed Malware IOC'. It was classed as 'AMADEY' Malware. Because it was classified as a HIGH threat, and we have automated actions enabled, the affected computers were all ISOLATED from the network. That got attention.

By 4 PM the same day, the conviction was overturned and the computers with the detections attempted a RETROSPECTIVE RESTORE FROM QUARANTINE.

That is it. No explanation, no post anywhere that I can locate and reference in my RCA to close out the event.

Some person or process made a decision to reverse this conviction. The detail of the rationale and subsequent actions should be communicated. Possibly update the File Analysis details for the specific file (hash)?

Filename: chrome.exe
Magic Type: PE32+ executable (GUI) x86-64, for MS Windows
File Type: exe
SHA256: f342af2b1e3dd9ba90c10f643ec1f50459efbb5912496e8ac553682c2b7a9f6e
SHA1: 6a2a2427cf1d888cb40a18527478c84dedf1db61
MD5: 7f916511a313837efcde9e4112a64e5b

1 Reply

Oh boy, do I feel silly. I just found this in one of my sorted email folders. It arrived on Saturday 5/21, in a very timely manner. It was my fault for not handling those notifications correctly. Anyone know where to send apologies to Cisco?

Hello Scott Holland,

Cisco Secure Endpoint Announcement - "Chrome.exe" False Positive:

Cisco is aware of the false positive detection related to chrome.exe. The single SHA256 involved is f342af2b1e3dd9ba90c10f643ec1f50459efbb5912496e8ac553682c2b7a9f6e. The file disposition has been updated, and Cisco is investigating root cause. We apologize for the inconvenience caused.


You are receiving this email because you have subscribed to Secure Endpoint Announcements. If you feel you have received this email in error or need assistance, go here to open a support case.


Thank you.

Cisco Secure Endpoint