Early on 5/21/2022, Cisco Endpoint Protection trapped this event: 'detected a Cloud IOC: Executed Malware IOC'. It was classed as 'AMADEY' Malware. Because it was classified as a HIGH threat, and we have automated actions enabled, the affected computers were all ISOLATED from the network. That got attention.
By 4 PM the same day, the conviction was overturned and the computers with the detections attempted a RETROSPECTIVE RESTORE FROM QUARANTINE.
That is it. No explanation, no post anywhere that I can locate and reference in my RCA to close out the event.
Some person or process made a decision to reverse this conviction. The detail of the rationale and subsequent actions should be communicated. Possibly update the File Analysis details for the specific file (hash)?
Filename | Magic Type | File Type | SHA256 | SHA1 | MD5
chrome.exe | PE32+ executable (GUI) x86-64, for MS Windows | exe | f342af2b1e3dd9ba90c10f643ec1f50459efbb5912496e8ac553682c2b7a9f6e | 6a2a2427cf1d888cb40a18527478c84dedf1db61 | 7f916511a313837efcde9e4112a64e5b