
False positive for Edge?

smaddox
Level 1

Hi. I wanted to toss this out there to see if anyone else encountered this in the last week or so.

This morning, I opened up the console to 40% of my endpoints indicating a compromise. I opened one computer to start investigating. I found it to be a respective detection and quarantine attempt of Edge activity. On the surface it looks like a false positive, but having over 400 machines in the list, I don't want to be too dismissive. There is a screenshot of the activity details. The SHA is 98dbc146a89e65094bda4c1b0a3b2d8c4a5a1b6f93891e97336aba2a1994bcd8

3 Replies

Matthew Franks
Cisco Employee

I haven't seen anything for this hash. Is it possible someone accidentally added it to a SCD list? Edge is also signed by Microsoft which should prevent it from being quarantined.

Thanks,

-Matt

smaddox
Level 1

It isn't listed as being in the CSD. No file blacklist either. AMP is reaching back to 4/29 for the retrospective detection. I may need to open a TAC case for this one.

I agree. They should be able to look into the account history and see further details.

-Matt