False positive? GT:JS.Hyena.3 detections

Chris05
Level 1

Last night we started getting GT:JS.Hyena.3.x detections on a number of computers. We are continuing to receive them, over 150 machines so far. Anyone else seeing this? 

Accepted Solution

The signature number was 14081197 and it was updated on the 10th around 2300 UTC. Hope that helps.

-Matt


19 Replies

Matthew Franks
Cisco Employee

TALOS is investigating for a potential FP.

MidwestCyber
Level 1

Seeing this on a large number of hosts in our environment. Appears to relate to browser updates.

ventaran
Level 1

Had a few boxes pop. No wscript or cscript action either. Odd. This looks like an FP.

mpdonovan
Level 1

Still seeing this on a growing number of endpoints.

Chris05
Level 1

We also continue to get these - a few hundred more detections throughout the night.

Matthew Franks
Cisco Employee

I've requested an update from TALOS and also stressed the priority. If you haven't, please open a TAC case as this will help with the prioritization.

Thank you, Matthew. Yes, we also opened a TAC case yesterday. The last update was from yesterday afternoon.

Hello, Talos is still investigating the issue at hand.

As far as the alerts go, you have the following options:

  1. Add a "Threat" type exclusion for the specific signature which is being triggered until the false positive analysis is completed and fixed.
  2. Add the file path to exclusions.
  3. Disable Tetra.

The options above are only temporary remediations until the false positive issue is fixed and, of course, this is solely at your discretion, but I wanted to offer them since you mentioned you are receiving numerous alerts in the console.

Every time I get one of these, I make sure that the file gets uploaded to Secure Malware Analytics (ThreatGrid) for analysis, and open a file reputation case at TalosIntelligence.com.


L8Tarkov
Level 1

I also had a large number of these pop up and opened a file reputation case at Talos but they closed it right away. Has it been confirmed a false positive?

As of now, it still hasn't been confirmed as a false positive. I will post again when we hear back from TAC.

ARB65
Level 1

Opened a TAC case last night. Got detections of this on 5 computers so far since 7:45 PM ET last night.

MidwestCyber
Level 1

TAC case opened here as well. I have been told Talos is aware of the situation.

We have over 250 detections at this point.

ARB65
Level 1

Just got a Secure Endpoint notification:

Cisco is aware of the false positive detections related to JS.Hyena.3.xxxx that started at approximately 2024-04-09 18:26 UTC. The signatures involved are being reviewed and Cisco is investigating the root cause. We apologize for any inconvenience this may have caused.


Fred_A
Level 1

Keep securing and being watchful until a response comes back from Cisco.