False positives regarding tmp files from chrome.exe

TyGuy1321
Level 1

Over the past few weeks, I have been getting quite a few notifications about tmp files getting flagged in Cisco AMP, but the file never gets quarantined. It just says that it failed to quarantine the file because it's already been "deleted, moved, or already quarantined". This is happening on a few different computers in completely different departments on completely different subnets.

I checked the logs in our other AV, but nothing is coming up in regards to these tmp files. Also, every single instance of this that I have seen originates from chrome.exe.

The best I've been able to do is scan the endpoint, clear out their temp folder, and then mark it as resolved because I cannot think of anything else.

Has anybody else experienced this? If so, how did you resolve it?
Am I missing something entirely? Like I said, this hasn't always been a problem, so I'm a bit confused as to what could be causing it.

I have attached screenshots of one example.

Any and all advice would be greatly appreciated!

6 Replies

soup_dragon
Level 1

TyGuy1321, you beat me to it. Seeing a similar issue here in both Chrome and the new MS Edge, which is basically Chrome anyway. Saw an early post here this month and the response was to raise a case with TAC, I seem to recall. At that point I only saw one report in our dashboard and ignored it, but have since seen quite a few similar. Our thinking at the moment is that it is to do with enabling notifications within the browser for the site, but that is a work in progress.

Thank you very much for your response.

The enabling notifications idea definitely makes sense. I didn't think about that. I'm going to dig into that a little more and see what I can find.

If I figure out something, I will definitely post it here.

And if not, I'll just hand it off to TAC.

Thanks again.

Hi TyGuy1321,

have you figured something out on this case?

Best regards!

ChadTaul60385
Level 1

I too often have the same issues. When it says quarantine failure, I check the Temp folder for the file and it doesn't exist. So I just mark it as resolved. But if it is actually removing the questionable temp file, why is it reporting "quarantine failure"? Very annoying and wastes my time checking every time this happens. I'm really curious if anyone has found a proper fix to this annoyance. If so, please share. Thanks - first time poster, Chad.

Roman Valenta
Cisco Employee

This is not a fix, but perhaps I will shine more light on this ongoing issue.

When it comes to these specific *.TMP events, from what I have seen before, they are very tricky to avoid.

One of the most common scenarios is with chrome.exe and its updates or browser cache. TMP files are typically created by applications to store some form of temporary data, in a more permanent form than RAM, on your hard disk. TMP files are commonly produced either when a program can't allocate enough memory for its tasks, or as part of inter-process communication. TMP files are usually deleted automatically by the parent application (the software, game, application) which created them, hence they are hard to catch later, as they get destroyed in the process.

I also believe that on the detections you are receiving on *.TMP files you are not able to fetch them, and in most cases you might see a message similar to "Quarantine Failed".

As I said earlier, temporary files are placed on the machine during an installation or upgrade, or sometimes by simply visiting a website. It is common to see even legitimate software such as Google's generate these false positive events. We always try to get our hands on these files and get them analyzed to avoid these events, so if you can provide us with samples that would be great, as we will submit them to our developers so they can "fine-tune" these detections.

As for the quarantine failure, as I mentioned, these files are usually short-lived, so by the time we have analyzed the file, flagged it as suspicious based on many behavioral aspects, and gone back to try to remove it, in many cases the file is simply not there because it has been auto-deleted by the system/program/application. That's why you see the message about failure to quarantine.

As for your pictures, two things to notice.

A: The SHA of the file is grey, which means that the SHA is not malicious but rather classified as unknown/unseen.

B: In your event detail picture from Device Trajectory, you can see which engine flagged the file and, in this case, this is the offline Tetra Engine.

So back again to samples: we will need that sample to analyze and determine which part is falsely triggering the detection.

Unfortunately, this is the issue when it comes to enterprise-type security: the more complex the engine is, the more false positive events you will see. It really boils down to getting familiar with the dashboard and spotting these obvious FP events. I wish there were a one-click solution for everything.
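Editor's added example, not code from the original thread or from Cisco: the post above explains that the flagged *.TMP files are gone by the time the engine tries to quarantine them, and that the vendor needs the file itself to tune the detection. The script below shows how an analyst can close that gap: poll a Temp directory (on Windows, %LOCALAPPDATA%\Temp for the affected user) and copy every new *.tmp into an evidence folder keyed by its SHA-256, then triage a "quarantine failed" event by checking whether the reported path still exists, whether its hash matches the one in the event, and whether a copy was captured before deletion. The event fields (file path, SHA-256) and the polling approach are assumptions for illustration; the AMP/Secure Endpoint export format and quarantine internals are not reproduced. All sample data is constructed.

```python
"""Capture short-lived *.tmp files before their parent process deletes them, then
triage an EDR "quarantine failed" event against what is (or was) on disk.
Added example; event field names are assumptions, not a vendor export format."""
import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional


def sha256_of(path: Path) -> str:
    """Stream the file so large browser-cache temp files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def capture_new_tmp_files(watch_dir: Path, evidence_dir: Path,
                          seen: Dict[str, str]) -> Dict[str, str]:
    """One polling pass over watch_dir (e.g. the user's Temp folder): copy every
    *.tmp not seen before into evidence_dir, named by SHA-256 so repeats collapse.
    `seen` maps original path -> sha256 and persists between passes; the return
    value holds only the files captured on this pass."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    captured: Dict[str, str] = {}
    for p in watch_dir.iterdir():
        key = str(p)
        if key in seen or p.suffix.lower() != ".tmp" or not p.is_file():
            continue
        try:
            digest = sha256_of(p)
            dest = evidence_dir / f"{digest}.bin"
            if not dest.exists():
                shutil.copy2(p, dest)
        except (FileNotFoundError, PermissionError):
            # Deleted or locked between listing and read: the same race the EDR loses.
            continue
        seen[key] = digest
        captured[key] = digest
    return captured


@dataclass
class Verdict:
    status: str              # present_match | present_mismatch | gone_captured | gone_uncaptured
    on_disk_sha256: Optional[str]
    sample: Optional[Path]   # file to hand to the vendor, if one is available


def triage_event(file_path: str, reported_sha256: str,
                 seen: Dict[str, str], evidence_dir: Path) -> Verdict:
    """Decide what a 'quarantine failed' event means for this file right now."""
    reported = reported_sha256.lower()
    p = Path(file_path)
    if p.is_file():
        digest = sha256_of(p)
        status = "present_match" if digest == reported else "present_mismatch"
        return Verdict(status, digest, p)
    # The parent process already deleted it; did an earlier pass save a copy?
    sample = evidence_dir / f"{reported}.bin"
    if sample.is_file():
        return Verdict("gone_captured", None, sample)
    return Verdict("gone_uncaptured", None, None)


def run_demo() -> dict:
    """Constructed scenario: a *.tmp appears, is captured, then vanishes before
    'quarantine'. Uses a throwaway directory instead of a real Temp folder."""
    root = Path(tempfile.mkdtemp(prefix="tmp-triage-"))
    watch, evidence = root / "Temp", root / "evidence"
    watch.mkdir()
    content = b"constructed sample: not a real Chrome temp file"
    victim = watch / "chr1A2B.tmp"
    victim.write_bytes(content)
    expected = hashlib.sha256(content).hexdigest()
    seen: Dict[str, str] = {}
    first = capture_new_tmp_files(watch, evidence, seen)
    second = capture_new_tmp_files(watch, evidence, seen)   # nothing new on pass two
    while_present = triage_event(str(victim), expected.upper(), seen, evidence)
    victim.unlink()                                          # parent app cleans up
    after_delete = triage_event(str(victim), expected, seen, evidence)
    never_seen = triage_event(str(watch / "ghost.tmp"), "0" * 64, seen, evidence)
    return {
        "expected_sha256": expected,
        "first_pass": first,
        "second_pass": second,
        "while_present": while_present.status,
        "after_delete": after_delete.status,
        "after_delete_sample": after_delete.sample,
        "evidence_path": evidence / f"{expected}.bin",
        "never_seen": never_seen.status,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

In practice you would run the capture pass in a loop (or from a scheduled task) on one affected endpoint while the detections are occurring, then submit the files under the evidence folder whose hash matches the SHA shown in the AMP event. A `gone_uncaptured` verdict is the expected outcome for the events in this thread and is a reason to tighten the polling interval, not evidence that anything was removed.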


Same issue, thanks for the resolution.