fp on svchost.exe on Windows 2019 servers?

Hey all, 

are you seeing an FP on svchost.exe? Mostly Cloud.IOCs...

Ken

10 Replies

Brian.Cochran
Level 1

We are seeing it on multiple windows machines

jwilliams2
Level 1

It has been flagged on all my servers, but no Windows desktop machines.


If you investigate it using Cisco Threat Response it comes up marked as a "Common SHA-256 Hash"
Nobody on Virus Total marks it bad.
Malwares.com marks it good.

Yeah... it's an FP...

SReed2020
Level 1

Is this a false positive? A whole bunch of machines on our network are being isolated due to this event. 

Thanks for the update.

philippaisley
Level 1

Having this on many of our Desktops and Servers.


soup_dragon
Level 1

Seeing the same, only on 2016/2019 Windows servers. 

Have undertaken what checks we can in the time and all coming back no threat.

Still digging.

Rene Mueller
Level 5

Any update on this problem? We also have 2019 servers jumping into isolation mode regarding svchost fp.

Cisco advises False Positive

Cisco Secure Endpoint Announcement - False Positive detection
Cisco is aware of the false-positive detection related to svchost.exe. The single SHA-256 involved is cb19fd67b1d02......96cfe0ee0c6e45285436a1. The file disposition has been updated and Cisco is investigating the root cause. We apologize for any inconvenience this may have caused.

I put in a file reputation request on TalosIntelligence.com
Tweeted TalosIntelligence.
Opened a TAC case.
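The checks described in this thread (hash the local svchost.exe, compare it with the SHA-256 in the Secure Endpoint event, and confirm the binary is Microsoft-signed before trusting the "false positive" call) can be scripted. The block below is an added example written for this page; it is not code from Cisco, the thread, or Secure Endpoint. The function name Test-SvchostDisposition and the -FlaggedSha256 parameter are my own. The announcement above only shows a truncated hash (cb19fd67b1d02......96cfe0ee0c6e45285436a1), so the full value is deliberately not hard-coded: copy it from the event in the Secure Endpoint console and pass it in.

```powershell
# Added example (not from the thread or from Cisco). Run in an elevated
# PowerShell on a server that raised the svchost.exe event.
function Test-SvchostDisposition {
    [CmdletBinding()]
    param(
        # Full SHA-256 from the Secure Endpoint event. Left empty by default
        # because the announcement in this thread only shows a truncated hash.
        [string]$FlaggedSha256 = '',
        # Hypothetical default; change if you are checking a different path.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\svchost.exe')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Local hash, same algorithm Secure Endpoint reports.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # svchost.exe is catalog-signed, not embedded-signed. Get-AuthenticodeSignature
    # consults the system catalogs, so a genuine binary returns Status 'Valid'
    # with SignatureType 'Catalog' and a Microsoft Windows signer.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*CN=Microsoft Windows*')

    $ver = (Get-Item -LiteralPath $Path).VersionInfo

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Path              = $Path
        SHA256            = $hash
        MatchesFlaggedHash = ($FlaggedSha256 -ne '') -and ($hash -ieq $FlaggedSha256)
        SignatureStatus   = $sig.Status
        SignatureType     = $sig.SignatureType
        Signer            = $signer
        MicrosoftSigned   = $isMicrosoft
        FileVersion       = $ver.FileVersion
        ProductVersion    = $ver.ProductVersion
    }
}

# Single host:
# Test-SvchostDisposition -FlaggedSha256 '<full SHA-256 from the event>'

# Across the affected 2016/2019 servers (hypothetical names), via WinRM:
# $servers = 'srv2019-01', 'srv2019-02'
# Invoke-Command -ComputerName $servers -ScriptBlock ${function:Test-SvchostDisposition} `
#     -ArgumentList '<full SHA-256 from the event>' |
#     Select-Object Computer, SHA256, MatchesFlaggedHash, SignatureStatus, MicrosoftSigned, FileVersion |
#     Format-Table -AutoSize
```

Read the result as a pair: MatchesFlaggedHash tells you the host is carrying the exact binary Cisco re-dispositioned, and MicrosoftSigned tells you that binary is the catalog-signed Windows one rather than something else that happens to be named svchost.exe. A host whose hash differs from the event, or whose signature is not Valid, is not covered by the announcement and should be treated as a separate investigation rather than released from isolation on the strength of this thread.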

