Google Chrome update detected as Malware

statem
Level 1

Last night I received many alerts about the Chrome update being identified as Malware, until around 10PM EST, when a retrospective Malware alert was received marking that file as Clean.

Did anyone else see this same behavior?

7 Replies

schuang
Cisco Employee

Hi Steve,

Yes, we have had some reports of that. Thanks for bringing this feature up and allowing me to share this with the community.

Retrospective Security is a very powerful feature in Cisco AMP that many customers leverage to mitigate damage in the "After" phase of the attack life cycle. It is important to note that it works both ways. Retrospection applies not only to files previously thought to be Unknown that turn out to be Malware, but also to cases of Malware to Clean. I am glad it worked positively for you.

More information on Cisco's Retrospective Security can be found here:

http://www.cisco.com/cisco/web/UK/products/security/security-attack-after.html

Shyue Hong

How far back in time can AMP Retrospective Security tell you about threats that it has seen on your systems?

Hi Paul,

This can vary due to different volumes of submissions for file analysis from one customer to another, and specifically from one AMP for Endpoints connector to another. For accurate retrospective security, this history is down to a per AMP for Endpoints connector level in the DB. Cisco tries, at best effort, to keep about 30 days' worth of data per connector in the AMP cloud. However, at this time, we have generally seen an ability to look back longer.

Thanks and best regards,

Shyue Hong

VladBulai02437
Level 1

I have this problem as well. 

Hello- 

Cisco AMP - reporting alarm detection notification message saying that the user's web browser. This often happens with Chrome or Firefox.

Detection: JS:Trojan.Cryxos.2843
File: a6c9e967-66ea-41d7-a82d-ead1a8045272.tmp
File path: C:_Users_username_AppData_Local_Temp_a6c9e967-66ea-41d7-a82d-ead1a8045272.tmp
Detection SHA-256: 1926e5c46a347f8c5a9fedd21130c40e05eed1b0b5283d118c742bf273ccf5c3
By Application: chrome.exe
Application SHA-256: 4f0bcaacecdf01f7ecde697f5cb5f8247ffd610b83b9fba78a42fb875f0866dc
Severity: Medium
Timestamp: 2020-09-21 21:50:12 +0000 UTC

Greetings VladBulai02437,

Please reach out to Cisco TAC and provide a sample of the file for False Positive identification.

However, this alert does not look like it is stating that Chrome.exe is malware, but that a file called 'a6c9e967-66ea-41d7-a82d-ead1a8045272.tmp' is. The parent application is Chrome.exe, which from this alert looks to be the user trying to download something via a web browser. How are you updating Chrome? Are you downloading the executable from https://www.google.com/chrome/ ? If it is happening in both Firefox and Chrome, it is most likely not the browser updating on its own.

Also, the detection is Cryxos, which is a pop-up that states your browser is infected, which may also be an indicator that Chrome itself is not infected but an attempt to get a user to download malware: https://www.f-secure.com/v-descs/trojan_js_cryxos.shtml

If you manage to get a copy of the file, make sure to include the link that you downloaded it from, and a copy of the file provided to TAC in a password-protected zip file with the password as 'infected'.

I would recommend that you reach out to TAC to assist. Find below the worldwide support numbers:
https://www.cisco.com/c/en/us/support/index.html

Dmitri Krull
Technical Marketing Engineer - Endpoint Security
dkrull@cisco.com
SSCP - 743085

YasserAmin
Level 1

Hi, I spent my weekend investigating and resolving the impact out of this false alert because we have 24 operation worker; some of the computers have been isolated because of this issue. It's good to have this response but it back with headache to IT team.
