Last night I received many alerts about the Chrome update being identified as Malware, until around 10PM EST, when a retrospective Malware alert was received marking that file as Clean.
Did anyone else see this same behavior?
Yes, we have had some reports of that. Thanks for bringing this feature up and allowing me to share this with the community.
Retrospective Security is a very powerful feature in Cisco AMP that many customers leverage to mitigate damage in the "After" phase of the attack life cycle. It is important to note that it works both ways. Retrospection applies not only to files previously thought to be Unknown turning out to be Malware, but also to the cases of Malware to Clean. I am glad it worked positively for you.
More information on Cisco's Retrospective Security can be found here:
This can vary due to different volumes of submissions for file analysis from one customer to another, and specifically from one AMP for Endpoints connector to another. For accurate retrospective security, this history is kept down to a per-AMP-for-Endpoints-connector level in the DB. Cisco tries, at best effort, to keep about 30 days' worth of data per connector in the AMP cloud. However, at this time, we have generally seen an ability to look back longer.
Thanks and best regards,
Hello - Cisco AMP is reporting an alarm detection notification message saying that the user's web browser. This often happens with Chrome or Firefox.
Detection: JS:Trojan.Cryxos.2843
File: a6c9e967-66ea-41d7-a82d-ead1a8045272.tmp
File path: C:_Users_username_AppData_Local_Temp_a6c9e967-66ea-41d7-a82d-ead1a8045272.tmp
Detection SHA-256: 1926e5c46a347f8c5a9fedd21130c40e05eed1b0b5283d118c742bf273ccf5c3
By Application: chrome.exe
Application SHA-256: 4f0bcaacecdf01f7ecde697f5cb5f8247ffd610b83b9fba78a42fb875f0866dc
Severity: Medium
Timestamp: 2020-09-21 21:50:12 +0000 UTC
Please reach out to Cisco TAC and provide a sample of the file for False Positive identification.
However, this alert does not look like it is stating that Chrome.exe is malware, but that a file called 'a6c9e967-66ea-41d7-a82d-ead1a8045272.tmp' is. The parent application is Chrome.exe, which from this alert looks to be the user trying to download something via a web browser. How are you updating Chrome? Are you downloading the executable from https://www.google.com/chrome/ ? If it is happening in both Firefox and Chrome, it is most likely not the browser updating on its own.
Also, the detection is Cryxos, which is a pop-up that states your browser is infected. This may also be an indicator that Chrome itself is not infected, but that there was an attempt to get a user to download malware: https://www.f-secure.com/v-descs/trojan_js_cryxos.shtml
If you manage to get a copy of the file, make sure to include the link that you downloaded it from, and provide a copy of the file to TAC in a password-protected zip file with the password 'infected'.
I would recommend that you reach out to TAC to assist; find the worldwide support numbers below:
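As an added example (my own code, not from any poster or from Cisco), the script below splits the flattened notification posted earlier in this thread into its fields, checks that the two SHA-256 values are well-formed, and applies the triage points made in the reply above (what was flagged versus which process wrote it, and the Cryxos family name). The field labels are exactly those in the post; the Temp-folder check is my assumption about how the flattened path should be read.

```python
import re

# Alert text as it appears in the post above (flattened onto one line by the forum).
ALERT = (
    "Detection: JS:Trojan.Cryxos.2843 "
    "File: a6c9e967-66ea-41d7-a82d-ead1a8045272.tmp "
    "File path: C:_Users_username_AppData_Local_Temp_a6c9e967-66ea-41d7-a82d-ead1a8045272.tmp "
    "Detection SHA-256: 1926e5c46a347f8c5a9fedd21130c40e05eed1b0b5283d118c742bf273ccf5c3 "
    "By Application: chrome.exe "
    "Application SHA-256: 4f0bcaacecdf01f7ecde697f5cb5f8247ffd610b83b9fba78a42fb875f0866dc "
    "Severity: Medium "
    "Timestamp: 2020-09-21 21:50:12 +0000 UTC"
)

# Field labels in the order they appear in the notification.
FIELDS = ["Detection", "File", "File path", "Detection SHA-256", "By Application",
          "Application SHA-256", "Severity", "Timestamp"]
_LABELS = "|".join(re.escape(f) for f in FIELDS)
# Each value runs lazily until the next "Label: " or the end of the text.
_FIELD_RE = re.compile(rf"({_LABELS}): (.*?)(?= (?:{_LABELS}): |$)")
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_alert(text):
    """Turn a flattened AMP notification into a dict keyed by field label."""
    flat = " ".join(text.split())  # tolerate line breaks or doubled spaces
    alert = {m.group(1): m.group(2) for m in _FIELD_RE.finditer(flat)}
    for key in ("Detection SHA-256", "Application SHA-256"):
        if not _SHA256_RE.match(alert.get(key, "").lower()):
            raise ValueError(f"{key} is not a SHA-256 hex digest")
    return alert


def triage(alert):
    """Reader-side checks mirroring the reply: what was flagged, and by what."""
    notes = []
    if "Cryxos" in alert["Detection"]:
        notes.append("Cryxos: browser scareware script, not a detection on the browser binary")
    if alert["By Application"].lower() != alert["File"].lower():
        notes.append(f"flagged object is {alert['File']}, parent process is {alert['By Application']}")
    # Assumption: the forum flattened backslashes to underscores, so split on both.
    if "Temp" in re.split(r"[_\\]", alert["File path"]):
        notes.append("dropped in the user's Temp folder: typical of a download or cache artifact")
    return notes


if __name__ == "__main__":
    for line in triage(parse_alert(ALERT)):
        print(line)
```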