cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7040
Views
13
Helpful
7
Replies

Google Chrome update detected as Malware

statem
Level 1
Level 1

Lastnight I received many alerts about the Chrome update being indentified as Malware, until around 10PM EST, when a retrospective Malware alert was received making that file as Clean.

Did anyone else see this same behavior?

7 Replies 7

schuang
Cisco Employee
Cisco Employee

Hi Steve,

Yes, we have had some reports of that. Thanks for bringing this feature up and allowing me to share this with the community.

Retrospective Security is a very powerful feature in Cisco AMP that many customers leverage to mitigate damage in the "After" phase of the attack life cycle. It is important to note that it works both ways. Retrospection applies not only to files previously thought to be Unknown to be Malware but also in the cases of Malware to Clean. I am glad it worked positively for you.

More information on Cisco's Retrospective Security can be found here:

http://www.cisco.com/cisco/web/UK/products/security/security-attack-after.html

Shyue Hong

How far back in time can AMP Retrospective Security tell you about threats that it has seen on your systems?

Hi Paul,

This can vary due to different volumes of submissions for file analysis from one customer to another; and specifically one AMP for Endpoints connector to another. For accurate retrospective security, this history is down to a per AMP for Endpoints connector level in the DB. Cisco tries, at best effort, to keep about 30 days worth of data per connector in the AMP cloud. However, at this time, we have generally seen an ability to look back longer.

Thanks and best regards,

Shyue Hong

VladBulai02437
Level 1
Level 1

I have this problem as well. 

Hello- 

Cisco AMP - reporting alarm detection notification message saying that the user's web browser. This often happens with Chrome or Firefox.

Detection: JS:Trojan.Cryxos.2843
File: a6c9e967-66ea-41d7-a82d-ead1a8045272.tmp
File path: C:_Users_username_AppData_Local_Temp_a6c9e967-66ea-41d7-a82d-ead1a8045272.tmp
Detection SHA-256: 1926e5c46a347f8c5a9fedd21130c40e05eed1b0b5283d118c742bf273ccf5c3
By Application: chrome.exe
Application SHA-256: 4f0bcaacecdf01f7ecde697f5cb5f8247ffd610b83b9fba78a42fb875f0866dc
Severity: Medium
Timestamp: 2020-09-21 21:50:12 +0000 UTC

Greetings VladBulai02437,

Please reach out to Cisco TAC and provide a sample of the file for False Positive identification.

 

However, this alert does not look like it stating that Chrome.exe is malware but a file called 'a6c9e967-66ea-41d7-a82d-ead1a8045272.tmp' is. The parent application is Chrome.exe, which from this alert looks to be the user trying to download something via a web browser. How are you updating chrome? Are you downloading it the executable from https://www.google.com/chrome/ ? If it is happening in both Firefox and Chrome is most likely not the browser updating on it own.

 

Also the detection is Cryxos which is a pop-up that states your browser is infected which may also be an indicator that Chrome itself is not infected but an attempt to get a user to download malware: https://www.f-secure.com/v-descs/trojan_js_cryxos.shtml

 

If you manage to get a copy of the file make sure to include the link that you downloaded it, a copy of the file provided to TAC in a password protected zip file with the password as 'infected'.

 

I would recommend that you reach out to TAC to assist find below the world wide support numbers:
https://www.cisco.com/c/en/us/support/index.html

Dmitri Krull
Technical Marketing Engineer - Endpoint Security
dkrull@cisco.com
SSCP - 743085

YasserAmin
Level 1
Level 1

Hi , i spent my weekend investigating and resolving the impact out of this false alert because we have 24 operation worker , some of the computers have been isolated because of this issue . its good to have this response but it back with headache to IT team.