07-15-2024 04:48 AM
Good morning,
Anyone else who uses Citrix and Secure Endpoint seeing alerts for Hidden User Created with the value CtxPkmService being added into \MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList ?
This looks like a FP to me. It started happening in the past 24 hours.
Thank you for your time and help.
07-15-2024 05:03 AM
Hi there!
We have had the same issue since last Thursday. It appears that the alert is related to a specific Citrix version update to the Workspace Client. We consider it a false positive, especially since no hidden user has been created permanently.
Regards, Frank
07-15-2024 05:20 AM
Thank you for bringing this False Positive to our attention. We also had a TAC case filed on this and the issue has since been resolved. If you see the issue occur again, please open a TAC case so we can get it addressed quickly.
Thanks,
Matt
07-15-2024 05:53 AM
This is still occurring Matt.
We're seeing these 'Hidden User Created' detections for the Citrix 'CtxPkmService' alerts from AMP as recently as 15 minutes ago.
07-15-2024 06:16 AM
Interesting. I'll reach out to the developers and see what we can do. Do you have a TAC case open I can reference?
Thanks,
-Matt
07-15-2024 06:19 AM
I'd suggest trying to update your signatures considering that is how it was resolved.
In case that doesn't work, what connector version are you on?
-Matt
07-15-2024 07:04 AM
I do see that all of the clients who reported the FP also did Signature/Policy/Component updates within a few minutes of the detection, so my expectation is that these clients had been offline since before the update was pushed via policy, and they just did the scan/detection before they did the signature update.
I've updated our TAC case to reference that it's likely due to an order-of-operations issue with the definition update and the scan.
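A triage helper for this class of alert, added here as an example and not posted by any participant in the thread nor shipped by Cisco or Citrix. It assumes Sysmon-style registry events flattened to dicts (the sample events, hostnames and the `helpdesk$` value are constructed, and the key is written in HKLM form rather than the connector's `\MACHINE\` form) and classifies each UserList write as transient or persistent, noting whether a signature update followed within a window, which is the order-of-operations pattern discussed above.

```python
"""Triage of 'hidden user' alerts on the Winlogon SpecialAccounts/UserList key.

Added example, not code from the thread or from Cisco/Citrix. Events are
Sysmon-style registry events flattened to dicts (constructed sample below).
"""
from collections import defaultdict

USERLIST_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")

# Constructed sample events: ts in seconds; event is 'set', 'delete' or 'sig_update'.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "vdi-01", "event": "set", "key": USERLIST_KEY, "value": "CtxPkmService"},
    {"ts": 160, "host": "vdi-01", "event": "delete", "key": USERLIST_KEY, "value": "CtxPkmService"},
    {"ts": 220, "host": "vdi-01", "event": "sig_update", "key": "", "value": ""},
    {"ts": 500, "host": "ws-07", "event": "set", "key": USERLIST_KEY, "value": "helpdesk$"},
    {"ts": 600, "host": "ws-07", "event": "set", "key": r"HKLM\SOFTWARE\Unrelated", "value": "x"},
]


def triage_userlist_writes(events, revert_window=300, update_window=900):
    """Return {(host, value): {"persistent": bool, "updated_after": bool}}.

    A write deleted again within revert_window seconds is transient. A signature
    update within update_window seconds after the write supports the 'scan ran
    on stale definitions' explanation; it does not by itself clear the alert.
    """
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    verdicts = {}
    key = USERLIST_KEY.lower()
    for host, evs in by_host.items():
        for e in evs:
            if e["event"] != "set" or e["key"].lower() != key:
                continue
            later = [x for x in evs if x["ts"] > e["ts"]]
            reverted = any(x["event"] == "delete" and x["key"].lower() == key
                           and x["value"] == e["value"]
                           and x["ts"] - e["ts"] <= revert_window for x in later)
            updated = any(x["event"] == "sig_update"
                          and x["ts"] - e["ts"] <= update_window for x in later)
            verdicts[(host, e["value"])] = {"persistent": not reverted, "updated_after": updated}
    return verdicts


def needs_escalation(verdicts):
    """Persistent UserList entries are the ones to escalate, whatever vendor they name."""
    return sorted(k for k, v in verdicts.items() if v["persistent"])


if __name__ == "__main__":
    result = triage_userlist_writes(SAMPLE_EVENTS)
    for k, v in result.items():
        print(k, v)
    print("escalate:", needs_escalation(result))
```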
07-15-2024 08:36 AM
We had a similar issue that started on July 9 and continued to July 12. Was correlated with a Citrix Receiver update.