Hi,
The File Detection category generates a lot of alerts on browser cache with signatures like these:
GT:JS.Hyena.x
GT:JS.Injected.x
Trojan.Generic.x
Trojan.GenericKD.x
Auto.x.in02
W32.x.in12.Talos
Most of the time these files are unique so they won't be on VirusTotal.
Submitting to Cisco's cloud sandbox won't do anything because they don't have any extensions to run with a default program, it's browser AppData.
The files are in proprietary formats specific to the browser and require forensics tools to parse. Even then these generic signature names don't tell us what it is about the file that is triggering the alert.
Does anyone have a reasonable way to do root cause analysis without going to Cisco TAC?
Is there a way to see the logic behind these signatures? Or do we know how they work at a higher level: are they looking at strings or binary patterns?
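One first step an analyst can take before escalating, as an added example that is not part of the original post: parse the flagged Chromium Simple Cache entry file (`<hash>_0` under the profile's `Cache_Data` directory) to recover the cached URL and the response body, so the alert can be tied to an origin and the body handed to a string or YARA triage. It assumes the Simple Cache layout of header, key, body stream, EOF record, header stream, optional key SHA-256, EOF record; `build_entry` only fabricates a sample in that layout for offline testing, and its version and key-hash fields are placeholders.

```python
import hashlib
import struct
import zlib

# Simple Cache constants, as in Chromium's net/disk_cache/simple/simple_entry_format.h
INITIAL_MAGIC = 0xFCFB6D1BA1ED5B3D
FINAL_MAGIC = 0xF4FA6F45970D41D8
FLAG_HAS_CRC32 = 1 << 0
FLAG_HAS_KEY_SHA256 = 1 << 1
HEADER = struct.Struct("<QIII")  # initial magic, version, key length, key hash
EOF = struct.Struct("<QIII")     # final magic, flags, data crc32, stream size

def parse_entry(data: bytes) -> dict:
    """Recover key (URL), header stream and body stream from a `<hash>_0` file.
    Stream sizes live only in the EOF records, so walk backwards from the end."""
    magic, version, key_len, _ = HEADER.unpack_from(data, 0)
    if magic != INITIAL_MAGIC:
        raise ValueError("not a Simple Cache entry file")
    key = data[HEADER.size:HEADER.size + key_len]
    eof0 = len(data) - EOF.size                      # stream 0 (headers) EOF record
    magic0, flags0, _, size0 = EOF.unpack_from(data, eof0)
    if magic0 != FINAL_MAGIC:
        raise ValueError("bad stream 0 EOF record")
    key_sha_ok = True
    if flags0 & FLAG_HAS_KEY_SHA256:                 # key SHA-256 precedes that record
        eof0 -= 32
        key_sha_ok = data[eof0:eof0 + 32] == hashlib.sha256(key).digest()
    headers = data[eof0 - size0:eof0]
    eof1 = eof0 - size0 - EOF.size                   # stream 1 (body) EOF record
    magic1, flags1, crc1, size1 = EOF.unpack_from(data, eof1)
    if magic1 != FINAL_MAGIC:
        raise ValueError("bad stream 1 EOF record")
    body = data[eof1 - size1:eof1]
    body_crc_ok = not (flags1 & FLAG_HAS_CRC32) or zlib.crc32(body) == crc1
    return {"version": version, "key": key.decode("utf-8", "replace"), "headers": headers,
            "body": body, "body_crc_ok": body_crc_ok, "key_sha_ok": key_sha_ok}

def build_entry(url: str, headers: bytes, body: bytes, key_sha256: bool = False) -> bytes:
    """Construct a synthetic entry in the same layout (test input, not a real cache file)."""
    key = url.encode()
    out = HEADER.pack(INITIAL_MAGIC, 9, len(key), 0) + key   # version and hash are placeholders
    out += body + EOF.pack(FINAL_MAGIC, FLAG_HAS_CRC32, zlib.crc32(body), len(body))
    out += headers
    flags0 = FLAG_HAS_CRC32
    if key_sha256:
        out += hashlib.sha256(key).digest()
        flags0 |= FLAG_HAS_KEY_SHA256
    return out + EOF.pack(FINAL_MAGIC, flags0, zlib.crc32(headers), len(headers))
```

Firefox's cache2 entries use a different on-disk layout, so this only covers Chromium-family browsers; the header stream is a Chromium Pickle, which this does not decode.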