How to investigate high number of alerts for browser cache files

PleaseHelpMe
Level 1

Hi, 

The File Detection category generates a lot of alerts on browser cache with signatures like these:

GT:JS.Hyena.x
GT:JS.Injected.x
Trojan.Generic.x
Trojan.GenericKD.x
Auto.x.in02
W32.x.in12.Talos

Most of the time these files are unique so they won't be on VirusTotal.

Submitting to Cisco's cloud sandbox won't do anything because they don't have any extensions to run with a default program; it's browser AppData.

The files are in proprietary formats specific to the browser and require forensics tools to parse. Even then these generic signature names don't tell us what it is about the file that is triggering the alert.

Does anyone have a reasonable way to do root cause analysis without going to Cisco TAC?

Is there a way to see the logic behind these signatures? Or do we know how they work at a higher level: are they looking at strings or binary patterns?

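One first-pass triage step an analyst can run locally on a flagged cache file, before escalating to TAC, is to treat it as an opaque blob and pull out what is recoverable regardless of the browser's container format: the file hash, any plain-text URL keys, and any gzip-compressed HTTP body embedded in it (cached responses are often stored still compressed, so string-based signatures may be matching the decompressed content rather than the raw file). The script below is an added example, not code from the original post or from Cisco; it assumes nothing about the specific browser format, and the sample cache entry it builds is constructed for illustration. The indicator list is a small set of generic script-obfuscation markers used only as analyst leads, not as a verdict.

```python
"""Added triage helper for browser cache files that trip generic AV signatures.

Assumption (not from the original post): the cache file is an opaque binary
blob that may contain a plain-text URL key and one or more gzip-compressed
HTTP bodies; no browser-specific header layout is parsed.
"""
import gzip
import hashlib
import re
import zlib

URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{8,}")
GZIP_MAGIC = b"\x1f\x8b\x08"

# Generic markers often seen in obfuscated or injected script. A hit is a lead
# for the analyst to look at, not a malicious verdict.
JS_INDICATORS = [b"eval(", b"unescape(", b"document.write(", b"fromCharCode", b"atob("]


def extract_gzip_members(data):
    """Return the decompressed body of every gzip stream found inside data."""
    bodies = []
    pos = data.find(GZIP_MAGIC)
    while pos != -1:
        # 16 + MAX_WBITS tells zlib to expect a gzip header.
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)
        try:
            out = d.decompress(data[pos:])
        except zlib.error:
            # False-positive magic bytes: step past them and keep scanning.
            pos = data.find(GZIP_MAGIC, pos + 1)
            continue
        if out:
            bodies.append(out)
            # Resume the search after the bytes this stream actually consumed.
            consumed = len(data[pos:]) - len(d.unused_data)
            pos = data.find(GZIP_MAGIC, pos + max(consumed, 1))
        else:
            pos = data.find(GZIP_MAGIC, pos + 1)
    return bodies


def triage_cache_file(data):
    """Summarise what can be recovered from a cache file without a format parser."""
    sha = hashlib.sha256(data).hexdigest()
    urls = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(data)})
    bodies = extract_gzip_members(data)
    # Scan both the raw file and every decompressed body for the markers.
    scan_targets = [data] + bodies
    hits = {}
    for ind in JS_INDICATORS:
        count = sum(t.count(ind) for t in scan_targets)
        if count:
            hits[ind.decode()] = count
    strings = [s.decode("ascii") for s in PRINTABLE_RE.findall(data)]
    return {
        "sha256": sha,
        "urls": urls,
        "gzip_bodies": len(bodies),
        "indicator_hits": hits,
        "strings": strings,
    }


def build_sample_entry():
    """Construct a fake cache entry: opaque header, URL key, gzip'd JS body."""
    header = b"\x00\x01\x02\x03CACHEHDR\xff\xfe"          # constructed, not a real format
    key = b"https://cdn.example.test/app.js\x00"           # constructed URL key
    js = b"var s=document.createElement('script');eval(unescape('%61'));"
    return header + key + b"\x00" * 8 + gzip.compress(js) + b"\x00\x00"


if __name__ == "__main__":
    report = triage_cache_file(build_sample_entry())
    for field, value in report.items():
        print(f"{field}: {value}")
```

Run it against a real flagged file with `triage_cache_file(open(path, "rb").read())`; the URL key tells you which site delivered the content, the hash lets you correlate across endpoints even when VirusTotal has never seen the file, and the decompressed body is what you would submit to a sandbox or inspect by hand when the raw file has no usable extension.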