Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
834
Views
1
Helpful
3
Replies

Need help with 2 alerts

FrankyB2
Level 1
Level 1

‎04-13-2023 12:13 PM

Hello everyone, 1st post here, we have been receiving a lot of alerts regarding firefox, see #2. Also I would like to know if #1 is a false positive,

 

Thanks for your help

 

Secure Endpoint found a total of 1 events matching your subscription named Indications_of_compromised since 2023-04-13 13:25:47 UTC.

  1.  
    • Event Type: Cloud IOC
    • Computer: ld*e-laptop.*
    • Hostname: ld*e-laptop.*
    • IP: 
    • Detection: W32.082827C4A5.RET.SBX.TG
    • File: MicrosoftEdge_X64_112.0.1722.39_112.0.1722.34.exe
    • File path: file:///C%3A/Program%20Files%20%28x86%29/Microsoft/EdgeUpdate/Install/%7B411AF51C-D039-427C-8592-B0095C3613BF%7D/MicrosoftEdge_X64_112.0.1722.39_112.0.1722.34.exe
    • Detection SHA-256: 082827c4a5582f887901c4cce83a1aa9b8a4eb23835a434fc104bba745172a85
    • Application SHA-256: 9991ba022173f283ee99068b708f60ac5143fe0c81c9e3673cc7835b108a4f44
    • Severity: High
    • Timestamp: 2023-04-13 13:21:45 +0000 UTC

 

2. 

  • Event Type: Exploit Prevention
  • Computer: WKS-
  • Hostname: WKS-
  • IP: 
  • User: 
  • File: firefox.exe
  • File path: C:\Program Files\Mozilla Firefox\firefox.exe
  • Detection SHA-256: 5b2abf9947a12ff9cc3765e48d875d97752193fcbc5e2b89fdb3e138c3232568
  • By Application: firefox.exe
  • Application SHA-256: 5b2abf9947a12ff9cc3765e48d875d97752193fcbc5e2b89fdb3e138c3232568
  • Timestamp: 2023-04-06 21:17:06 +0000 UTC
Labels:
0 Helpful
3 Replies 3

Ken Stieers
VIP
VIP

‎04-13-2023 12:20 PM

For sure the first one is a false positive, see other posts in the community from today.
Should already be fixed in the backend.. now just waiting for it to propagate.

FrankyB2
Level 1
Level 1

‎04-13-2023 01:37 PM

Thanks, anyone know anything about the firefox detection? All our end points flagged firefox and it's currently blocked by AMP.

0 Helpful

pmedinac
Cisco Employee
Cisco Employee

‎04-13-2023 01:50 PM

The Firefox SHA-256 (5b2abf9947a12ff9cc3765e48d875d97752193fcbc5e2b89fdb3e138c3232568) is not related to the FP event from today.

Although this is an Exploit Prevention event, it is probably being generated because a 3rd party acting with Firefox and generating an unexpected behavior.

I suggest opening a TAC case to properly investigate. Our Cisco TAC team is ready to assist with the investigation.

--

Pedro M.

0 Helpful
Top