07-01-2022 08:32 AM
AMP has been generating a Cloud IOC alert for the following command line:
C:\WINDOWS\System32\sdbinst.exe -m -bg |
I can't find anything for these arguments "-m -bg".
Has anyone come across this or know what it means?
07-01-2022 09:38 AM
I've been seeing it myself on my own PC after upgrading to Windows 11. I tried and failed to exclude it from my policy in the Secure Endpoint console. Windows Defender and VirusTotal report the file is fine.
I will open a ticket on it eventually but haven't had the time to engage TAC.
07-06-2022 01:12 AM - edited 07-06-2022 01:14 AM
Hello @JuliaMora15110 ,
to get any community help in such a case we need more information, more details. There are millions of different command line arguments, and millions of relations to other observables, which finally may generate an event of CloudIOC. I did a short test in my LAB.
So finally, you may take a closer look at the endpoint if you figure out any other activity.
Greetings,
Thorsten
07-06-2022 10:11 AM
@Troja007 can you tell us how to exclude this file from generating Cloud IOC events? I've scanned it with different tools and it comes up clean in every case. I tried whitelisting the file hash in my policy but that had no effect.
07-06-2022 11:24 AM
07-07-2022 12:27 AM - edited 07-07-2022 12:29 AM
Hello all,
as @Ken Stieers already mentioned, what you can do today
In addition, we are already working on a new feature to enable customers defining their own CloudIOC exclusions. @JuliaMora15110 , you may get in contact with your Cisco representative for any official statement.
Greetings,
Thorsten
07-07-2022 07:15 AM
Thank you, I've opened a Cisco TAC case and provided the debugging logs. I just want to know if this has been seen before and if it's expected behavior for Windows 11. If so, I'm hoping that the Cloud IOC can be fine tuned.
07-12-2022 08:02 AM
I am now seeing this alert come from all computers that have been updated to the latest Windows 11 build 22621.105.
One of the alerts had an sdbinst.exe -mm parameter, but that also is undefined.
I can't find anything about this behavior online besides this thread, which is unfortunate. I have checked the machines throwing up these alerts for custom Shim DBs, but there weren't any in the regular folder locations.
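As an added triage script (not from this thread, Cisco, or Microsoft), the following PowerShell lists the shim databases registered on a host so an sdbinst.exe alert can be compared with what is actually installed. It assumes the documented AppCompatFlags registry keys (InstalledSDB, Custom) and the %SystemRoot%\AppPatch\Custom folder, and optionally Security event 4688 with command-line auditing enabled; it does not interpret the "-m -bg" arguments themselves.

```powershell
# Added triage script, not from the thread: enumerate shim databases registered on this host.
# InstalledSDB / Custom are the keys sdbinst writes on install; AppPatch\Custom holds the .sdb copies.
# Run in an elevated session so the Security log section can be read.
$installedSdbKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$customKey       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$customDir       = Join-Path $env:SystemRoot 'AppPatch\Custom'

Write-Host "== Registered shim databases (InstalledSDB) =="
if (Test-Path $installedSdbKey) {
    Get-ChildItem $installedSdbKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            InstallTime = $p.DatabaseInstallTimeStamp   # FILETIME stored as a QWORD
        }
    } | Format-Table -AutoSize
} else { Write-Host "(none)" }

Write-Host "== Per-executable custom shim mappings (Custom) =="
if (Test-Path $customKey) {
    Get-ChildItem $customKey | ForEach-Object {
        $exe = $_.PSChildName                            # subkey is the shimmed executable name
        (Get-Item $_.PSPath).Property | ForEach-Object { "$exe -> $_" }   # value names are the .sdb files
    }
} else { Write-Host "(none)" }

Write-Host "== .sdb files under $customDir =="
if (Test-Path $customDir) {
    Get-ChildItem $customDir -Recurse -Filter *.sdb -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                SHA256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash   # for comparison with the AMP event
            }
        } | Format-Table -AutoSize
} else { Write-Host "(folder absent)" }

Write-Host "== sdbinst.exe process creations in the last 7 days (Security 4688, needs command-line auditing) =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'sdbinst\.exe' } |
    ForEach-Object { '{0} {1}' -f $_.TimeCreated, (($_.Message -split "`n") | Where-Object { $_ -match 'Process Command Line' }) }
```

An empty InstalledSDB and Custom listing alongside recurring sdbinst.exe launches matches what the posts above describe; any custom entry that does appear is the thing to examine before silencing the event type.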
07-12-2022 10:39 AM
Is this a Lenovo computer? What are the make, model and Windows version of the machines you are seeing this on?
07-12-2022 10:52 AM
I see it consistently (every couple of days) on my HP Spectre x360 computer with Windows 11 Version 22H2, (OS Build 22621.169). It's fully patched and no other tool indicates this file is a problem. Silencing the alarm only silences that particular instance and it recurs eventually.
07-14-2022 07:08 AM
I see a few alerts every day, only on PCs with Windows 11 Version 22H2 (OS Build 22621.169), so I think we can confirm that it is due to the most recent Windows patches. I am checking other Win 11 PCs that haven't been patched fully and I don't even see SDBinst.exe running on these machines. I am able to silence the Compromise Event Type "W32.SdbinstShimming.ioc" and then they all are hidden; I just haven't had to silence an event type before and would much prefer figuring out what is causing these.
07-14-2022 07:46 AM
08-03-2022 12:54 PM
Hi all,
I received a reply from Cisco TAC regarding this detection - a fix has been applied to the backend and should no longer display as a Cloud IOC.
Thank you so much for confirming this was due to Windows 11 update!
08-04-2022 06:29 AM
Thank you, Julia. I can confirm the alerts have stopped.