
Secure Endpoint flagged Newtonsoft.Json.dll as malicious

mski7861
Level 1

This morning I started seeing retrospective quarantine failures for Newtonsoft.Json.dll.  I see conflicting results when searching for this .dll.  The SHA is SHA256: c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
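Added example, not from the thread or from Cisco: a triage script an endpoint admin could run to find every copy of Newtonsoft.Json.dll on a host, hash it, and see which copies match the SHA-256 quoted above, together with their Authenticode signature status. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session (the WindowsApps folder is not readable otherwise); the search roots are illustrative.

```powershell
# Added example (not from the thread): locate every Newtonsoft.Json.dll, hash it,
# and compare against the SHA-256 reported as flagged in the original post.
# Assumption: run elevated; adjust $SearchRoots for your environment.
$FlaggedSha256 = 'c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e'
$SearchRoots   = @('C:\Program Files', 'C:\Program Files (x86)')

$results = foreach ($root in $SearchRoots) {
    # -ErrorAction SilentlyContinue skips directories the session cannot read
    Get-ChildItem -Path $root -Filter 'Newtonsoft.Json.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path           = $_.FullName
            Sha256         = $hash
            MatchesFlagged = ($hash -eq $FlaggedSha256)
            Signature      = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            FileVersion    = $_.VersionInfo.FileVersion
        }
    }
}

# Matching copies first: these are the ones the retrospective quarantine would have acted on.
$results | Sort-Object MatchesFlagged -Descending | Format-Table -AutoSize
```

A matching copy carrying a Valid signature from the publisher you expect supports the benign verdict and gives you something concrete to attach to a Talos ticket; a matching copy that reports NotSigned or HashMismatch deserves a closer look before it is restored from quarantine.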



Me too.
Opened a Talos ticket, not the first so mine was auto-resolved. This isn't the first time they've flagged this file...

Same issue. First time popping up for us this morning.

C:\Program Files\WindowsApps\Microsoft.6365217CE6EB4_102.2302.13003.0_x64__8wekyb3d8bbwe\MicrosoftSecurityApp\Newtonsoft.Json.dll

nacryer
Level 1

We have this alert going off as well. Seeing this as an optional process for Autodesk, Snagit, and Visual Studio depending on user downloads/packages. Eager to hear Talos's response.

pmedinac
Cisco Employee

Hello.

We have investigated this SHA-256 (c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e) and found that it is a benign file, so it should now be allowed in your environment.

Since the file verdict was changed, the endpoints need some time to receive the latest definitions; this may take up to 2 hours depending on the policy configuration. Another option is to update the policy and definitions manually from the Secure Endpoint UI.

--

Pedro M.

joljol
Level 1

I'm still a Secure Endpoint newbie. We had the same alerts on a number of machines, and currently they are still showing in my inbox on the Secure Endpoint Dashboard under "Requires Attention". Are they supposed to get resolved automatically now that the file verdict was changed?

I know I can just manually resolve them, but I would like to know whether or not they are supposed to disappear automatically.

Hi,


No, it will not be removed from the Inbox. Think of the Inbox as your "unopened / unanswered mail" in Outlook: something that needs your attention and your manual interaction. Inbox events are also directly related to the "Heat Map" on your Dashboard and the percentage number under "Compromised". What you need to do is navigate to the Inbox, select all events that you don't want to deal with or have already reviewed, and click on MARK RESOLVED. Those events will then be cleared out from the Heat Map and the Compromised %.

Please note that you can still find these events under the "Events" tab for history purposes. Also note that all events are automatically removed and cleared once they are more than 30 days old.