
Suspicious smss.exe Parent Process

We are getting hundreds of these threat detections this morning in our environment. These are all considered "low" and the smss.exe file is clean (SHA-256: 56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3)

Seems to be triggered at logon. Anyone else seeing these? Suspect a false positive. All scans have come back clean.

23 Replies

Some of our clients just started to update to 11044. We are still getting a bunch of these smss.exe detections but all of them are on clients still running 11011. Hopefully by tomorrow morning these will cease as the clients get the new definition update (11044). Thanks

Hey Roman,

Per your update confirming that they released a new BP update to resolve the remaining signatures that were causing FPs: will this mean I can resolve the ones I have now?

You mean resolve them in your Inbox? If so, then YES.

Roman Valenta
Cisco Employee

So it is now confirmed as well. We just got another update that they released a BP update late last night to resolve the remaining signatures that were still causing FPs for some of our customers.

Bbailey2
Level 1

Here's my output @Roman Valenta

C:\Program Files\Cisco\AMP\8.2.1.21612>ampcli posture
{
  "connected": true,
  "connector_version": "8.2.1",
  "engines": [
    {"definitions": [{"last_successful_update": 1694717002, "name": "Tetra", "timestamp": 1694698347, "version": 91242}], "enabled": true, "name": "Tetra"},
    {"enabled": true, "name": "Spero"},
    {"enabled": true, "name": "Ethos"},
    {"definitions": [{"name": "BP", "timestamp": 1694720952, "version": 11044}], "enabled": true, "name": "BP"},
    {"definitions": [{"name": "SCS", "timestamp": 1694720935, "version": 11044}], "enabled": true, "name": "SCS"}
  ],
  "last_scan": 1692637158,
  "last_scan_status": true,
  "protect_file_mode": true,
  "protect_process_mode": true,
  "running": true
}

Roman Valenta
Cisco Employee

If anyone is still getting these alerts and is on the 11044 BP release, please open a TAC case and provide your AMP EDR business GUID from the Cloud console.

Dan Jensen
Level 1

We are still getting FPs from many of our endpoints. Is there any way to check the BP release number remotely without having to go to the command line of the machine itself?

Roman Valenta
Cisco Employee

Kind of, yes. It will be in Events; you just need to pick the event type as shown in this picture. Since in my environment I have no failures, I picked both, including the successes, just to give you an idea. In your case I would first search for Update Failure and see if the endpoints that still report show up on the list.

Screenshot_2876.png
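The posture output posted above and the question about checking BP versions remotely both come down to the same check: read each endpoint's BP definition version, compare it with the release the thread says fixed the signatures (11044), and separate endpoints that are still stale from ones that are on the fixed release but still alerting (the case Roman says warrants a TAC case). The script below is an added example, not code from the thread or from Cisco; it assumes you have already collected the raw `ampcli posture` output per host (for example through whatever remote-execution tool you already use) and that 11044 is the threshold. The sample inputs are constructed: host-a is the paste from the thread, kept without its leading brace exactly as it appeared, and host-b and host-c are made up to exercise a stale endpoint and one with no BP data.

```python
import json
from datetime import datetime, timezone

# BP definition version that the thread reports as carrying the corrected
# signatures. Assumption taken from the posts above, not from any Cisco document.
FIXED_BP_VERSION = 11044

# Constructed sample inputs. host-a is the posture output quoted in the thread
# (without its leading brace, as pasted); host-b and host-c are invented.
SAMPLE_POSTURES = {
    "host-a": (
        '"connected":true,"connector_version":"8.2.1","engines":['
        '{"definitions":[{"last_successful_update":1694717002,"name":"Tetra",'
        '"timestamp":1694698347,"version":91242}],"enabled":true,"name":"Tetra"},'
        '{"enabled":true,"name":"Spero"},{"enabled":true,"name":"Ethos"},'
        '{"definitions":[{"name":"BP","timestamp":1694720952,"version":11044}],'
        '"enabled":true,"name":"BP"},'
        '{"definitions":[{"name":"SCS","timestamp":1694720935,"version":11044}],'
        '"enabled":true,"name":"SCS"}],"last_scan":1692637158,"last_scan_status":true,'
        '"protect_file_mode":true,"protect_process_mode":true,"running":true}'
    ),
    "host-b": (
        '{"connected":true,"connector_version":"8.2.1","engines":['
        '{"definitions":[{"name":"BP","timestamp":1694600000,"version":11011}],'
        '"enabled":true,"name":"BP"}],"running":true}'
    ),
    "host-c": (
        '{"connected":false,"connector_version":"8.2.1","engines":['
        '{"enabled":true,"name":"Spero"}],"running":false}'
    ),
}


def parse_posture(text):
    """Parse `ampcli posture` output; tolerate a dropped leading brace as in the paste."""
    text = text.strip()
    if not text.startswith("{"):
        text = "{" + text
    return json.loads(text)


def engine_definition(posture, engine_name):
    """Return (version, timestamp) of an enabled engine's definitions, else (None, None)."""
    for engine in posture.get("engines", []):
        if engine.get("name") != engine_name or not engine.get("enabled", False):
            continue
        for definition in engine.get("definitions", []):
            if definition.get("name") == engine_name:
                return definition.get("version"), definition.get("timestamp")
    return None, None


def classify_bp(posture, fixed_version=FIXED_BP_VERSION):
    """'fixed' at or after the corrected release, 'stale' before it, 'unknown' without BP data."""
    version, _ = engine_definition(posture, "BP")
    if version is None:
        return "unknown"
    return "fixed" if version >= fixed_version else "stale"


def alert_needs_tac(posture, alert_epoch, fixed_version=FIXED_BP_VERSION):
    """True when an alert fired after the endpoint already had the fixed BP definitions.

    Alerts from before the definition update, or from a still-stale endpoint,
    are the expected false positives and need no case.
    """
    version, bp_timestamp = engine_definition(posture, "BP")
    if version is None or version < fixed_version:
        return False
    return alert_epoch > bp_timestamp


def triage(postures, fixed_version=FIXED_BP_VERSION):
    """Map each host to its BP classification."""
    return {host: classify_bp(parse_posture(raw), fixed_version)
            for host, raw in postures.items()}


def report(postures, fixed_version=FIXED_BP_VERSION):
    """One line per host: BP version, definition time in UTC, classification."""
    lines = []
    for host, raw in postures.items():
        posture = parse_posture(raw)
        version, ts = engine_definition(posture, "BP")
        when = (datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
                if ts is not None else "n/a")
        lines.append(f"{host}: BP {version} @ {when} -> {classify_bp(posture, fixed_version)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_POSTURES)))
```

Hosts that come back "stale" are the ones to look for under Update Failure in Events; hosts that come back "fixed" but for which `alert_needs_tac` is true for a recent alert are the ones the Cisco reply above says to raise with TAC.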

Hello everyone,

I wanted to inform you that I've come across a threat detection related to the file smss.exe and its SHA-256 value (fe5ae6addf86f4005ca4b19a610d62a437f1c616867b7e52d5374de4f3d2be25). It's worth noting that, upon review, the file has been confirmed as clean, and my software is currently running version 8.2.1.21612.

In my most recent scan, no threats were found, and the alert associated with this detection is categorized as low. I was wondering if any of you have also experienced similar issues after recent updates.

I appreciate any information or experiences you can share regarding this matter. Thank you.