Suspicious smss.exe Parent Process

We are getting hundreds of these threat detections this morning in our environment. These are all considered "low" and the smss.exe file is clean (SHA-256: 56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3)

Seems to be triggered at logon. Anyone else seeing these? Suspect a false positive. All scans have come back clean.

GJ.NoscoICT
Level 1

Same here. Triaged the workstations and didn't find anything suspicious.

Roman Valenta
Cisco Employee

We are currently looking into this issue internally and investigating the event, as it seems to be an FP event triggered by Behavioral Protection.
Would I need to continuously check on this post in order to look for a solution? Also getting dozens of these alerts as of this morning.
Roman Valenta
Cisco Employee

Can you guys please confirm the connector version on which you are receiving this alert?
8.2.1.21612 is the version for all those connectors. We have about 60 alerts for this incident.

Hey Roman,
Seeing it on 8.2.1.21612,
SMSS and wininit.exe are both throwing it.

Ken


For my organization, this began once I approved Endpoint Security Client ver 8.2.1.21612 2 days ago.

RHauke
Level 1

Started seeing this shortly after upgrading to 8.2.1.21612.

Roman Valenta
Cisco Employee

Thanks, that's what I thought; just wanted to be sure. Based on the response in our internal ticket, at this time we believe this is only affecting AMP Version: 8.2.1.21612. The likely reason appears to be a BP build issue, which we are working to resolve as soon as possible. I will keep you guys updated once anything new comes up.
Thank you, Roman. Would it be okay to resolve the alerts? Or should we keep them open until your team says we are good? I appreciate it.

We are currently on version 8.1.7.21585 and we are also getting some of these.

Hi Roman,
Do you have an update on the progress?

Br

Thomas

Roman Valenta
Cisco Employee

I looked up the escalation ticket, and as of this morning the team that is working on this reported that they are still working in the back end to sort out this issue. As of right now this would most likely be mitigated with a new BP signature update.

As more cases arrived we got some data to provide them, including some artifacts as well, so hopefully the resolution will be soon. I will let you guys know once I know a little bit more than this.

As for 8.1.7.21585, we did get a couple of cases regarding this release as well, and since this is related to the newer BP signature update it's expected.

Thank you guys for your patience; we are staying on top of this and trying to resolve this matter as soon as we can.
Roman Valenta
Cisco Employee

Hey guys, I just checked my home PC with 8.2.x installed and I noticed my last event was on 9/12; since then there have been 3 BP signature updates and no more events. The latest one has serial # 11044. If anyone is still receiving these alerts, can you please check your BP definition on the machine that still reports this issue?

You can do that via the CMD line: just navigate to the AMP directory and run: ampcli posture
C:\WINDOWS\system32>cd C:\Program Files\Cisco\AMP\8.2.1.21612

C:\Program Files\Cisco\AMP\8.2.1.21612>ampcli posture
{"agent_uuid":"cxxxxxe-4294-8xx5-f306xxxxxxea9","connected":true,"connector_version":"8.2.1","engines":[{"definitions":[{"last_successful_update":1694717388,"name":"Tetra","timestamp":1694698347,"version":91242}],"enabled":true,"name":"Tetra"},{"enabled":true,"name":"Spero"},{"enabled":true,"name":"Ethos"},{"definitions":[{"name":"BP","timestamp":1694717956,"version":11044}],"enabled":true,"name":"BP"},{"definitions":[{"name":"SCS","timestamp":1694717910,"version":11044}],"enabled":true,"name":"SCS"}],"last_scan":1694703038,"last_scan_status":true,"protect_file_mode":true,"protect_process_mode":true,"running":true}
C:\Program Files\Cisco\AMP\8.2.1.21612>
Then look for the line:

"name":"BP","timestamp":1694717956,"version":11044 << ------------------

Nobody has yet responded to our escalation ticket, but I guess it's due to the different time zone that these guys work in, based on the time they usually respond back.
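An added example, not part of the thread and not Cisco's own tooling: a small Python checker that takes the `ampcli posture` JSON (the output quoted above is embedded here as constructed sample input, with the agent UUID masked exactly as posted), pulls out the BP definition serial and its update time, and reports whether the host is at or above serial 11044, the serial Roman observed no longer raising the alert. The 11044 threshold and the `needs_followup` rule are assumptions drawn from this thread, not a vendor-published fix version, so adjust `MIN_BP_VERSION` once official guidance exists.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample: the `ampcli posture` JSON quoted earlier in this thread
# (agent_uuid masked exactly as it was posted).
SAMPLE_POSTURE = (
    '{"agent_uuid":"cxxxxxe-4294-8xx5-f306xxxxxxea9","connected":true,'
    '"connector_version":"8.2.1","engines":[{"definitions":[{"last_successful_update":1694717388,'
    '"name":"Tetra","timestamp":1694698347,"version":91242}],"enabled":true,"name":"Tetra"},'
    '{"enabled":true,"name":"Spero"},{"enabled":true,"name":"Ethos"},'
    '{"definitions":[{"name":"BP","timestamp":1694717956,"version":11044}],"enabled":true,"name":"BP"},'
    '{"definitions":[{"name":"SCS","timestamp":1694717910,"version":11044}],"enabled":true,"name":"SCS"}],'
    '"last_scan":1694703038,"last_scan_status":true,"protect_file_mode":true,'
    '"protect_process_mode":true,"running":true}'
)

# Assumed threshold: the BP serial reported in this thread as no longer producing the alert.
# This is a thread observation, not a vendor-published fix version.
MIN_BP_VERSION = 11044


def _utc(ts):
    """Render a Unix epoch from the posture output as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def engine_definition(posture, engine_name):
    """Return (enabled, version, timestamp) for the named engine; (False, None, None) if absent."""
    for engine in posture.get("engines", []):
        if engine.get("name") != engine_name:
            continue
        enabled = bool(engine.get("enabled"))
        for definition in engine.get("definitions", []):
            if definition.get("name") == engine_name:
                return enabled, definition.get("version"), definition.get("timestamp")
        return enabled, None, None  # engine present but publishes no definition set (e.g. Spero)
    return False, None, None


def triage(raw_posture, min_bp_version=MIN_BP_VERSION):
    """Summarise the fields a responder wants when checking a host that still raises this alert."""
    posture = json.loads(raw_posture)
    enabled, version, ts = engine_definition(posture, "BP")
    current = enabled and version is not None and version >= min_bp_version
    connected = bool(posture.get("connected"))
    running = bool(posture.get("running"))
    return {
        "connector_version": posture.get("connector_version"),
        "connected": connected,
        "running": running,
        "bp_enabled": enabled,
        "bp_version": version,
        "bp_updated": _utc(ts) if ts is not None else None,
        "bp_current": current,
        # Worth a ticket if BP is stale or disabled, or the connector is offline and cannot update.
        "needs_followup": (not current) or (not connected) or (not running),
    }


def with_bp_version(raw_posture, version):
    """Constructed variant of a posture document with a different BP serial, for exercising the check."""
    posture = json.loads(raw_posture)
    for engine in posture.get("engines", []):
        if engine.get("name") == "BP":
            for definition in engine.get("definitions", []):
                if definition.get("name") == "BP":
                    definition["version"] = version
    return json.dumps(posture)


if __name__ == "__main__":
    # Pipe real output in (e.g. `ampcli posture | python check_bp.py`); otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    for key, value in triage(raw or SAMPLE_POSTURE).items():
        print(f"{key:18} {value}")
```

The posture JSON only carries the short connector version ("8.2.1"), not the full build "8.2.1.21612", so the build has to be taken from the install path or the console; the checker therefore keys on the BP serial, which is what the thread asks readers to verify.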