Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6164
Views
19
Helpful
23
Replies

Suspicious smss.exe Parent Process

jeremy.peace-hall
Level 1
Level 1

‎09-12-2023 07:47 AM

We are getting hundreds of these threat detections this morning in our environment. These are all considered "low" and the smss.exe file is clean (SHA-256: 56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3)

Seems to be triggered at logon. Anyone else seeing these? Suspect a false positive. All scans have come back clean

17 people had this problem
Labels:
23 Replies 23

GJ.NoscoICT
Level 1
Level 1

‎09-12-2023 09:21 AM

Same here. Triaged the workstations and didn't find anything suspicious.

Roman Valenta
Cisco Employee
Cisco Employee

‎09-12-2023 10:30 AM

We are currently looking in to this issue internally and investigating the event as it seems to be FP event triggered by Behavioral Protection.

 

 

noahigros
Level 1
Level 1
In response to Roman Valenta

‎09-12-2023 11:14 AM

Would i need to continuously check on this post in order to look for a solution? Also getting dozens of these alerts as of this morning.

 

0 Helpful

Roman Valenta
Cisco Employee
Cisco Employee

‎09-12-2023 12:57 PM

Can you guys please confirm the connector version on which you receiving this alert?

 

0 Helpful

noahigros
Level 1
Level 1
In response to Roman Valenta

‎09-12-2023 01:00 PM

8.2.1.21612 is the version for all those connectors. We have about 60 alerts for this incident.

0 Helpful

Ken Stieers
VIP
VIP
In response to Roman Valenta

‎09-12-2023 01:01 PM

Hey Roman,
Seeing it on 8.2.1.21612,
SMSS and wininit.exe are both throwing it.

Ken


jkoch2
Level 1
Level 1
In response to Roman Valenta

‎09-14-2023 07:58 AM

For my organization, this began once I approved Endpoint Security Client ver 8.2.1.21612 2 days ago. 

0 Helpful

RHauke
Level 1
Level 1

‎09-12-2023 01:00 PM

Started seeing this shortly after upgrading to 8.2.1.21612.

 

0 Helpful

Roman Valenta
Cisco Employee
Cisco Employee

‎09-12-2023 01:12 PM

Thanks that's what I thought just wanted to be sure. Based on the response in our internal ticket at this time we believe this is only affecting AMP Version: 8.2.1.21612. The likely reason appears to be a BP build issue which we are working to resolve as soon as possible. I will  keep you guys updated once anything new comes up.

 

noahigros
Level 1
Level 1
In response to Roman Valenta

‎09-12-2023 01:15 PM

thank you, Roman. Would it be okay to resolve the alerts? or should we keep them open until your team says we are good? I appreciate it.

0 Helpful

thomasleite
Level 1
Level 1
In response to Roman Valenta

‎09-12-2023 11:16 PM

We are currently on version 8.1.7.21585 and we are also getting some of these.

0 Helpful

tbrobech
Level 1
Level 1
In response to Roman Valenta

‎09-14-2023 01:08 AM

HI Roman, 
Do you have an up date on the progress?

Br

THomas

0 Helpful

Roman Valenta
Cisco Employee
Cisco Employee

‎09-14-2023 06:14 AM - edited ‎09-14-2023 06:15 AM

I look up the escalation ticket and as of this morning the team that is working on this reported that they are still working in the back end to sort it out this issue. As of right now this would be most likely mitigated with new BP signature update.

As more cases arrived we got some data to provide them including some artifacts as well so hopefully the resolution will be soon. I will let you guys know once I know little bit more than this.

As far for 8.1.7.21585 we did got couple cases regarding this release as well and since this is related to newer BP signature update it's expected.

Thank you guys for your patience we are staying on top of this and trying to resolve this matter as soon as we can.

 

 

 

Roman Valenta
Cisco Employee
Cisco Employee

‎09-14-2023 12:32 PM - edited ‎09-14-2023 12:34 PM

Hey Guys I just checked my home PC with 8.2.x installed and I noticed my last event was on 9/12 since then there was 3 BP signature updates and no more events. The latest one has serial # 11044. If anyone still receiving these alerts can you please check your BP definition on the machine that still reports this issue?

You can do that via CMD line just navigate to the AMP directory and run : ampcli posture

 

 

C:\WINDOWS\system32>cd C:\Program Files\Cisco\AMP\8.2.1.21612

C:\Program Files\Cisco\AMP\8.2.1.21612>ampcli posture
{"agent_uuid":"cxxxxxe-4294-8xx5-f306xxxxxxea9","connected":true,"connector_version":"8.2.1","engines":[{"definitions":[{"last_successful_update":1694717388,"name":"Tetra","timestamp":1694698347,"version":91242}],"enabled":true,"name":"Tetra"},{"enabled":true,"name":"Spero"},{"enabled":true,"name":"Ethos"},{"definitions":[{"name":"BP","timestamp":1694717956,"version":11044}],"enabled":true,"name":"BP"},{"definitions":[{"name":"SCS","timestamp":1694717910,"version":11044}],"enabled":true,"name":"SCS"}],"last_scan":1694703038,"last_scan_status":true,"protect_file_mode":true,"protect_process_mode":true,"running":true}
C:\Program Files\Cisco\AMP\8.2.1.21612>

 

 

Then look for the line:

"name":"BP","timestamp":1694717956,"version":11044 << ------------------

Nobody yet responded to our escalation ticket but I guess its due to different time zone that these guys work in based on the time they usually respond back.

 

 

 

 

Customers Also Viewed These Support Documents