09-12-2023 07:47 AM
We are getting hundreds of these threat detections this morning in our environment. These are all considered "low" and the smss.exe file is clean (SHA-256: 56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3)
Seems to be triggered at logon. Anyone else seeing these? Suspect a false positive. All scans have come back clean.
09-12-2023 09:21 AM
Same here. Triaged the workstations and didn't find anything suspicious.
09-12-2023 10:30 AM
We are currently looking into this issue internally and investigating the event, as it seems to be an FP event triggered by Behavioral Protection.
09-12-2023 11:14 AM
Would I need to continuously check on this post in order to look for a solution? Also getting dozens of these alerts as of this morning.
09-12-2023 12:57 PM
Can you guys please confirm the connector version on which you are receiving this alert?
09-12-2023 01:00 PM
8.2.1.21612 is the version for all those connectors. We have about 60 alerts for this incident.
09-12-2023 01:01 PM
09-14-2023 07:58 AM
For my organization, this began once I approved Endpoint Security Client ver 8.2.1.21612 2 days ago.
09-12-2023 01:00 PM
Started seeing this shortly after upgrading to 8.2.1.21612.
09-12-2023 01:12 PM
Thanks, that's what I thought; just wanted to be sure. Based on the response in our internal ticket, at this time we believe this is only affecting AMP Version: 8.2.1.21612. The likely reason appears to be a BP build issue, which we are working to resolve as soon as possible. I will keep you guys updated once anything new comes up.
09-12-2023 01:15 PM
Thank you, Roman. Would it be okay to resolve the alerts, or should we keep them open until your team says we are good? I appreciate it.
09-12-2023 11:16 PM
We are currently on version 8.1.7.21585 and we are also getting some of these.
09-14-2023 01:08 AM
Hi Roman,
Do you have an update on the progress?
Br
Thomas
09-14-2023 06:14 AM - edited 09-14-2023 06:15 AM
I looked up the escalation ticket, and as of this morning the team that is working on this reported that they are still working in the back end to sort out this issue. As of right now this would most likely be mitigated with a new BP signature update.
As more cases arrived we got some data to provide them, including some artifacts as well, so hopefully the resolution will be soon. I will let you guys know once I know a little bit more than this.
As for 8.1.7.21585, we did get a couple of cases regarding this release as well, and since this is related to the newer BP signature update it's expected.
Thank you guys for your patience; we are staying on top of this and trying to resolve this matter as soon as we can.
09-14-2023 12:32 PM - edited 09-14-2023 12:34 PM
Hey guys, I just checked my home PC with 8.2.x installed and I noticed my last event was on 9/12; since then there have been 3 BP signature updates and no more events. The latest one has serial # 11044. If anyone is still receiving these alerts, can you please check the BP definition on the machine that still reports this issue?
You can do that via the CMD line: just navigate to the AMP directory and run: ampcli posture
C:\WINDOWS\system32>cd C:\Program Files\Cisco\AMP\8.2.1.21612
C:\Program Files\Cisco\AMP\8.2.1.21612>ampcli posture
{"agent_uuid":"cxxxxxe-4294-8xx5-f306xxxxxxea9","connected":true,"connector_version":"8.2.1","engines":[{"definitions":[{"last_successful_update":1694717388,"name":"Tetra","timestamp":1694698347,"version":91242}],"enabled":true,"name":"Tetra"},{"enabled":true,"name":"Spero"},{"enabled":true,"name":"Ethos"},{"definitions":[{"name":"BP","timestamp":1694717956,"version":11044}],"enabled":true,"name":"BP"},{"definitions":[{"name":"SCS","timestamp":1694717910,"version":11044}],"enabled":true,"name":"SCS"}],"last_scan":1694703038,"last_scan_status":true,"protect_file_mode":true,"protect_process_mode":true,"running":true}
C:\Program Files\Cisco\AMP\8.2.1.21612>
Then look for the line:
"name":"BP","timestamp":1694717956,"version":11044 << ------------------
Nobody has yet responded to our escalation ticket, but I guess it's due to the different time zone these guys work in, based on the time they usually respond back.
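Added example (my own code, not from the thread or from Cisco): a Python check that parses the ampcli posture JSON shown above and reports whether a host's BP definition is at or past serial 11044, so the check can be run across a fleet instead of eyeballing each machine. The sample input is constructed from the output quoted in the post, with the agent UUID masked as posted.

```python
import json
from datetime import datetime, timezone

# Constructed sample modelled on the ampcli posture output quoted in the thread
# (agent UUID masked as in the post).
SAMPLE_POSTURE = (
    '{"agent_uuid":"cxxxxxe-4294-8xx5-f306xxxxxxea9","connected":true,"connector_version":"8.2.1",'
    '"engines":[{"definitions":[{"last_successful_update":1694717388,"name":"Tetra",'
    '"timestamp":1694698347,"version":91242}],"enabled":true,"name":"Tetra"},'
    '{"enabled":true,"name":"Spero"},{"enabled":true,"name":"Ethos"},'
    '{"definitions":[{"name":"BP","timestamp":1694717956,"version":11044}],"enabled":true,"name":"BP"},'
    '{"definitions":[{"name":"SCS","timestamp":1694717910,"version":11044}],"enabled":true,"name":"SCS"}],'
    '"last_scan":1694703038,"last_scan_status":true,"protect_file_mode":true,'
    '"protect_process_mode":true,"running":true}'
)

# BP definition serial after which the poster saw no further events (from the thread).
FIXED_BP_VERSION = 11044


def bp_definition(posture):
    """Return the BP engine's definition record, or None if BP is absent or disabled."""
    for engine in posture.get("engines", []):
        if engine.get("name") != "BP":
            continue
        if not engine.get("enabled", False):
            return None
        for definition in engine.get("definitions", []):
            if definition.get("name") == "BP":
                return definition
    return None


def summarize(posture_json, minimum=FIXED_BP_VERSION):
    """Parse ampcli posture JSON; status is 'ok' (BP at/after minimum),
    'outdated' (older) or 'missing' (BP absent or disabled)."""
    posture = json.loads(posture_json)
    result = {"connector_version": posture.get("connector_version"),
              "bp_version": None, "bp_updated": None, "status": "missing"}
    definition = bp_definition(posture)
    if definition is None:
        return result
    version = int(definition["version"])
    updated = datetime.fromtimestamp(definition["timestamp"], tz=timezone.utc)
    result["bp_version"] = version
    result["bp_updated"] = updated.isoformat()  # definition push time, UTC
    result["status"] = "ok" if version >= minimum else "outdated"
    return result
```

Feed it the stdout of ampcli posture from each host; a status of outdated or missing marks a machine that still needs the newer BP signature set.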