09-12-2023 07:47 AM
We are getting hundreds of these threat detections this morning in our environment. These are all considered "low" and the smss.exe file is clean (SHA-256: 56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3)
Seems to be triggered at logon. Anyone else seeing these? Suspect a false positive. All scans have come back clean.
09-14-2023 12:42 PM
Some of our clients just started to update to 11044. We are still getting a bunch of these smss.exe detections but all of them are on clients still running 11011. Hopefully by tomorrow morning these will cease as the clients get the new definition update (11044). Thanks
09-14-2023 12:54 PM
Hey Roman,
Per your update confirming that they did release a new BP update to resolve the remaining signatures that were causing FPs. Will this mean I can resolve the ones I have now?
09-15-2023 05:04 AM
You mean resolve them in your Inbox? If so, then YES.
09-14-2023 12:49 PM
So it is now confirmed as well. We just got another update that they did release a BP update late last night to resolve the remaining signatures that were still causing FPs for some of our customers.
09-14-2023 01:19 PM - edited 09-14-2023 01:20 PM
Here's my output @Roman Valenta
C:\Program Files\Cisco\AMP\8.2.1.21612>ampcli posture
{"connected":true,"connector_version":"8.2.1","engines":[{"definitions":[{"last_successful_update":1694717002,"name":"Tetra","timestamp":1694698347,"version":91242}],"enabled":true,"name":"Tetra"},{"enabled":true,"name":"Spero"},{"enabled":true,"name":"Ethos"},{"definitions":[{"name":"BP","timestamp":1694720952,"version":11044}],"enabled":true,"name":"BP"},{"definitions":[{"name":"SCS","timestamp":1694720935,"version":11044}],"enabled":true,"name":"SCS"}],"last_scan":1692637158,"last_scan_status":true,"protect_file_mode":true,"protect_process_mode":true,"running":true}
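An added example, not from the original post or from Cisco's own tooling: it parses the `ampcli posture` JSON shown above and reports whether the BP definitions are at or beyond the 11044 release the thread identifies as the fix. The `classify` helper and the fix threshold are my own assumptions drawn from this thread, and the parser tolerates the leading brace that is missing from the pasted output.

```python
import json

# Sample input pasted from the thread's `ampcli posture` output; the leading
# "{" was lost in the paste, which parse_posture() compensates for.
SAMPLE_POSTURE = (
    '"connected":true,"connector_version":"8.2.1","engines":[{"definitions":'
    '[{"last_successful_update":1694717002,"name":"Tetra","timestamp":1694698347,'
    '"version":91242}],"enabled":true,"name":"Tetra"},{"enabled":true,"name":"Spero"},'
    '{"enabled":true,"name":"Ethos"},{"definitions":[{"name":"BP","timestamp":1694720952,'
    '"version":11044}],"enabled":true,"name":"BP"},{"definitions":[{"name":"SCS",'
    '"timestamp":1694720935,"version":11044}],"enabled":true,"name":"SCS"}],'
    '"last_scan":1692637158,"last_scan_status":true,"protect_file_mode":true,'
    '"protect_process_mode":true,"running":true}'
)

# BP release that resolved the smss.exe false positives, per the thread (assumption).
FIXED_BP_VERSION = 11044


def parse_posture(text):
    """Parse `ampcli posture` output; tolerate an opening brace dropped by a paste."""
    text = text.strip()
    if not text.startswith("{"):
        text = "{" + text
    return json.loads(text)


def definition_version(posture, engine_name):
    """Return the definition version for the named engine, or None if absent."""
    for engine in posture.get("engines", []):
        if engine.get("name") != engine_name:
            continue
        for definition in engine.get("definitions", []):
            if definition.get("name") == engine_name:
                return definition.get("version")
    return None


def classify(posture, fixed=FIXED_BP_VERSION):
    """'fixed' if BP is at/above the fixed release, 'stale' if older, 'unknown' if absent."""
    version = definition_version(posture, "BP")
    if version is None:
        return "unknown"
    return "fixed" if version >= fixed else "stale"


if __name__ == "__main__":
    posture = parse_posture(SAMPLE_POSTURE)
    print("BP version:", definition_version(posture, "BP"), "->", classify(posture))
```

An endpoint classified as "stale" is one still on the pre-fix signatures; one that is "fixed" yet still alerting is the case the thread says warrants a TAC case.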
09-15-2023 05:04 AM
If anyone is still getting these alerts and is on the 11044 BP release, please open a TAC case and provide your AMP EDR business GUID from the Cloud console.
09-18-2023 02:51 PM
We are still getting FPs from many of our Endpoints. Is there any way to check the BP release # remotely without having to go to the command line of the machine itself?
09-19-2023 11:32 AM
Kind of, yes. It will be in Events and you just need to pick the event type as shown in this picture. Since in my environment I have no failures, I picked both, including the successes, just to give you an idea. In your case I would just search first for Update Failure and see if the endpoints that still report show up on the list.
10-11-2023 01:24 PM - edited 10-11-2023 01:26 PM
Hello everyone,
I wanted to inform you that I've come across a threat detection related to the file smss.exe and its SHA-256 value (fe5ae6addf86f4005ca4b19a610d62a437f1c616867b7e52d5374de4f3d2be25). It's worth noting that, upon review, the file has been confirmed as clean, and my software is currently running the version 8.2.1.21612.
In my most recent scan, no threats were found, and the alert associated with this detection is categorized as low. I was wondering if any of you have also experienced similar issues after recent updates.
I appreciate any information or experiences you can share regarding this matter. Thank you.