System Restore Disabled via Registry

Frank Roche · ‎02-27-2024

I have 77 occurences of this this morning in AMP. Yet when I go into these systems and review the registry, it has not been changed. We don't even use system restore. Could this be a false positive?

Ken Stieers · ‎02-27-2024

This is a false positive.
In your console, in the upper left there's a bell... Click on the bell, you'll see the announcement to that effect.

________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

Frank Roche · ‎02-27-2024

Thanks!

mski7861 · ‎02-27-2024

I'm all about security, however it seems like false positives are happening more often lately. What's worse is we have automated isolation actions configured and when a false positive triggers, it makes for a bad day.

Roman Valenta · ‎02-27-2024

Please check this post for more details...

https://community.cisco.com/t5/endpoint-security/tinyturlav2-service-created-false-positive-detection/td-p/5024861/page/2

But ultimately we got hit with two False Positive events , see bellow..

First Seen: 2024-02-26 17:33:47
TinyTurlaV2-ServiceCreated

BP Signature 13381 fixes TinyTurlaV2-ServiceCreated issue

First Seen: 2024-02-26 09:28:00
System-Restore

BP Signature 13380 fixes the System-Restore issue