TinyTurlaV2 Service Created - False positive detection

Leijonbo
Level 1

Today we are seeing a lot of threat detections for TinyTurlaV2 Service Created.

I just wonder if this has something to do with the false positive detections in Behavioral Protection that Cisco announced yesterday evening. It looks like these detections started at the same time, hence my question.

Also found this question on the same thing: TinyTurlaV2 Service : r/DefenderATP (reddit.com)

Accepted Solution

Roman Valenta
Cisco Employee

Looks like the whole queue finally got processed, as I see some BP updates in my own portal and the newest BP signature is 13411 as of right now, 8:40pm EST.

alexdeschrijver
Level 1

Did anyone get a response from Cisco themselves already?

Bunged
Level 1

We saw the same thing in our environment.
You beat me to it. This has to stop. 50% of our endpoints are highlighted.

That is also a false positive.

tashe
Level 1

Hello,

I just received confirmation from the Cisco TAC support team that TinyTurlaV2 is a false positive detection.

"Talos has already revoked the affected signature versions and the connectors should be updating with the corrected signature bundle."

ventaran
Level 1

Just got confirmation that this is a false positive as well.

joe5961
Level 1

We received notice from our Managed Service Provider, who is partnered with Cisco. They acknowledged receiving word from Cisco that these were false positives. Cisco is supposed to be releasing an updated signature to correct the issue. Not sure when that will be, but it has created a lot of alerts on our end. Nerve-wracking...

The fix for the System Restore reg key went out yesterday afternoon, per discussion in the Secure Endpoint Webex team.

Not sure if/when the TinyTurla fix went.

J Hefner
Level 1

Has anyone else been able to trace which apps are triggering these false positives? I was under the impression these were supposed to have been fixed 24 hours ago.

Roman Valenta
Cisco Employee

As long as your BP signature is updated you should no longer be receiving these false positive events. The fix was implemented yesterday, but if for some reason (PC offline) you are still on the old BP signature you will continue receiving these alerts until the signature is updated.

You can manually update through the command line: C:\Program Files\Cisco\AMP\Your-Connector-Version\sfc.exe -forceApdeUpdate

First Seen: 2024-02-26 17:33:47
TinyTurlaV2-ServiceCreated

BP Signature 13381 fixes TinyTurlaV2-ServiceCreated issue

First Seen: 2024-02-26 09:28:00
System-Restore

BP Signature 13380 fixes the System-Restore issue

Hope this helps.

According to our testing and other articles on the web, sfc.exe -forceApdeUpdate updates only the Tetra engine. The BP engine signature set stayed the same.

hanculak
Level 1

It seems that the affected Behavioral Protection signature set is version 13357. As soon as the signature set is updated to this version, the events start coming. Signature set version 12887 seems to be safe.

Looks like our servers are overwhelmed with delayed jobs, which might be the cause of the signatures not updating. A note was just released in the portal to confirm the same...

[Attached screenshot: Screenshot_3130.png]
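The posts above give enough to triage an event export mechanically: the two detection names that Cisco confirmed as false positives, the BP signature set on which they started (13357), and the sets that fix each one (13380 for System-Restore, 13381 for TinyTurlaV2-ServiceCreated). The script below is an added example, not Cisco's code and not from anyone in this thread. It reads a constructed CSV export whose column names (timestamp, hostname, detection, bp_signature) are an assumption about the console's export format, not its real schema. It marks an event as an expected false positive only when the detection name is one of the two known ones and the reporting host was on a signature set from the affected version up to but not including the fixed one; a known name firing on a fixed signature set is deliberately kept in the review pile rather than dismissed, and hosts still reporting on an old set are listed so they can be pushed to update.

```python
import csv
import io
from collections import defaultdict

# Detection names confirmed in the thread as false positives, mapped to the
# Behavioral Protection (BP) signature set stated to fix each one.
FP_FIX_VERSION = {
    "TinyTurlaV2-ServiceCreated": 13381,
    "System-Restore": 13380,
}

# First BP signature set reported to emit the bogus events.
AFFECTED_BP_VERSION = 13357

# Constructed sample export (not real customer data). Column names are an
# assumption; adapt them to whatever your console actually exports.
SAMPLE_EXPORT = """\
timestamp,hostname,detection,bp_signature
2024-02-26 17:40:12,WS-0042,TinyTurlaV2-ServiceCreated,13357
2024-02-26 17:41:03,WS-0107,TinyTurlaV2-ServiceCreated,13357
2024-02-26 09:30:44,SRV-DB01,System-Restore,13357
2024-02-27 08:12:00,WS-0042,TinyTurlaV2-ServiceCreated,13357
2024-02-27 10:05:19,WS-0200,TinyTurlaV2-ServiceCreated,13381
2024-02-27 11:22:48,WS-0311,Generic.Malware.SvcInstall,13381
"""


def is_expected_false_positive(detection, bp_signature):
    """True only for a known-FP name raised by a signature set in the
    affected range [AFFECTED_BP_VERSION, fix_version)."""
    fix = FP_FIX_VERSION.get(detection)
    if fix is None:
        return False
    return AFFECTED_BP_VERSION <= bp_signature < fix


def triage(export_text):
    """Split an export into (expected_fps, needs_review, stale_hosts).

    expected_fps : rows explained by the revoked signature sets
    needs_review : everything else, including known names on a fixed set
    stale_hosts  : hostname -> detections it raised while still on an old set
    """
    expected_fps = []
    needs_review = []
    stale_hosts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["detection"]
        bp = int(row["bp_signature"])
        if is_expected_false_positive(name, bp):
            expected_fps.append(row)
            stale_hosts[row["hostname"]].add(name)
        else:
            needs_review.append(row)
    return expected_fps, needs_review, dict(stale_hosts)


if __name__ == "__main__":
    fps, review, stale = triage(SAMPLE_EXPORT)
    print(f"{len(fps)} expected false positives, {len(review)} events need review")
    for host, names in sorted(stale.items()):
        print(f"{host}: still on an affected BP set, raised {sorted(names)}")
    for row in review:
        print(f"REVIEW {row['hostname']} {row['detection']} (BP {row['bp_signature']})")
```

The sorting rule is the only part that matters: the version comparison is what keeps a TinyTurlaV2-ServiceCreated hit from a host already on 13381 (WS-0200 in the sample) out of the false-positive bucket, because that event is not explained by the revoked signature and deserves a look. The stale-host list is the set you would chase for a signature update, given the report in the thread that sfc.exe -forceApdeUpdate did not move the BP set.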
Vince3889
Level 1

All configured email alerts stopped in our environment since this whole two-false-positive mess began. Has anyone else experienced this as well? Does anyone know whether Cisco turned off email alerting?