cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7602
Views
40
Helpful
30
Replies

TinyTurlaV2 Service Created - False positive detection

Leijonbo
Level 1
Level 1

Today we see a lot of Threat detections that detect TinyTurlaV2 Service Created. 

I just wonder if this has something to do with the False Positive Detections on Behaviorla Protection that Cisco annonsed yeasterday evening. It looks like this detections started at the same time so therefore my question. 

Also found this question on TinyTurlaV2 Service : r/DefenderATP (reddit.com)

1 Accepted Solution

Accepted Solutions

Roman Valenta
Cisco Employee
Cisco Employee

Looks like all the queue finally got processed as I see some BP updates in my own portal and the newest BP signature is 13411 as of right now 8:40pm EST

 

View solution in original post

30 Replies 30

alexdeschrijver
Level 1
Level 1

did anyone got a response of Cisco's them self already?

Bunged
Level 1
Level 1

We saw the same thing in our environment.




 

You beat me to it. This has to stop. 50% of our endpoints are highlighted.

That is also a false positive.

tashe
Level 1
Level 1

Hello,

I just received confirmation from cisco tac support team that TinyTurlaV2 is a false positive detection.

"The Talos has already revoked affected signature versions and the connectors should be updating with the corrected signature bundle".

 

ventaran
Level 1
Level 1

Just got confirmation this is a FalsePositive as well

joe5961
Level 1
Level 1

We received notice from our Managed Service Provider who is partnered with Cisco.  They acknowledged receiving word from Cisco that these were false positives.  Cisco is supposed to be releasing an updated signature to correct the issue.  Not sure when that will be. But it has created a lot of alerts on our end.  Nerve racking.....

The fix for the System Restore reg key went out yesterday afternoon, per discussion in the Secure Endpoint Webex team

Not sure if/when the TinyTurla fix went.

J Hefner
Level 1
Level 1

Has anyone else been able to trace what apps are triggering these False Positives? I was under the impression these were supposed to have been fixed 24 hours ago.

 

Roman Valenta
Cisco Employee
Cisco Employee

As long as your BP signature is updated you should be no longer receiving these false positive events. The fix was implemented yesterday but if for some reason (PC offline) you are still on the old BP signature you will continue receiving these alerts until the Signature is updated.

You can manually update through cmd line: C:\Program Files\Cisco\AMP\Your-Connector-Version\sfc.exe -forceApdeUpdate

First Seen: 2024-02-26 17:33:47
TinyTurlaV2-ServiceCreated

BP Signature 13381 fixes TinyTurlaV2-ServiceCreated issue

First Seen: 2024-02-26 09:28:00
System-Restore

BP Signature 13380 fixes the System-Restore issue

 

Hope this help....

 

According to our testing and other articles on web, sfc.exe -forceApdeUpdate updates only Tetra engine. BP engine signature set stayed the same.

hanculak
Level 1
Level 1

It seems that affected Behavioral Protection Signature Set is version 13357. As soon as signature set is updated to this version, events start coming. Signature set version 12887 seems to be safe.

Looks like our servers are overwhelmed with delayed jobs which might be the cause why the signatures are not updating. Note was just released in the portal  to confirm the same...

 

Screenshot_3130.png

 

 

Vince3889
Level 1
Level 1

All configured email alerts stopped in our environment since this whole 2-false-positive mess began. Has anyone else experienced this as well? Did Cisco turn off email alerting anyone know?