Solved: Re: TinyTurlaV2 Service Created - False positive detection - Page 2

Leijonbo · ‎02-26-2024

Today we see a lot of Threat detections that detect TinyTurlaV2 Service Created.

I just wonder if this has something to do with the False Positive Detections on Behaviorla Protection that Cisco annonsed yeasterday evening. It looks like this detections started at the same time so therefore my question.

Also found this question on TinyTurlaV2 Service : r/DefenderATP (reddit.com)

emapsit · ‎02-27-2024

I received an alert 2024-02-2617:21UTC for the System Restore Disabled by Registry. After that nothing. Thought I was missing something with my alerts.

Ken Stieers · ‎02-27-2024

I also haven't gotten anything from these...
Though I should have.
My subscription is still in place.

________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

dwillia5@highpoint.edu · ‎02-27-2024

@Vince3889Our email alerts are not working either. Cisco really has stepped in it this time.

TaylorOfTheCave · ‎02-27-2024

Vince - I think you'll note that it's not that the email alerts aren't working - it's that the events that trigger the email alerts aren't being logged/generated and as a result of that the email alerts don't trigger.

If you were getting the events logged as they ought to be you'd get the emails. They're not logging the events appropriately, so you're not getting the emails.

This is a Sev1 outage on the Cisco end despite no notification saying so or acknowledgement on their Status page.

ThinkG_AB · ‎02-27-2024

Not sure they turned it off, seems the flood of events may of DDOS'd their servers
We are not getting any email notifications at the moment.

emapsit · ‎02-27-2024

Refreshed my inbox and found this alert. It wasn't there an hour ago but says it's been there for 8 hours.

Vince3889 · ‎02-27-2024

Thanks @emapsit & @Ken Stieers . Seeing these 2 messages now:

I guess this is like 'retrospective detections' but applied to system messages? I wanna rant so bad right now, this is testing the limits of self-control.

Ken Stieers · ‎02-27-2024

I hear you...
I think the whole pipeline of outbound data is clogged... Events, notifications, updates, everything...

________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

Matthew Franks · ‎02-27-2024

You're correct Ken. We have a backup of jobs getting processed due to the FPs and have been allocating resources to get them processed as quickly as possible. We're anticipating being caught up within the next couple of hours.

-Matt

Roman Valenta · ‎02-27-2024

Looks like all the queue finally got processed as I see some BP updates in my own portal and the newest BP signature is 13411 as of right now 8:40pm EST

cbmvmr · ‎02-28-2024

These false positive episodes happen with increasing frequency over the past year, and are incredibly nerve-wracking. The one-two punch of the System Restore disabled and APT service created is the last straw for our org. Cisco does not seem to have a good product strategy in place, so we're moving to C-strike.

I know we're a small fish in a large pond, but enough is enough. We're going to end up missing a REAL alert one day because we just can't trust Cisco products anymore.

Josh M · ‎02-28-2024

I agree. This could not have occurred at a more terrible time, especially since last week United Health was breached by an APT. My org wanted to tighten its belt in regards to security, which meant turning on Automatic isolation for Cisco Secure Endpoint and then I wake up to dozens of machines being falsely isolated and **bleep** near had a heart attack when I see APT threats on my endpoints. Imagine if a critical server or domain controller had been falsely isolated? This is a no-go for the healthcare sector.

Cisco's EDR products continue to disappoint. I'll be encouraging leadership to look elsewhere.

Roman Valenta · ‎03-01-2024

Final note:

Fort all 3 incidents bellow.

- TinyTurlaV2

- System Restore Disabled via Registry

- Delayed Jobs

Cisco Official RCA was released and those can be requested through your existing TAC Case.

Roman Valenta · ‎03-05-2024

Now available to public as well...

Cisco Secure Endpoint - False Positive Incident on 26-27th February

https://community.cisco.com/t5/security-urgent-notices-knowledge-base/cisco-secure-endpoint-false-positive-incident-on-26-27th/ta-p/5033899

Leijonbo · ‎03-05-2024

Hi!
Is this public? I got Access Denied when click on the link.