09-03-2021 06:38 AM - edited 09-03-2021 06:40 AM
SHA-256 e5dccb33478bf13629d0a3f0ba7daceb56d7792e0132886ed129334ec6bb2a33 detected by MAP and convicted as
W32.MAP.Ransomware.rwd. Found this post https://quickview.cloudapps.cisco.com/quickview/bug/CSCvq59864; my Connector version is 7.4.1.20439, which is not a known affected version. False positive?
MAP detected d8e57517-45af-4d42-a2f1-7844fb9956ae.exe, Sontheim Components-1.07.6504-12 - #12 Full 12.0.21175.732 (e5dccb33…c6bb2a33) as W32.MAP.Ransomware.rwd.
by AGCOUpdateService.exe, AGCOUpdateService for .NET 4.6.2 1.21.7684.29091 (87eb220c…22037f3b)[Unknown] executing as SYSTEM@NT AUTHORITY.
The file was not quarantined. Error: Cannot delete file.
Affected Files Count: 5
Affected Files:
C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\9
C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\10
C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\12
C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\11
C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\13
File full path: C:\ProgramData\AGCO Corporation\AGCO Update\d8e57517-45af-4d42-a2f1-7844fb9956ae.exe
File SHA-1: ae4ddbe24fb08d39791918d2a0ca8c94ab5de8f0.
File MD5: 075e4668ceca61859906d5288fbfd702.
File size: 183808096 bytes.
File signed by AGCO Corporation with certificate serial 2 from thawte SHA256 Code Signing CA. Expires NaN:NaN:NaN, NaN 0NaN UTC. the certificate was warn trusted
Parent file SHA-1: efff229cbfa81dd4d4f35f5adaae0bbd100667f0.
Parent file MD5: 4ecbfbc987d8072846c6115b028dc471.
Parent file size: 1938344 bytes.
Parent file age: 0 seconds.
Parent file signed by AGCO Corporation with certificate serial 2 from thawte SHA256 Code Signing CA. Expires NaN:NaN:NaN, NaN 0NaN UTC. the certificate was warn trusted
Parent file cert MD5: b1bcf6b5b1954a4dd1cb0de00cfbe3ba.
Parent file cert SHA-1: 159bf94e915ba45752d31b62979a3acf93bea108.
Parent process id: 5340.
Parent process SID: S-1-5-18 (Local System).
09-13-2021 12:47 AM
Hello Paladin,
Bug CSCvq59864 was fixed and shouldn't affect any 7.x or later Secure Endpoint connectors. Regarding the detection that you see, it is related to the MAP engine (Malicious Activity Protection) rule "rwd": reading, writing and deleting a set of files within a short span of time. That happens with some software, especially during updates. If you are certain that it is legitimate software you can always create an exclusion of the following type: Process > Malicious Activity (for the MAP engine), by using either Path or SHA.
Hope that helps
Wojciech
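To make the "rwd" behaviour described in the answer concrete, here is a toy model of such a read/write/delete rule. This is an added example written for this page, not Cisco's MAP engine code (its real thresholds and internals are not public). It replays constructed file-activity events: an updater process that reads, writes and then deletes each of the deltapackage files listed in the post, and a benign process that only reads files. The 30-second window, the 3-file threshold, the process IDs and the backup process are hypothetical assumptions; the file and process paths are taken from the post above. A path-based exclusion, like the Process > Malicious Activity exclusion the answer mentions, suppresses the alert.

```python
"""Toy model of a read/write/delete ("rwd") behavioural rule.

Added example for this page; NOT Cisco's MAP engine implementation.
Hypothetical: 30 s window, 3-file threshold, process IDs 6120 and 7001,
and the backup.exe process. Paths come from the forum post above.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 30.0   # hypothetical window
MIN_FILES = 3           # hypothetical threshold

UPDATER = (r"C:\ProgramData\AGCO Corporation\AGCO Update"
           r"\d8e57517-45af-4d42-a2f1-7844fb9956ae.exe")
TMP_DIR = (r"C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029"
           r"\deltapackage\1")
BACKUP = r"C:\Program Files\Backup\backup.exe"          # hypothetical


def build_sample_events():
    """Constructed events: (timestamp, pid, process_path, op, file_path)."""
    events = []
    # Updater (pid 6120, hypothetical) reads, writes, deletes each delta file.
    for i, name in enumerate(("9", "10", "12", "11", "13")):
        path = TMP_DIR + "\\" + name
        t = i * 0.5
        events += [(t, 6120, UPDATER, "read", path),
                   (t + 0.1, 6120, UPDATER, "write", path),
                   (t + 0.2, 6120, UPDATER, "delete", path)]
    # Benign process (pid 7001, hypothetical) only reads files: no rwd pattern.
    for i in range(5):
        events.append((i * 0.3, 7001, BACKUP, "read",
                       r"C:\Users\user\Documents\doc%d.txt" % i))
    return events


def detect_rwd(events, window=WINDOW_SECONDS, min_files=MIN_FILES,
               exclusions=frozenset()):
    """Return one alert per process that reads, writes AND deletes at least
    `min_files` distinct files inside a sliding `window` of seconds.

    `exclusions` is a set of lower-cased process paths to skip, mirroring a
    path-based Process > Malicious Activity exclusion.
    Each alert is (pid, process_path, sorted list of files matched).
    """
    recent = defaultdict(deque)   # pid -> deque of (ts, op, file_path)
    alerted = set()
    alerts = []
    for ts, pid, proc, op, path in sorted(events, key=lambda e: e[0]):
        if proc.lower() in exclusions:
            continue
        q = recent[pid]
        q.append((ts, op, path))
        # Drop events that fell out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        # Collect which ops each file saw inside the window.
        ops_by_file = defaultdict(set)
        for _, o, p in q:
            ops_by_file[p].add(o)
        matched = sorted(p for p, ops in ops_by_file.items()
                         if {"read", "write", "delete"} <= ops)
        if len(matched) >= min_files and pid not in alerted:
            alerted.add(pid)
            alerts.append((pid, proc, matched))
    return alerts


if __name__ == "__main__":
    for pid, proc, files in detect_rwd(build_sample_events()):
        print("rwd pattern: pid %d %s touched %d files" % (pid, proc, len(files)))
    print("with exclusion:",
          detect_rwd(build_sample_events(), exclusions={UPDATER.lower()}))
```

The updater trips the rule on the third file it cycles through, exactly the kind of legitimate-but-noisy update behaviour the answer describes, while the read-only process never does. Whether to exclude it is a judgement call: the signed parent and the temp-file pattern match the vendor's own update flow, but the exclusion should be as narrow as possible (the specific path or SHA, not the whole directory).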