W32.MAP.Ransomware.rwd.

Paladin
Level 1

SHA-256 e5dccb33478bf13629d0a3f0ba7daceb56d7792e0132886ed129334ec6bb2a33 detected by MAP and convicted as W32.MAP.Ransomware.rwd. Found this post https://quickview.cloudapps.cisco.com/quickview/bug/CSCvq59864, my Connector version is 7.4.1.20439. Not a known affected version. False positive?


Event Details
Medium
2021-09-03 12:40:43 UTC

MAP detected d8e57517-45af-4d42-a2f1-7844fb9956ae.exe, Sontheim Components-1.07.6504-12 - #12 Full 12.0.21175.732 (e5dccb33…c6bb2a33) as W32.MAP.Ransomware.rwd.

by AGCOUpdateService.exe, AGCOUpdateService for .NET 4.6.2 1.21.7684.29091 (87eb220c…22037f3b)[Unknown] executing as SYSTEM@NT AUTHORITY.

The file was not quarantined. Error: Cannot delete file.

Affected Files Count: 5

Affected Files:

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\9

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\10

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\12

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\11

C:\Windows\Temp\d5ed4260-0cb4-11ec-4823-4bb689ee0029\deltapackage\1\13


File full path: C:\ProgramData\AGCO Corporation\AGCO Update\d8e57517-45af-4d42-a2f1-7844fb9956ae.exe

File SHA-1: ae4ddbe24fb08d39791918d2a0ca8c94ab5de8f0.

File MD5: 075e4668ceca61859906d5288fbfd702.

File size: 183808096 bytes.

File signed by AGCO Corporation with certificate serial 2 from thawte SHA256 Code Signing CA. Expires NaN:NaN:NaN, NaN 0NaN UTC. the certificate was warn trusted

Parent file SHA-1: efff229cbfa81dd4d4f35f5adaae0bbd100667f0.

Parent file MD5: 4ecbfbc987d8072846c6115b028dc471.

Parent file size: 1938344 bytes.

Parent file age: 0 seconds.

Parent file signed by AGCO Corporation with certificate serial 2 from thawte SHA256 Code Signing CA. Expires NaN:NaN:NaN, NaN 0NaN UTC. the certificate was warn trusted

Parent file cert MD5: b1bcf6b5b1954a4dd1cb0de00cfbe3ba.

Parent file cert SHA-1: 159bf94e915ba45752d31b62979a3acf93bea108.

Parent process id: 5340.

Parent process SID: S-1-5-18 (Local System).

1 Accepted Solution

Accepted Solutions

Wojciech Cecot
Cisco Employee

Hello Paladin,

Bug CSCvq59864 was fixed and shouldn't affect any 7.x or later Secure Endpoint connectors. Regarding the detection that you see, it is related to the MAP engine (Malicious Activity Protection) rule "rwd": reading, writing and deleting a set of files within a short span of time. That happens with some software, especially during updates. If you are certain that it is legitimate software you can always create an exclusion of the following type: Process > Malicious Activity (for MAP engine), using either Path or SHA.

Hope that helps,

Wojciech

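To make the "rwd" behaviour described in the accepted solution concrete, here is an added, simplified illustration (not Cisco's engine, and not code from anyone on this thread) of how a heuristic of that shape works: it scans constructed file-activity events, flags any process that reads, writes and deletes a set of files inside a short window, and then shows how a process exclusion by path or by SHA-256 suppresses the hit. The window length, the file-count threshold, the process paths and the hashes are all assumed values chosen for the example.

```python
"""Simplified MAP-style "rwd" heuristic over constructed file-activity events.

This is an added illustration, not Cisco's implementation: the real rule's
thresholds and matching logic are not public and are not reproduced here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEvent:
    ts: datetime        # time of the operation
    pid: int            # process id
    proc_path: str      # image path of the process
    proc_sha256: str    # hash of the image (constructed values below)
    op: str             # "read", "write" or "delete"
    path: str           # file affected


# Assumed thresholds for this example; the real rule's values are unknown.
WINDOW = timedelta(seconds=10)
MIN_FILES = 5


def rwd_hits(events, window=WINDOW, min_files=MIN_FILES):
    """Return {pid: sorted files} for each process that read, wrote and
    deleted at least `min_files` distinct files within one sliding window.
    A file counts only if all three operations hit it inside the window
    (a simplification of the ransomware read-encrypt-delete pattern)."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)
    hits = {}
    for pid, evs in by_pid.items():
        for i, start in enumerate(evs):          # window starts at each event
            ops = defaultdict(set)               # op -> files touched
            for ev in evs[i:]:
                if ev.ts - start.ts > window:
                    break
                ops[ev.op].add(ev.path)
            full = ops["read"] & ops["write"] & ops["delete"]
            if len(full) >= min_files:
                hits[pid] = sorted(full)
                break
    return hits


def apply_exclusions(events, hits, excluded_paths=(), excluded_sha256=()):
    """Drop hits whose process matches a Path or SHA exclusion, mirroring the
    'Process > Malicious Activity' exclusion types named in the reply."""
    proc = {ev.pid: ev for ev in events}
    return {pid: files for pid, files in hits.items()
            if proc[pid].proc_path not in excluded_paths
            and proc[pid].proc_sha256 not in excluded_sha256}


# Constructed sample data: an updater unpacking a delta package (read, write
# and delete of five temp files within ~3.5 s) and an editor merely saving
# five documents. Paths and hashes are placeholders, not real products.
T0 = datetime(2021, 9, 3, 12, 40, 43)
UPDATER = "C:\\ProgramData\\ExampleVendor\\Update\\updater.exe"   # assumed
UPDATER_SHA = "0" * 64                                              # placeholder
EDITOR = "C:\\Program Files\\ExampleEditor\\editor.exe"            # assumed


def build_sample_events():
    events = []
    for i in range(5):
        f = f"C:\\Windows\\Temp\\deltapackage\\1\\{i}"
        for k, op in enumerate(("read", "write", "delete")):
            events.append(FileEvent(T0 + timedelta(seconds=i * 0.8 + k * 0.1),
                                    1001, UPDATER, UPDATER_SHA, op, f))
    for i in range(5):
        events.append(FileEvent(T0 + timedelta(seconds=i), 2002, EDITOR,
                                "1" * 64, "write", f"C:\\Users\\u\\doc{i}.txt"))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    hits = rwd_hits(evs)
    print("raw hits:", hits)                      # the updater (pid 1001) trips the rule
    print("after path exclusion:",
          apply_exclusions(evs, hits, excluded_paths=(UPDATER,)))
    print("after SHA exclusion:",
          apply_exclusions(evs, hits, excluded_sha256=(UPDATER_SHA,)))
```

The updater's burst of temp-file activity is exactly the shape the heuristic looks for, which is why a legitimate installer can be convicted; the exclusion is applied to the process (path or hash), not to the affected files, so the event is suppressed only for that trusted binary and the rule keeps firing for everything else.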

5 Replies


I have Secure Endpoint > 7.x but am still having this issue.

Can you clarify how I set the exclusion?


Cisco Secure Client 5.1.7.1336  
(Tue May 20 12:13:17 2025)
Secure Endpoint 8.2.3.30119

This is an over 4-year-old thread about a specific FP event. When you say that you have the same issue, what exactly are you referring to?

Lastly, if you need to apply sets of exclusions you need to have access to the Secure Endpoint Dashboard and be an administrator in that org.

tiaandra
Cisco Employee

Hi, I'm getting this error after I install Paint.NET - Free Software for Digital Photo Editing.

I'm not an admin, so I guess I'm stuck?! Do you know how I can request an exception to this?

Matthew Franks
Cisco Employee

For exceptions within your organization, you'll have to reach out to one of your organization admins so they can determine the risk and add an exception if appropriate. That isn't something we can do for you.

Thanks,

Matt