Multiple false positive events for wscript.exe

mski7861
Level 1

Today we are seeing multiple high severity events being generated for wscript.exe sha256: 4173fc5a6864f03ab021823cd0f2f085ba85b3a9b1e37a2094798fc099507523

This is affecting multiple versions of the connector which is causing multiple endpoints to be placed into isolation.

Is this a false positive/misclassification?


RalphNelson
Level 1

Check the wscript.exe alert event details! (Detected as w32.4173FC5A68.infostealer-psexec.talos.sso)

See the Announcements section (Secure Endpoint):

False Positive Detections

Important Issue


Cisco is aware of the false positive detection(s) related to Cloud IOC: ExecutedMalware.ioc or Threat Name: w32.4173FC5A68.infostealer-psexec.talos.sso. The SHA256 involved is 4173fc5a6864f03ab021823cd0f2f085ba85b3a9b1e37a2094798fc099507523. The disposition is being reviewed and Cisco is investigating the root cause. We apologize for any inconvenience this may have caused.

muncky1
Level 1

This is an FP. Cisco is aware of this. This is what they sent:

Cisco is aware of the false positive detection(s) related to Cloud IOC: ExecutedMalware.ioc or Threat Name: w32.4173FC5A68.infostealer-psexec.talos.sso. The SHA256 involved is 4173fc5a6864f03ab021823cd0f2f085ba85b3a9b1e37a2094798fc099507523. The disposition is being reviewed and Cisco is investigating the root cause. We apologize for any inconvenience this may have caused.