topic Re: Behavioral Threat alerts for sdiagnhost.exe spawning cronhost.exe - false positive? in Cortex XDR Discussions

Behavioral Threat alerts for sdiagnhost.exe spawning cronhost.exe - false positive?

adminBandE — Fri, 05 Aug 2022 02:45:21 GMT

Hi community,

Wondering if anyone else is seeing BT alerts for sdiagnhost.exe appearing over the last 24 hours? We have had similar things occur in the past due to over excited signature updates cause false positives.

This process is one that MSDT Follina uses but the servers it popping up on do not run any Office products running so confident it's not that, and mitigated MSDT issues back when they first hit the news.

Cheers

Re: Behavioral Threat alerts for sdiagnhost.exe spawning cronhost.exe - false positive?

RobertoPastorino — Fri, 05 Aug 2022 07:45:54 GMT

Hi, we are observing the same behaviour on different customers, some of them are behind the patch level but others are not.. We are concerned over Follina too, because for some of the alerts we had confirmation of unsolicited mail with attachments but, for other systems, there were no reason for an alert...

Re: Behavioral Threat alerts for sdiagnhost.exe spawning cronhost.exe - false positive?

RobertoPastorino — Fri, 05 Aug 2022 09:37:31 GMT

We opened a ticket with the support, just in case.

Re: Behavioral Threat alerts for sdiagnhost.exe spawning cronhost.exe - false positive?

eluis — Fri, 05 Aug 2022 11:16:50 GMT

Hi @adminBandE and @RobertoPastorino

as Roberto has done, I would recommend to open a TAC support ticket under if you suspect that there is a weird behavior of BT protection. On top of that observe and investigate the incidents related to these alerts and do not discard them as a false positive until you are sure that it really is a false positive.

KR,
Luis

Re: Behavioral Threat alerts for sdiagnhost.exe spawning cronhost.exe - false positive?

Dclark190 — Fri, 05 Aug 2022 17:50:50 GMT

Yes, we are seeing them as well. Microsoft released a patch for Follina about 2.5 weeks ago. I can only assume something they patched is triggering this event.

Re: Behavioral Threat alerts for sdiagnhost.exe spawning cronhost.exe - false positive?

RobertoPastorino — Mon, 08 Aug 2022 07:24:30 GMT

Support replied confirming the issue as a false positive that will be addressed in a minor CU release due this week.

In the meantime they suggested the creation of an alert exclusion for the CGO path and process for the affected agents only, to be removed after the CU is released.

Given the elusivity of the exploit, the fact that some bu are deaf on the necessity of quick patching and that for at least two endpoints there were a confirmed case of downloaded unsolicited email with office attachments, I will treat this case as a true positive, waiting for the CU to be released.

Re: Behavioral Threat alerts for sdiagnhost.exe spawning cronhost.exe - false positive?

Dclark190 — Mon, 08 Aug 2022 14:42:53 GMT

Thank you for sharing their response! We have not implemented a "bypass" we are seeing no negative effects of the blocking besides the alert messages. We will wait for them to patch it. Have a good monday!

Re: Behavioral Threat alerts for sdiagnhost.exe spawning cronhost.exe - false positive?

adminBandE — Tue, 09 Aug 2022 22:49:27 GMT

We are also ignoring due to the risk of missing a legitimate alert. Not seeing this occur much in the environment and only on servers, thankfully.