08-04-2022 07:45 PM
Hi community,
Wondering if anyone else is seeing BT alerts for sdiagnhost.exe appearing over the last 24 hours? We have had similar things occur in the past due to over-excited signature updates causing false positives.
This process is one that MSDT Follina uses, but the servers it is popping up on do not have any Office products running, so I'm confident it's not that, and we mitigated the MSDT issues back when they first hit the news.
Cheers
08-05-2022 12:45 AM
Hi, we are observing the same behaviour on different customers; some of them are behind the patch level but others are not... We are concerned over Follina too, because for some of the alerts we had confirmation of unsolicited mail with attachments, but for other systems there was no reason for an alert...
08-05-2022 02:37 AM
We opened a ticket with support, just in case.
08-05-2022 04:16 AM
Hi @adminBandE and @RobertoPastorino
As Roberto has done, I would recommend opening a TAC support ticket if you suspect that there is weird behavior of BT protection. On top of that, observe and investigate the incidents related to these alerts and do not discard them as a false positive until you are sure that it really is a false positive.
KR,
Luis
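The triage Luis describes, and the reasoning in the first post (sdiagnhost.exe is part of the MSDT chain Follina abuses, but the alerting servers run no Office), can be turned into a repeatable check over process-creation telemetry. The following is an added example written for this thread, not Palo Alto or Cortex XDR code; the event fields, the expected parent of sdiagnhost.exe and the sample events are constructed assumptions.

```python
"""Triage sdiagnhost.exe / msdt.exe process-creation alerts.

Hypothetical helper for this thread, not vendor code. Input records mimic
Sysmon-style process-creation events and are constructed for illustration.
"""
from dataclasses import dataclass

# Office parents that the Follina (MSDT) chain launches MSDT from.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Images named in the BT alerts discussed in the thread.
DIAG_IMAGES = {"sdiagnhost.exe", "msdt.exe"}
# Assumption: the scripted-diagnostics host is normally started by a
# svchost.exe (DCOM) instance, so that lineage is the expected benign shape.
EXPECTED_PARENTS = {"svchost.exe", "msdt.exe"}


@dataclass
class ProcEvent:
    host: str
    image: str               # full path of the created process
    parent_image: str        # full path of the parent process
    host_runs_office: bool   # from inventory, as the first poster reasoned


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(ev: ProcEvent) -> str:
    """Return 'ignore', 'escalate', 'review' or 'likely_fp' for one event."""
    if basename(ev.image) not in DIAG_IMAGES:
        return "ignore"
    parent = basename(ev.parent_image)
    if parent in OFFICE_PARENTS:
        return "escalate"      # Office -> MSDT is the Follina lineage
    if parent not in EXPECTED_PARENTS:
        return "escalate"      # unexpected launcher, investigate first
    if not ev.host_runs_office:
        return "likely_fp"     # expected lineage, no Office on the host
    return "review"            # plausible but Office present: look closer


def summarize(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Group hosts by verdict, skipping 'ignore'."""
    out: dict[str, list[str]] = {}
    for ev in events:
        verdict = triage(ev)
        if verdict != "ignore":
            out.setdefault(verdict, []).append(ev.host)
    return out


# Constructed sample events (not real telemetry).
SAMPLE = [
    ProcEvent("srv01", r"C:\Windows\System32\sdiagnhost.exe",
              r"C:\Windows\System32\svchost.exe", False),
    ProcEvent("wks07", r"C:\Windows\System32\msdt.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", True),
    ProcEvent("wks07", r"C:\Windows\System32\sdiagnhost.exe",
              r"C:\Windows\System32\svchost.exe", True),
    ProcEvent("srv02", r"C:\Windows\System32\sdiagnhost.exe",
              r"C:\Windows\System32\cmd.exe", False),
    ProcEvent("srv03", r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe", False),
]

if __name__ == "__main__":
    for verdict, hosts in sorted(summarize(SAMPLE).items()):
        print(f"{verdict:10s} {', '.join(hosts)}")
```

Only `likely_fp` hosts are candidates for the temporary exclusion support suggested; `escalate` and `review` still need the incident handled.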
08-08-2022 12:24 AM
Support replied confirming the issue as a false positive that will be addressed in a minor CU release due this week.
In the meantime they suggested the creation of an alert exclusion for the CGO path and process for the affected agents only, to be removed after the CU is released.
Given the elusiveness of the exploit, the fact that some bu are deaf to the necessity of quick patching, and that for at least two endpoints there was a confirmed case of a downloaded unsolicited email with Office attachments, I will treat this case as a true positive while waiting for the CU to be released.
BR
08-08-2022 07:42 AM
Thank you for sharing their response! We have not implemented a "bypass"; we are seeing no negative effects of the blocking besides the alert messages. We will wait for them to patch it. Have a good Monday!
08-09-2022 03:49 PM
We are also ignoring due to the risk of missing a legitimate alert. Not seeing this occur much in the environment and only on servers, thankfully.