Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-06-2022 10:36 AM
Hello dear community,
you know how to handle this svchost.exe without signature? In my opinion it is FP, but why?
Isn't it possible for the cortex agent to read the signature from svchost.exe in this case?
I tweaked the alert and gave it medium severity and some more applications.
BR
Rob
08-08-2022 06:05 AM
Hi @RFeyertag,
It's a little odd that svchost.exe doesn't have a digital signature and I would like to ask you if you can run an XQL query against this endpoint and identify if the svchost.exe on that endpoint is indeed unsigned or not (please see the query below)?
dataset = xdr_data
| filter agent_hostname = "<endpoint_hostname>" and causality_actor_process_image_name="svchost.exe"
| fields causality_actor_process_image_name, actor_process_signature_vendor, actor_process_signature_status
Thanks,
Silviu
08-08-2022 07:45 AM
Hello Silviu,
yes, I get a few results. See screenshot below. I get these incidents on another computer too and on another pc with explorer.exe.
In summary there are 3 incidents and I need to know, if this is a FP or not.
BR
Rob
08-08-2022 07:54 AM
Hi @RFeyertag
Please open a TAC case in order for this to be investigated properly as it seems there are some miss matches between the XQL results and the alert info.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
