Incident question - svchost without signature?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Incident question - svchost without signature?

L3 Networker

Hello dear community, 


you know how to handle this svchost.exe without signature? In my opinion it is FP, but why?

Isn't it possible for the cortex agent to read the signature from svchost.exe in this case?






I tweaked the alert and gave it medium severity and some more applications. 







L3 Networker

Hi @RFeyertag,


It's a little odd that svchost.exe doesn't have a digital signature and I would like to ask you if you can run an XQL query against this endpoint and identify if the svchost.exe on that endpoint is indeed unsigned or not (please see the query below)?


dataset = xdr_data
| filter agent_hostname = "<endpoint_hostname>" and causality_actor_process_image_name="svchost.exe"
| fields causality_actor_process_image_name, actor_process_signature_vendor, actor_process_signature_status




Silviu-Mihail Dascalu

Hello Silviu, 


yes, I get a few results. See screenshot below. I get these incidents on another computer too and on another pc with explorer.exe. 

In summary there are 3 incidents and I need to know, if this is a FP or not. 






L3 Networker

Hi @RFeyertag 


Please open a TAC case in order for this to be investigated properly as it seems there are some miss matches between the XQL results and the alert info. 

Silviu-Mihail Dascalu
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!