Cybersec/SecOps
Hi. I just would like a clarification on this issue I have. A Falcon alert is detecting malware coming from an end user, with cynetEPS.exe as the triggering indicator associated with an IoC (file hash). I'd like to know if this is a false positive. Falcon blocked it and I haven't checked yet if Cynet was installed or already installed or a client tool. It might be a masquerade or what. I'd like to know what you guys think about this. Thanks
7 Replies
can you share the hash by chance?
Hashes are a reliable indicator; I'm not familiar with that specific malware though. It could be something that you wouldn't consider malware.
Unfortunately, I don't have the authority to view the hash. I was tasked to verify if Cynet is installed on the system. But I want to go the extra mile to at least determine what the actual cause was, as it might happen again.
You would have to dig through logs to do something like that.
It's very doable, but takes some skill.
If you have PowerShell access.
The location of Cynet could help you identify if the issue is actually a problem or not:
Or in PowerShell:
You can also check the execution history of that file:
(I am not sure about the ID, but I think that might be the correct one!)
I hope one of these helps you out!
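As an added example that is not part of the thread (the replier's own commands did not survive on the page), here is a PowerShell triage for the situation described: locate cynetEPS.exe, check its Authenticode signature and hash, confirm whether Cynet is registered as a service or installed product, and pull its process-creation history from Security event 4688 or Sysmon event 1. The install roots searched, the seven-day window and the presence of a Sysmon log are assumptions; run it as an administrator on the affected host.

```powershell
# Added example (not from the thread): triage a cynetEPS.exe detection on the endpoint.
# Assumes: run as admin on the affected host; 'cynetEPS.exe' is the image name from the alert.
$Name = 'cynetEPS.exe'

# 1. Where does the file live? Assumed install roots first; a vendor binary under a user profile
#    or temp path deserves a closer look than one under Program Files.
$Roots = "$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData", "$env:SystemDrive\Users"
$Found = Get-ChildItem -Path $Roots -Filter $Name -Recurse -File -ErrorAction SilentlyContinue

foreach ($f in $Found) {
    # A legitimate vendor binary should report Status 'Valid' with the vendor as signer.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    # SHA256 to compare against the IoC hash in the Falcon alert (not given in the thread).
    $sha = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $f.FullName
        SizeKB    = [math]::Round($f.Length / 1KB)
        Created   = $f.CreationTime
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $sha
    }
}

# 2. Is Cynet registered as a service or an installed product? A masquerading copy usually is not.
Get-Service | Where-Object { $_.DisplayName -match 'Cynet' } | Select-Object Name, DisplayName, Status
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Cynet' } | Select-Object DisplayName, DisplayVersion, InstallLocation

# 3. Execution history. Security 4688 (process creation) only exists if 'Audit Process Creation'
#    is enabled; Sysmon Event ID 1 is the alternative where Sysmon is deployed (assumed here).
$Since = (Get-Date).AddDays(-7)   # assumed look-back window
$Esc   = [regex]::Escape($Name)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Esc } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = {
        ($_.Message -split "`n" | Where-Object { $_ -match 'New Process Name|Creator Process Name|Account Name' }) -join '; ' } }

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Esc } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = {
        ($_.Message -split "`n" | Where-Object { $_ -match '^Image|^ParentImage|^Hashes|^User' }) -join '; ' } }
```

A copy outside the vendor install path, with an unsigned or mismatched signature and no matching service or uninstall entry, is the pattern that would support the masquerade hypothesis; a signed file under Program Files with a registered service points toward a false positive, though the hash comparison against the alert is still the deciding check.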
I should have thought of that. Much easier. Thank you for helping out.
No problem at all. By the way my DMs are always open for help!