topic Re: problem endpoint signature generating large number of false positives? in Endpoint

problem endpoint signature generating large number of false positives?

LazarusG — Thu, 18 Sep 2025 09:45:19 GMT

We have a couple of customers reporting high attack rates in the portal and many applications being quarantined on their endpoints.

Doesn't seem to be any chatter on here - is anyone aware of a problem signature released into the wild or is their something more nefarious going on?

Thanks

Re: problem endpoint signature generating large number of false positives?

_Val_ — Thu, 18 Sep 2025 10:05:49 GMT

Not something known. If any doubt, reach out ot TAC and (probably) IR

Re: problem endpoint signature generating large number of false positives?

the_rock — Thu, 18 Sep 2025 10:06:52 GMT

When did this start happening?

Re: problem endpoint signature generating large number of false positives?

LazarusG — Thu, 18 Sep 2025 10:14:23 GMT

just getting wind of it from two customers in the last hour or two.

Re: problem endpoint signature generating large number of false positives?

the_rock — Thu, 18 Sep 2025 10:22:06 GMT

Will check later with one of our clients, still early here : - )

Andy

Re: problem endpoint signature generating large number of false positives?

LazarusG — Thu, 18 Sep 2025 10:23:31 GMT

both seem to be having high incidence of Protection name Gen.ML.SA - both will be logged to tac

Re: problem endpoint signature generating large number of false positives?

the_rock — Thu, 18 Sep 2025 10:24:51 GMT

Is there something you see in the portal itself or mostly on endpoint side of things? I ask that, because I have access to this customer's portal on the cloud, so can check any time.

Andy

Re: problem endpoint signature generating large number of false positives?

LazarusG — Thu, 18 Sep 2025 10:52:05 GMT

logs for blade:forensics - TAC have responded saying its a known issue.

Re: problem endpoint signature generating large number of false positives?

the_rock — Thu, 18 Sep 2025 10:57:03 GMT

Thanks for the update, appreciated!

Re: problem endpoint signature generating large number of false positives?

m25487 — Thu, 18 Sep 2025 10:59:36 GMT

We also have elective files in quarantine. Is there anything we can do?

Re: problem endpoint signature generating large number of false positives?

the_rock — Thu, 18 Sep 2025 11:01:30 GMT

Lets see if something official comes out in the meantime...

Re: problem endpoint signature generating large number of false positives?

LazarusG — Thu, 18 Sep 2025 11:19:57 GMT

sorry to hear that = guidance on my side is wait for official comment/fix

Re: problem endpoint signature generating large number of false positives?

LazarusG — Thu, 18 Sep 2025 13:08:00 GMT

TAC update from an hour ago;

"We have a fix for this global issue now. The clients will be upgraded automatically in the next 2-3 hours".

They say there is a script for if you need it more urgently.

Re: problem endpoint signature generating large number of false positives?

the_rock — Thu, 18 Sep 2025 13:09:55 GMT

Is the script public (ie part of sk) or has to be requested?

Andy

Re: problem endpoint signature generating large number of false positives?

LazarusG — Thu, 18 Sep 2025 13:48:45 GMT

im unaware of an SK so assume tac request - also wondering if the quarantined files will be released without intervention....

Re: problem endpoint signature generating large number of false positives?

the_rock — Thu, 18 Sep 2025 13:50:07 GMT

Yea...super valid point @LazarusG

Re: problem endpoint signature generating large number of false positives?

LazarusG — Thu, 18 Sep 2025 15:18:16 GMT

I suppose you could use a push operation to release quarantined files
Push Operations

else the AdminRemediationManagerUI.exe ..

But am not sure how things look in the customer estate now.

They did confirm no more logs since about 2hrs ago.

Re: problem endpoint signature generating large number of false positives?

the_rock — Thu, 18 Sep 2025 15:21:09 GMT

Thats true...IM not harmony endpoint guru by any means, but I do recall that sometimes even push operations can take some time and then eventually fail.

Andy

Re: problem endpoint signature generating large number of false positives?

the_rock — Fri, 19 Sep 2025 02:33:19 GMT

I also ended up opening TAC case for this today and they confirmed issue was fully fixed.

Andy

Re: problem endpoint signature generating large number of false positives?

Tom_Hinoue — Fri, 19 Sep 2025 02:47:52 GMT

We still have some customers that reported their applications are still quarantined even at this time.
Did TAC mention anything about what we need to do on client side like rebooting or manually updating the client status?

It's not realistic to release each app from quarantine with push operations.
There are dozens of apps that are quarantined on 1 client times by the number of actual customer devices..

Note, we already have a TAC case opened and pending their update.