topic Re: Anti-bot events today 12-19 in Endpoint

Anti-bot events today 12-19

Kevin_T600 — Wed, 19 Dec 2018 21:07:55 GMT

Anyone else running into a bunch of anti-bot detection events today? All of a sudden we have 80+ clients logging anti-bot detection events. Services flagged are svchost/chrome/IE.

Most are tagged as Phising_website.bynzq

Trying to work with support, but they seem overwhelmed and don't have anyone available.

Curious if anyone else has seen these today.

Re: Anti-bot events today 12-19

PhoneBoy — Thu, 20 Dec 2018 00:58:51 GMT

Can you send me the TAC case you opened in a PM?

Re: Anti-bot events today 12-19

Kevin_T600 — Thu, 20 Dec 2018 01:41:31 GMT

sent a message:

As an update, it appears all of the events are trying to go to the same destination:

ord30s26-in-f238.1e100.net (216.58.192.238)

That appears to be a google hosted site, and virus total has it checked as clean. Not sure why Endpoint is flagging that activity, looks like a false positive, but trying to verify that.

Re: Anti-bot events today 12-19

PhoneBoy — Thu, 20 Dec 2018 05:19:19 GMT

Can you post a screenshot of the blocks you're seeing?

Re: Anti-bot events today 12-19

Kevin_T600 — Thu, 20 Dec 2018 12:07:29 GMT

Turns out it was indeed a false positive, that impacts all version of the clients. Will be fixed in version 80.90 I guess. The fix I was given was to update all the clients to that version whenever it come out.

Apparently R&D found out about it yesterday afternoon, sadly that didn't get shared with support or Incident Response until overnight.

Re: Anti-bot events today 12-19

PhoneBoy — Thu, 20 Dec 2018 17:55:53 GMT

I was told the same thing through my contacts.