KES 11.0.6499 Windows 10 suspect false positive


Hello, I'm after some advice. We use KES 11.0.6499 pf5101 on our estate of around 800 Windows 10 devices. We also use this alongside Windows Defender Advanced Threat Protection. We have an instance of one device triggering a suspected false positive. This tends to happen without user intervention, i.e. this threat occurred outside of office hours when the user had simply logged off the machine and left it turned on for the day. I'm wondering if someone can confirm or provide clarification on this alert. Any advice would be appreciated.

Event type: A backup copy of the object was created
Application\Name: Windows Defender Advanced Threat Protection Service Executable
Application\Path: C:\Program Files\Windows Defender Advanced Threat Protection\
Application\Process ID: 4348
User: F4\xxxx (Active user)
Component: File Threat Protection
Result\Description: Backup created
Result\Type: Adware
Result\Name: not-a-virus:HEUR:AdWare.Script.SearchExt.gen
Result\Threat level: Medium
Result\Precision: Partially
Object: C:\Users\xxxx\AppData\Local\Temp\7745a4f1-50e3-42fa-a4f0-3cda56888e0c.tmp
Object\Type: File
Object\Path: C:\Users\xxxx\AppData\Local\Temp\
Object\Name: 7745a4f1-50e3-42fa-a4f0-3cda56888e0c.tmp
Hash: 94ba1af36e29fd4775e113a2e75dc3ed9e481695e067d967ad96daa2fb860b1a
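As an added example (not code from the thread or from Kaspersky), a small Python parser for the flattened KES event record above, followed by a triage pass over the fields that decide whether a hit like this is a review candidate or needs escalation: the not-a-virus/HEUR verdict prefix, the partial precision, the Temp location, and the SHA-256 you would submit for a verdict re-check. The field list and the sample record are assumed from the post.

```python
import re

# Field names KES prints for this event type; a backslash separates group and field (assumed list).
KEYS = [
    "Event type", "Application\\Name", "Application\\Path", "Application\\Process ID",
    "User", "Component", "Result\\Description", "Result\\Type", "Result\\Name",
    "Result\\Threat level", "Result\\Precision", "Object", "Object\\Type",
    "Object\\Path", "Object\\Name", "Hash",
]
_KEY_ALT = "|".join(re.escape(k) for k in sorted(KEYS, key=len, reverse=True))
# A value runs until the next "<key>: " token or the end of the record.
_FIELD_RE = re.compile(rf"(?P<key>{_KEY_ALT}): (?P<val>.*?)(?=\s(?:{_KEY_ALT}): |$)", re.S)

def parse_kes_event(text: str) -> dict:
    """Split a flattened KES event record into a {field: value} dict."""
    return {m.group("key"): m.group("val").strip() for m in _FIELD_RE.finditer(text)}

def triage(event: dict) -> dict:
    """Flag what an analyst checks before treating a hit as a false positive."""
    name = event.get("Result\\Name", "")
    flags = {
        # "not-a-virus:" is Kaspersky's prefix for adware/riskware classes, not malware.
        "riskware": name.startswith("not-a-virus:"),
        # "HEUR:" marks a heuristic verdict rather than an exact signature match.
        "heuristic": ":HEUR:" in name or name.startswith("HEUR:"),
        "precision_partial": event.get("Result\\Precision", "").lower() == "partially",
        "temp_file": "\\appdata\\local\\temp\\" in event.get("Object\\Path", "").lower(),
        # A well-formed SHA-256 is what you submit for a verdict re-check or hunt across the estate.
        "sha256_wellformed": re.fullmatch(r"[0-9a-f]{64}", event.get("Hash", "").lower()) is not None,
    }
    # Heuristic riskware on a transient file is a review candidate; a malware-class name escalates.
    flags["verdict"] = "review" if flags["riskware"] and flags["heuristic"] else "escalate"
    return flags

# Constructed sample: the record from the post above, flattened as the forum renders it.
SAMPLE_EVENT = (
    "Event type: A backup copy of the object was created "
    "Application\\Name: Windows Defender Advanced Threat Protection Service Executable "
    "Application\\Path: C:\\Program Files\\Windows Defender Advanced Threat Protection\\ "
    "Application\\Process ID: 4348 User: F4\\xxxx (Active user) Component: File Threat Protection "
    "Result\\Description: Backup created Result\\Type: Adware "
    "Result\\Name: not-a-virus:HEUR:AdWare.Script.SearchExt.gen "
    "Result\\Threat level: Medium Result\\Precision: Partially "
    "Object: C:\\Users\\xxxx\\AppData\\Local\\Temp\\7745a4f1-50e3-42fa-a4f0-3cda56888e0c.tmp "
    "Object\\Type: File Object\\Path: C:\\Users\\xxxx\\AppData\\Local\\Temp\\ "
    "Object\\Name: 7745a4f1-50e3-42fa-a4f0-3cda56888e0c.tmp "
    "Hash: 94ba1af36e29fd4775e113a2e75dc3ed9e481695e067d967ad96daa2fb860b1a"
)
```

Running `triage(parse_kes_event(SAMPLE_EVENT))` on the record above yields `verdict: review` with every flag set, which matches the thread's outcome of treating it as a riskware hit to investigate rather than a confirmed infection.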

Hello! First of all, you need to check the target host for advertising applications and browser extensions. Thank you!
Hello, I believe that the most likely culprit was that the user was synchronising their personal Google account with Google Chrome. We're in the process of initiating a full scan after disabling it and will update further if there are any known issues. Thanks,