KES Advance v11 - MS Teams Cache false positives

[RoyW]

Hi All,

We are running KES Advances V11 and we have a small quantity of users that use Roaming Profiles.

At the end of their sessions, their profiles are transfered to the main file server as is usual.  For the last three days we are now recieving alerts of “cryptor style“ variants due to the files that MS Teams uses for it own caching purposes.   The files are sequentially named f_000XX etc ..

The files are held within the following directory

\\profiles\[username]\AppData\Roaming\Microsoft\Teams\Cache

Does anyone else have this same problem and what would be the correct solution in order to avoid these false positives.

Strangely enough it doesn’t create an alert on the users machine only on the file server.

Cheers

[Kavuser10]

Seems to be quite common. We see this also from time to time. When profile is uploaded to server the endpoint will get blocked by Anti-Cryptor. Haven’t found a good way to deal with it yet so that overall security is not lowered, so we have just put up with it. Anti-Cryptor false positives are annoying though.

We currently have KES 11 on endpoints and Kaspersky For File Servers on servers.