Reviewed the S1 alert. Advanced IP Scanner is a known tool used by our technicians. Checked the timeline on this machine from the date 5/11 and confirmed one of our technicians was on the machine around this time. Marking as a false positive. No further action is required. Closing ticket.
A suspicious, potentially harmful software item was detected and automatically blocked on an endpoint used by user 'LYNDONPC2\Jennifer' (desktop). The alert is rated high severity because the software shows signs of obfuscation that can evade defenses, posing a risk to data and operations. Mitigation actions were successful and the item has been contained. Business impact risk remains moderate while devices and accounts are monitored.
SOC Response Actions
Actions the SOC performed (or attempted). See Use Case #5 and Use Case #6 for further information.

| Action | Status |
| --- | --- |
| LyndonPC2, no full disk scan command was sent. | Not Configured |
| LyndonPC2, endpoint was not isolated from the network. | Not Configured |
Recommended Remediation
[Containment] Isolate host LyndonPC2 (agent UUID 3fc7171f26bd4a859de1e8bf71dfcc32) from network and remove VPN/Wi‑Fi access until remediation is complete.
[Eradication] Remove and securely delete file '\Device\HarddiskVolume3\Users\Jennifer\Downloads\Advanced_IP_Scanner_2.5.3850.exe' and any copies found on the endpoint.
[Eradication] Perform credential actions for user 'LYNDONPC2\Jennifer': force immediate password reset and revoke active sessions and cached credentials.
[Hardening] Validate code signing trust and block publisher 'FAMATECH CORP.' in enterprise application allowlist/denylist if not required by business.
[Hardening] Deploy endpoint IOA/YARA rules or sensor-based prevention to block file hash 87bfb05057f215659cc801750118900145f8a22fa93ac4c6e1bfd81aa98b0a55 and file path patterns for Advanced_IP_Scanner installers.
| Indicator | Verdict | Details | Source |
| --- | --- | --- | --- |
| 87bfb050...a98b0a55 | Malicious | File hash detected by 4 security engines. Classified under the meaningful name Advanced_IP_Scanner_2.5.3850.exe. | Hybrid-Analysis |
| 87bfb050...a98b0a55 | Not Malicious | No malicious engines were detected when the file hash was scanned against known threat indicators. | |

Indicators of Compromise
The threat indicators show that a suspicious process was detected which appears to be packed: its executable has been compressed or encrypted so that its true contents are not visible to static inspection. This technique is often used by malicious software to evade detection and analysis, although legitimate commercial installers use packers as well, so packing alone is not conclusive. The detection by the Static Engine indicates that security measures have flagged this unusual characteristic, raising concerns about potential malicious activity. It is important to investigate this further to confirm the file's origin and ensure the safety and integrity of the system.