Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
74
Views
0
Helpful
0
Replies

How to investigate high number of alerts for browser cache files

PleaseHelpMe
Level 1
Level 1

‎04-26-2024 04:04 AM

Hi, 

The File Detection category generates a lot of alerts on browser cache with signatures like these:

GT:JS.Hyena.x
GT:JS.Injected.x
Trojan.Generic.x
Trojan.GenericKD.x
Auto.x.in02
W32.x.in12.Talos

Most of the time these files are unique so they won't be on VirusTotal.

Submitting to Cisco's cloud sandbox won't do anything because they don't have any extensions to run with a default program, it's browser AppData. 

The files are in proprietary formats specific to the browser and require forensics tools to parse. Even then these generic signature names don't tell us what it is about the file that is triggering the alert.

Does anyone have reasonable a way to do root cause analysis without going to Cisco TAC? 

Is there a way to see the logic behind these signatures? Or do we know how they work at a higher level, is it looking at strings or binary patterns? 

 

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents