SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

Conversationalist

We've been using SM and SentinelOne together for a while and today was the first time this has happened.

VirusTotal seems to indicate that something there is suspicious: https://www.virustotal.com/gui/file/9dd768dda78afcf739ea591a7caf85b6ea9b12f5/detection

I have killed, quarantined, and blacklisted the file for the time being since it is not a feature we use, and I cannot be sure whether the file has or has not been compromised by an outside actor.

Anyone at Cisco able to elaborate on this?

11 REPLIES
Kind of a big deal

Re: SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

Hmm, I'm getting a different SHA1 for it:

aa8b0a5bf46d075c2f85bd54addc1a7af34fd240

So I wonder if yours got tampered with.

Conversationalist

Re: SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

@BrechtSchamp Can you run the m_agent_upgrade.msi and see if the hash changes on the file screenshot-cmd.exe?

My hash is d013700ee02f7461d2e669d84164f97f6e27b032ae60d4b6b1d03c71d558dc8f and it is also alerting as a virus (Trojan Bobik) by Carbon Black.
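The two posts above compare a SHA1 against a SHA256 of the same file name. As an added example (not code from this thread or from Meraki), the Python below computes both digests of a copy of screenshot-cmd.exe and reports which of the values quoted in the thread it matches; the file path is assumed to be passed on the command line, since the agent's install folder is not given here.

```python
import hashlib
import sys
from pathlib import Path

# Hash values exactly as quoted by participants in this thread. They are
# reference points for comparison only, not a vetted allowlist: a match with
# the "unflagged" SHA1 means the copy is byte-identical to that poster's
# file, not that the file has been verified as clean.
THREAD_HASHES = {
    "9dd768dda78afcf739ea591a7caf85b6ea9b12f5":
        "SHA1 from the original poster's VirusTotal link (flagged copy)",
    "aa8b0a5bf46d075c2f85bd54addc1a7af34fd240":
        "SHA1 reported by BrechtSchamp (copy not flagged)",
    "d013700ee02f7461d2e669d84164f97f6e27b032ae60d4b6b1d03c71d558dc8f":
        "SHA256 of the copy flagged as Trojan Bobik by Carbon Black",
}


def digests(data: bytes) -> dict:
    """Return both SHA1 and SHA256 so one copy can be compared against every
    value in the thread, whichever algorithm a poster happened to use."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify(d: dict) -> str:
    """Map a digest pair to the thread value it matches, if any."""
    for algo in ("sha1", "sha256"):
        label = THREAD_HASHES.get(d[algo].lower())
        if label:
            return label
    return "no match with any hash quoted in the thread"


def triage_bytes(data: bytes):
    d = digests(data)
    return classify(d), d


def triage_file(path: str):
    """Hash one copy of screenshot-cmd.exe at a caller-supplied path."""
    return triage_bytes(Path(path).read_bytes())


if __name__ == "__main__":
    # Usage: python triage.py <path-to-screenshot-cmd.exe> [more paths...]
    for p in sys.argv[1:]:
        verdict, d = triage_file(p)
        print(f"{p}\n  sha1   {d['sha1']}\n  sha256 {d['sha256']}\n  {verdict}")
```

Run it against the copy on a flagged endpoint and one on a clean endpoint; differing digests point to a changed binary, identical digests to a detection signature change.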

Kind of a big deal

Re: SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

For me that's not a .msi file. It's a .exe. I tried running it but it fails. "screenshot-cmd.exe" hash unchanged after the failed run.

Conversationalist

Re: SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

My Meraki updates the file MerakiPCCAgent.msi on the Windows clients, then once the file runs it launches m_agent_upgrade.msi which in turn upgraded or installed a different version of screenshot-cmd.exe, which is when it gets flagged as Trojan Bobik.

Kind of a big deal

Re: SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

Seems like the behavior here is different, then. Perhaps support can help out? Maybe your shard is already running a different version of Systems Manager. I'm on shard n248...

Conversationalist

Re: SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

Thanks, will update this page if I find anything out.

New here

Re: SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

Any updates on this? We too are seeing it flagged.

Conversationalist

Re: SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

I haven't been able to find out anything else thus far. I have blacklisted screenshot-cmd.exe until I do. The blacklisting of the file hasn't really affected our ability to manage our endpoints via the MDM.

Kind of a big deal

Re: SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

It's probably just used for this feature:

[screenshot attachment showing the feature]

Conversationalist

Re: SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

We have the same issue. Using Carbon Black. We deleted the file screenshot-cmd.exe located in PCC Agent 3.0.2. We contacted Meraki support and they are aware of this issue.

 

We have discovered that the file works without any issues when processing a screenshot request if we copy an old version of screenshot-cmd.exe to the PCC Agent 3.0.2 folder. I hope this info helps.

Kind of a big deal

Re: SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

That's the "beauty" of modern, machine learning anti-malware solutions. They're simply reacting to some kind of possibly "abnormal" behaviour that processes present. Delivering pictures, especially in the background to some kind of external system, is phishy at best... depending on how you look at it.
