SentinelOne just flagged screenshot-cmd.exe as a Trojan on ALL of my endpoints.

SKatMTA
Conversationalist

We've been using SM and SentinelOne together for a while and today was the first time this has happened.

VirusTotal seems to indicate that something there is suspicious: https://www.virustotal.com/gui/file/9dd768dda78afcf739ea591a7caf85b6ea9b12f5/detection

I have killed, quarantined, and blacklisted the file for the time-being since it is not a feature we use, and I cannot be sure whether the file has or has not been compromised by an outside actor.

Anyone at Cisco able to elaborate on this?

BrechtSchamp
Kind of a big deal

Hmm I'm getting a different SHA1 for it:

aa8b0a5bf46d075c2f85bd54addc1a7af34fd240

So I wonder if yours got tampered with.

@BrechtSchamp Can you run the m_agent_upgrade.msi and see if the hash changes on the file screenshot-cmd.exe?

My hash is d013700ee02f7461d2e669d84164f97f6e27b032ae60d4b6b1d03c71d558dc8f and it is also alerting as a virus (Trojan Bobik) by Carbon Black.
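As an added example (not code from the thread or from Meraki), a PowerShell check to run on one endpoint that records the file's hashes, size, timestamp and Authenticode status and reports whether they match any of the hashes posted in this thread; the agent folder path is an assumption and must be adjusted to the endpoint's install location.

```powershell
# Added example (not from the thread): triage check for screenshot-cmd.exe on a Meraki endpoint.
# Assumption: $AgentDir points at the PCC Agent folder on this endpoint; the path below is a placeholder.
param(
    [string]$AgentDir = 'C:\PLACEHOLDER_PATH\PCC Agent 3.0.2'
)

# Hashes quoted in this thread, labelled by who reported them and what their EDR said.
$KnownHashes = @{
    '9dd768dda78afcf739ea591a7caf85b6ea9b12f5'                         = 'SHA1 from the original post (flagged by SentinelOne)'
    'aa8b0a5bf46d075c2f85bd54addc1a7af34fd240'                         = 'SHA1 reported by BrechtSchamp (not flagged)'
    'd013700ee02f7461d2e669d84164f97f6e27b032ae60d4b6b1d03c71d558dc8f' = 'SHA256 reported with the Carbon Black "Trojan Bobik" alert'
}

$file = Join-Path $AgentDir 'screenshot-cmd.exe'
if (-not (Test-Path $file)) { Write-Output "Not present: $file"; return }

$sha1   = (Get-FileHash -Path $file -Algorithm SHA1).Hash.ToLower()
$sha256 = (Get-FileHash -Path $file -Algorithm SHA256).Hash.ToLower()
$sig    = Get-AuthenticodeSignature -FilePath $file
$item   = Get-Item $file

# Record the facts a support or IR ticket should carry: hashes, size, timestamp, signer.
[pscustomobject]@{
    Path         = $file
    SizeBytes    = $item.Length
    LastWriteUtc = $item.LastWriteTimeUtc
    SHA1         = $sha1
    SHA256       = $sha256
    SigStatus    = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
    Signer       = $sig.SignerCertificate.Subject
    VirusTotal   = "https://www.virustotal.com/gui/file/$sha256"
} | Format-List

# Compare against the hashes other users posted so differing endpoints can be told apart.
foreach ($h in @($sha1, $sha256)) {
    if ($KnownHashes.ContainsKey($h)) { Write-Output "Matches thread hash: $($KnownHashes[$h])" }
}
if ($sig.Status -ne 'Valid') {
    Write-Output "Signature status is '$($sig.Status)': compare this copy with one from a known-good endpoint before trusting it."
}
```

Run it before and after executing m_agent_upgrade.msi to see whether the upgrade replaces the binary, and run it on several endpoints to confirm they all carry the same file.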

For me that's not a .msi file. It's a .exe. I tried running it but it fails. "screenshot-cmd.exe" hash unchanged after the failed run.

My Meraki updates the file MerakiPCCAgent.msi on the Windows clients, then once the file runs it launches m_agent_upgrade.msi, which in turn upgraded or installed a different version of screenshot-cmd.exe, which is when it gets flagged as Trojan Bobik.

Seems like the behavior here is different then. Perhaps support can help out? Maybe your shard is already running a different version of Systems Manager. I'm on shard n248...

Thanks, will update this page if I find anything out

Any updates on this? We too are seeing it flagged.

RickKidder
Conversationalist

I haven't been able to find out anything else thus far. I have blacklisted screenshot-cmd.exe until I do. The blacklisting of the file hasn't really affected our ability to manage our endpoints via the MDM.

It's probably just used for this feature:

[attached screenshot of the Systems Manager feature]

We have the same issue. Using Carbon Black. We deleted the file screenshot-cmd.exe located in PCC Agent 3.0.2. We contacted Meraki support and they are aware of this issue.

We have discovered that the file works without any issues when processing a screenshot request if we copy an old version of screenshot-cmd.exe to the PCC Agent 3.0.2 folder. I hope this info helps.

CptnCrnch
Kind of a big deal

That's the "beauty" of modern, machine-learning anti-malware solutions. They're simply reacting to some kind of possible "abnormal" behaviour that processes present. Delivering pictures, especially in the background to some kind of external system, is fishy at least, depending on how you're looking at it.
