We've been using SM and SentinelOne together for a while and today was the first time this has happened.
VirusTotal seems to indicate that something there is suspicious: https://www.virustotal.com/gui/file/9dd768dda78afcf739ea591a7caf85b6ea9b12f5/detection
I have killed, quarantined, and blacklisted the file for the time-being since it is not a feature we use, and I cannot be sure whether the file has or has not been compromised by an outside actor.
Anyone at Cisco able to elaborate on this?
Hmm I'm getting a different SHA1 for it:
aa8b0a5bf46d075c2f85bd54addc1a7af34fd240
So I wonder if yours got tampered with.
@BrechtSchamp Can you run the m_agent_upgrade.msi and see if the hash changes on the file
screenshot-cmd.exe?
My hash is d013700ee02f7461d2e669d84164f97f6e27b032ae60d4b6b1d03c71d558dc8f and it is also alerting as a virus (Trojan Bobik) by Carbon Black.
For me that's not a .msi file. It's a .exe. I tried running it but it fails. "screenshot-cmd.exe" hash unchanged after the failed run.
My Meraki updates the file MerakiPCCAgent.msi on the windows clients, then once the file runs it launches m_agent_upgrade.msi which in turn upgraded or installed a different version of
screenshot-cmd.exe which is when it gets flagged as Trojan Bobik.
Seems like the behavior here is different then. Perhaps support can help out? Maybe your shard is already running a different version of Systems Manager. I'm on shard n248...
Thanks, will update this page if I find anything out
Any updates on this? We too are seeing it flagged.
I haven't been able to find out anything else thus far. I have blacklist the screenshot-cmd.exe until I do. The blacklisting of the file hasn't really affected our ability to manage our endpoints via the MDM.
It's probably just used for this feature:
We have the same issue. Using Carbon Black. We deleted the file screenshot-cmd.exe located in PCC Agent 3.0.2. We contacted Meraki support and they are aware of this issue.
We have discovered that the file works without any issues when processing a screenshot req if we copy an old version of screenshot-cmd.exe to the PCC Agent 3.0.2 folder. I hope this info helps.
That's the "beauty" of modern, machine learning Anti-Malware solutions. They're simply reacting to some kind of possible "abnormal" behaviour that processes present. Delivering pictures - especially in the background to some kind of external systems is phishy at last...depending on how you're looking at it.