[Bug] Suspicious Remote Process Suspend Activity #42
Comments
FideliusFalcon
added
behavior
|
@FideliusFalcon thank you for reporting this, we are already aware of this false positive (and others related to 3rd party crash handlers that causes the remote suspension of a thread or process in order to handle the crash). we have planned updates next week (Sep 17 Tuesday), for now you can create an endpoint exception :
I will update this issue once updates are out. |
Samirbous
added
Tuning
|
@FideliusFalcon updates went out yesterday, excluding crashpad and similar by hash and by path dcb4263#diff-0caf8834d6aace920ee789e0ffab641280ca68b8e86e61df8e2fbe942e1cf417R82 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
We have started seeing false positives for this rule, by crashpad_handler.exe where target.process.entity_id is the same as process.entity_id - We experience this from different software, on different hosts. I don't know why we suddenly started seeing these, nor do I know if this is normal behavior of crashpad_handler.exe
I have attached the alert.json output of one of the alerts
Desktop (please complete the following information):
The text was updated successfully, but these errors were encountered: