Closed logdumpster closed 10 months ago
Can either add a second check for the path or just ignore this as it probably doesn't matter that much
Thank you for bringing this to my attention. I will initially leave this issue open, as the auto-blocking feature is designed to check only actively running processes. It appears that C:\Windows\System32\sfc.exe is not commonly used as a long-term running process.
However, I do recognize the possibility of a process name collision. Should I receive more reports of similar cases, I will consider updating the code to include the additional checks (e.g., check full path for key words or check if the process is antimalware protected process light).
The Cisco Secure Endpoint agent runs as sfc.exe, which is also the process name of the Windows filesystem checker. I'm not sure if this would cause issues but it would at least cause the program to incorrectly identify the host as running Cisco Secure Endpoint.
Default path: C:\Program Files\Cisco\AMP\X.X.X\sfc.exe (X.X.X denotes the version number)