Enterprise Standard: Ransomware Alerts with svchost

Article ID: 291444

Updated On: 04-27-2023

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

The following alerts or events reporting "ProfSvc attempted to modify a User Document" are generated in the Web Console.

Example:

The application c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc attempted to modify a User Document <extension> in the <path> directory. 
The operation was blocked and the application terminated by Cb Defense.
Where <path> is a Windows folder path and <extension> is a file extension (for example .xls, .ppt, or .jpg).

Environment

  • Enterprise Standard (Cb Defense) Sensor: 3.1.x and above
  • Carbon Black Cloud Web Console: All Versions
  • Microsoft Windows: All Supported Versions

Cause

These events can appear when svchost.exe, running as the host process for ProfSvc (the Windows User Profile Service), attempts to modify a file whose type or location is protected by a Blocking and Isolation rule in the Enterprise Standard prevention policy. Because ProfSvc legitimately reads and writes files inside user profile directories, the sensor can classify that write activity as an attempt to modify a User Document.

Resolution

First confirm that the observed behavior is not malicious by reviewing the events on the Investigate page: the reported image should be the genuine c:\windows\system32\svchost.exe with the command line -k netsvcs -p -s ProfSvc, launched by services.exe, and the modified files should be located in a user profile path. A file named svchost.exe running from any other directory, or one not signed by Microsoft, should be investigated rather than dismissed. Once the activity is confirmed benign, select the alerts in the console, click the Dismiss button, and check the option to automatically dismiss the alert from all devices.
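The following PowerShell checks are an added example and are not part of the KB article or the Carbon Black product. Run elevated on the endpoint that raised the alert, they locate the svchost.exe instance hosting ProfSvc and report whether its image path, parent process and Authenticode signature match what is expected of the legitimate User Profile Service host before the alert is dismissed.

```powershell
# Added example (not from the KB article): verify the svchost.exe instance that
# hosts ProfSvc before dismissing a "ProfSvc attempted to modify a User Document" alert.
# Assumes an elevated PowerShell session on the affected Windows endpoint.

$svc = Get-CimInstance Win32_Service -Filter "Name='ProfSvc'"
if (-not $svc) { throw 'ProfSvc (User Profile Service) is not registered on this host.' }
if ($svc.ProcessId -eq 0) { throw 'ProfSvc is not running; nothing to inspect.' }

# The service's hosting process and its parent (should be services.exe for a real service host).
$proc   = Get-CimInstance Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
$parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($proc.ParentProcessId)"

# Expected image: the svchost.exe shipped in the system directory.
$expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Authenticode check on the image actually executing; a genuine svchost.exe is Microsoft-signed.
$sig = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath

[pscustomobject]@{
    ServicePathName    = $svc.PathName                      # registry-configured command line
    ProcessId          = $svc.ProcessId
    ImagePath          = $proc.ExecutablePath
    ImageIsExpected    = ($proc.ExecutablePath -ieq $expectedImage)
    CommandLine        = $proc.CommandLine                  # expect: svchost.exe -k netsvcs -p -s ProfSvc
    ParentProcess      = "$($parent.Name) (PID $($parent.ProcessId))"
    ParentIsServices   = ($parent.Name -ieq 'services.exe')
    SignatureStatus    = $sig.Status                        # expect: Valid
    Signer             = $sig.SignerCertificate.Subject
} | Format-List
```

If ImageIsExpected or ParentIsServices is False, or SignatureStatus is anything other than Valid, treat the alert as a genuine detection and continue the investigation instead of dismissing it.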

Additional Information