These events are getting triggered by the rule ID 333. This issue started after the AMCore release of 4134 and should be fixed in the coming releases.
In order to mitigate the issue for now, disable rule ID 333 from server settings:
-Log on to the ePO console.
-Go to Menu, Configuration, Server Settings.
-Select Adaptive Threat Protection, and select the wanted Security Posture (Productivity, Balanced, or Security).
-Select the checkbox for the Rule ID.
-From the Actions drop-down list, select the wanted option (Enabled, Disabled, or Observe).
This is a workaround only.
We need to work with our labs and see if this is a Real Protect threat or why Real Protect blocks this, or if this is a false positive issue.
We will keep you updated accordingly.
We currently use the "Balanced" setting, and rule ID 333 is in "Observe" mode by default.
Does that make a difference?
I am worried about disabling the rule entirely and not knowing potential threats are occurring. I get less than a handful of these in a day. Many I investigated seem to be machines that were being reimaged.
... but at the same time, I do not know if this alert is blocking anything important from succeeding?
I did some internal testing in our test environments, and a possible factor that caused this is Credential Theft Protection being enabled in the Adaptive Threat Protection policy. This feature was included from the April update.
Kindly refer to the screenshot.
Kindly disable this feature or monitor with observe mode enabled and see if this helps.
This is a short workaround only.
For a detailed investigation, we suggest that customers open an SR and provide us with debug logs enabled for ATP so we can investigate further.
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
We're using ENS ATP 10.7. I've started seeing the same thing from 3 systems in the last few days. The Analyzer method is stated as Real Protect, but there is no file path/process highlighted. Other than the detection, there is no info as to why it occurred?
Detection is as below (identifiers removed):
Events received from managed systems
Adaptive Threat Protection Events