Insight IDR Alert: True or False Positive?

Hello,

Our system just got the following alerts:

When we searched the hash on Virustotal, we got the information that this hash belongs to the original svchost.exe :

Could you enlighten us about this alert and how and where the intelligence about the file was obtained? We really panicked.

Hi Yener,

This alert is from a community threat. So it’s not from a built-in IDR alert.

These threats are most of the time built by other companies and offered as an opt-in detection.
So in this case someone opted into this ‘Ransomware/Malware/others-Ez’ threat feed that had this svchost.exe hash in its detection.

These detections are not enabled by default; you can find your currently subscribed feeds within Detection Rules > Community Threats.
You also have a button, Threat Community, to view threat feeds from other companies.
If I look at the description of the ‘Ransomware/Malware/others-Ez’ threat feed, I don’t see any information on how this intelligence was obtained, other than that it’s gathered through an API.

I do see that the owner of this feed added this svchost.exe host on Apr 19, 2022 6:00:17 PM through the audit history. But I don’t see any clues in the description on how to contact the owner of this threat feed.


Seems that the owner has removed this svchost hash.


Thank you very much for your information sharing and support Ilyaaz. I guess you have to be selective in community feeds :slight_smile:
