Knowledge Base

Yes

Environment

PSC Console: December 19' Release

Symptoms

When selecting the December 2nd 2019 TAU-TIN Death Ransomware threat query link from the main console page too many process_name:WMIC results are returned that do not match the correct process_cmdline:shadowcopy OR process_cmdline:delete

Cause

The linked search query has missing parenthesis that cause the required process_cmdlines to not be evaluated correctly

Resolution

While we work to fix this in the console a workaround is available by using the search below:

(((process_cmdline:vssadmin.exe OR process_cmdline:vssadmin) AND (process_cmdline:shadows process_cmdline:delete process_cmdline:\/quiet)) OR ((process_cmdline:wmic OR process_cmdline:wmic.exe) AND (process_cmdline:shadowcopy OR process_cmdline:delete)))

Knowledge Base

PSC Console: TAU-TIN Death Ransomware Query Incorrect Results

PSC Console: TAU-TIN Death Ransomware Query Incorrect Results

Environment

Symptoms

Cause

Resolution

Related Content

Audit and Remediation

Carbon Black Cloud

Endpoint Standard

Enterprise EDR

Managed Detection

Knowledge Base

PSC Console: TAU-TIN Death Ransomware Query Incorrect Results

PSC Console: TAU-TIN Death Ransomware Query Incorrect Results

Environment

Symptoms

Cause

Resolution

Related Content

Audit and Remediation

Carbon Black Cloud

Endpoint Standard

Enterprise EDR

Managed Detection

Thank you for your feedback.

Thank you for your feedback.