April 23rd, 2021 07:00

"dsapi.exe" and "BDBICExtractor.exe" causing security alerts across multiple tools

Hi all,

I'm a security analyst, and over the last 24 hours we have received multiple high-severity security alerts for both of the files "dsapi.exe" and "BDBICExtractor.exe", across platforms such as SentinelOne, Carbon Black and Cisco AMP.

After some analysis of the file hashes and their behaviors, the activity does not appear to be anything obviously malicious; however, the latter file (BDBICExtractor) was flagged numerous times in VirusTotal, with the community page also signifying concerns. See https://www.virustotal.com/gui/file/62a8ef2ab3af3d1ed3b5db9a90df839299c6ab7effbce2fc88cc5430bc4d744d/community

Understandably, the threat intelligence these products share is public and possibly a big false positive, but I just wanted to bring it to Dell's, and other users', attention just in case.

If anyone has any insight on this, your help would be greatly appreciated.

April 26th, 2021 07:00

It appears it was due to incorrect file attributes.

<ADMIN NOTE: Broken link has been removed from this post by Dell>

April 23rd, 2021 08:00

As a SentinelOne user, we've noticed the propagation of this file throughout our network (all Dells). While comforted some by the chatter that it is benign and the fact that only a handful of endpoint protection vendors are picking this up, it seems odd that it has incrementally alerted for each instance since around 13:30 on 4/22/21 (almost like a spread). If this is a Dell foul-up in signatures/distribution, a formal notification would ease the minds of many admins right about now.

April 26th, 2021 08:00

Whew! Thanks for acknowledging the mishap, Dell.

<ADMIN NOTE: Broken link has been removed from this post by Dell>