
Process name collision for Cisco Secure Endpoint (Formerly Cisco AMP) #3

Closed
logdumpster opened this issue Dec 29, 2023 · 2 comments

Comments


logdumpster commented Dec 29, 2023

The Cisco Secure Endpoint agent runs as sfc.exe, which is also the process name of the Windows filesystem checker. I'm not sure if this would cause issues, but it would at least cause the program to incorrectly identify the host as running Cisco Secure Endpoint.

Default path: C:\Program Files\Cisco\AMP\X.X.X\sfc.exe (X.X.X denotes the version number)

logdumpster (Author) commented

Can either add a second check for the path, or just ignore this as it probably doesn't matter that much.

netero1010 (Owner) commented

Thank you for bringing this to my attention. I will initially leave this issue open, as the auto-blocking feature is designed to check only actively running processes. It appears that C:\Windows\System32\sfc.exe is not commonly used as a long-term running process.

However, I do recognize the possibility of a process name collision. Should I receive more reports of similar cases, I will consider updating the code to include the additional checks (e.g., check the full path for keywords, or check if the process is an antimalware Protected Process Light).
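As an added example (not code from the project or from either commenter), the following Python shows the path check proposed in this thread next to the name-only check: the image name is matched first, and sfc.exe only counts as the Cisco agent when its image path contains the vendor directory from the report. The signature table, the PIDs, the version directory "8.1.5" and the process list are constructed for illustration; only the Cisco path from the report and C:\Windows\System32\sfc.exe come from the issue. The Protected Process Light check is not shown, since it needs Windows-specific process-protection queries.

```python
r"""Name-plus-path matching for EDR process detection (added example).

Not the project's own code. SIGNATURES, SAMPLE_PROCS, the PIDs and the
version directory "8.1.5" are constructed for illustration; only the
vendor path C:\Program Files\Cisco\AMP\<version>\sfc.exe and the colliding
C:\Windows\System32\sfc.exe are taken from the issue report.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    """A running process as a process enumerator would report it."""
    pid: int
    name: str
    # None models a process whose image path could not be read, e.g. an
    # access-denied failure when opening a protected process (constructed case).
    path: Optional[str]


# Hypothetical signature table: image name -> (product, path fragment that
# must appear in the image path for the match to count as verified).
SIGNATURES: Dict[str, Tuple[str, str]] = {
    "sfc.exe": ("Cisco Secure Endpoint", "\\Cisco\\AMP\\"),
}


def _norm(p: str) -> str:
    """Case-insensitive, separator-insensitive form for substring tests."""
    return p.replace("/", "\\").lower()


def match_by_name(procs: List[Proc]) -> Dict[int, str]:
    """Name-only check, the behaviour the report describes.

    Every sfc.exe is reported as the Cisco agent, including the Windows
    System32 sfc.exe when it happens to be running.
    """
    return {
        p.pid: SIGNATURES[p.name.lower()][0]
        for p in procs
        if p.name.lower() in SIGNATURES
    }


def match_by_name_and_path(procs: List[Proc]) -> Dict[int, Tuple[str, bool]]:
    """Name check followed by a path-fragment check.

    Returns {pid: (product, verified)}. verified is False when the name
    matched but the image path was unavailable, so the caller can decide
    whether an unverifiable match should count. Processes whose path is
    readable and lacks the vendor fragment are dropped as collisions.
    """
    hits: Dict[int, Tuple[str, bool]] = {}
    for p in procs:
        sig = SIGNATURES.get(p.name.lower())
        if sig is None:
            continue
        product, fragment = sig
        if p.path is None:
            hits[p.pid] = (product, False)
        elif _norm(fragment) in _norm(p.path):
            hits[p.pid] = (product, True)
    return hits


# Constructed process table (PIDs and the version directory are made up).
SAMPLE_PROCS: List[Proc] = [
    Proc(4120, "sfc.exe", r"C:\Windows\System32\sfc.exe"),               # Windows sfc.exe
    Proc(2288, "sfc.exe", r"C:\Program Files\Cisco\AMP\8.1.5\sfc.exe"),  # Cisco agent
    Proc(3080, "SFC.EXE", None),                                          # path unreadable
    Proc(1000, "explorer.exe", r"C:\Windows\explorer.exe"),              # unrelated
]


if __name__ == "__main__":
    print("name only      :", match_by_name(SAMPLE_PROCS))
    print("name plus path :", match_by_name_and_path(SAMPLE_PROCS))
```

With the constructed table, the name-only check flags all three sfc.exe entries, while the name-plus-path check keeps only the Cisco one as verified and returns the unreadable-path entry with `verified=False` so the caller can fail open or closed. A path fragment is still a heuristic (anyone can create a `Cisco\AMP` directory); where a stronger signal is wanted, the Authenticode signer of the image file is the usual next step.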
