Having issues with Syncro being marked as Ransomware:
Threat Info:
Path: \Device\HarddiskVolume3\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe.bak
Command Line Arguments: "C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe"
Process User: NT AUTHORITY\SYSTEM
Signature Verification: NotSigned
Originating Process: services.exe
SHA1: eb342ac9f2214424c7aafe63aabb56608932367c
Initiated By: Agent Policy
Engine: Behavioral AI
Detection type: Dynamic
Classification: Ransomware
File Size: 36.64 KB
Storyline: F9C4C6C0DFC146BE
Threat Id: 1743781101259706758
We have an exception policy for Syncro-signed files, but this looks like it's not signed - how is that possible?
Any suggestions on how to proceed?
Looking at the Threat Info you shared, the file path appears to be altered and not what we’d expect at that directory for the Syncro app:
\Device\HarddiskVolume3\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe.bak
Specifically, that '.bak' file extension is not an extension we'd expect to see for our Syncro.Service.Runner.exe.
Is there a backup service running on this system? If so, this is likely a backup file of our service runner that appears to be stored in such a way that the digital signature is not preserved.
I ran a scan of the Syncro.Service.Runner.exe on my end and I'm seeing that it's returning undetected for SentinelOne currently, so it appears the issue is isolated to this specific backup file you were alerted on.
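A quick way to confirm the diagnosis above on the affected host is to compare the live service runner with the flagged .bak copy: check whether each carries an Authenticode signature, and whether the .bak is even the same binary. The script below is an added example for this thread, not code from Syncro or SentinelOne. It assumes the paths and the SHA1 from the alert as posted; the helper name `Compare-SyncroRunnerCopies` is hypothetical.

```powershell
# Added example: compare the live Syncro runner with the .bak copy that was
# flagged, reporting signature status, size and SHA1 for each, plus a verdict.
function Compare-SyncroRunnerCopies {
    param(
        # Paths taken from the alert in the thread; adjust if the install differs.
        [string]$Dir       = 'C:\Program Files\RepairTech\Syncro',
        [string]$LiveName  = 'Syncro.Service.Runner.exe',
        [string]$BakName   = 'Syncro.Service.Runner.exe.bak',
        # SHA1 reported in the alert (from the thread), used to confirm we are
        # looking at the same file the console flagged.
        [string]$AlertSha1 = 'eb342ac9f2214424c7aafe63aabb56608932367c'
    )

    $results = foreach ($name in @($LiveName, $BakName)) {
        $path = Join-Path $Dir $name
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Not found: $path"
            continue
        }
        # Get-AuthenticodeSignature verifies the embedded PE signature regardless
        # of the file extension, so a .bak copy is checked the same way.
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $sha1 = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash.ToLower()
        [pscustomobject]@{
            File      = $name
            SizeKB    = [math]::Round((Get-Item -LiteralPath $path).Length / 1KB, 2)
            SHA1      = $sha1
            SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            MatchesAlert = ($sha1 -eq $AlertSha1.ToLower())
        }
    }

    $results | Format-Table -AutoSize

    $live = $results | Where-Object File -eq $LiveName
    $bak  = $results | Where-Object File -eq $BakName
    if ($live -and $bak) {
        if ($live.SHA1 -eq $bak.SHA1) {
            Write-Host "Verdict: .bak is a byte-identical copy of the live runner (signature state must match)."
        } elseif ($bak.SigStatus -ne 'Valid' -and $live.SigStatus -eq 'Valid') {
            Write-Host "Verdict: .bak differs from the live runner and is not validly signed;"
            Write-Host "         a signature-based exclusion will not cover it. Identify what wrote it."
        } else {
            Write-Host "Verdict: files differ; review SigStatus and Signer above."
        }
    }
    return $results
}

Compare-SyncroRunnerCopies
```

If the .bak hash matches the SHA1 from the alert but not the live runner, the flagged file is a different build (or a truncated copy) rather than a plain backup of the current service binary, which is worth knowing before deciding between a path-based exclusion and removing the stray file.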