Having issues with Syncro being marked as Ransomware:
Path: \Device\HarddiskVolume3\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe.bak
Command Line Arguments: “C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe”
Process User: NT AUTHORITY\SYSTEM
Signature Verification: NotSigned
Originating Process: services.exe
Initiated By: Agent Policy
Engine: Behavioral AI
Detection type: Dynamic
File Size: 36.64 KB
Threat Id: 1743781101259706758
We have an exception policy for Syncro signed files, but this looks like it’s not signed - how is that possible?
Any suggestions on how to proceed?
Looking at the Threat Info you shared, the file path appears to be altered and not what we’d expect at that directory for the Syncro app:
Specifically, that ‘.bak’ file extension is not an extension we’d expect to see for our Syncro.Service.Runner.exe
Is there a backup service running on this system? If so, this is likely a backup file of our service runner that appears to be stored in such a way where the digital signature is not preserved.
I ran a scan of the Syncro.Service.Runner.exe on my end and I’m seeing that it’s returning undetected for SentinelOne currently, so it appears the issue is isolated to this specific backup file you were alerted on.
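As an added example (not from either post in this thread), here is a PowerShell check an admin can run on the affected machine to compare the flagged .bak with the live service runner. It assumes the paths from the alert above and uses only built-in cmdlets (Get-AuthenticodeSignature, Get-FileHash).

```powershell
# Added example, not Syncro's or SentinelOne's code.
# Compares the signature status and content hash of the live runner
# and the .bak copy that was flagged, so you can see whether the .bak
# is an unmodified copy (same SHA256, same signature) or something else.
$live = 'C:\Program Files\RepairTech\Syncro\Syncro.Service.Runner.exe'
$bak  = "$live.bak"   # the path reported in the alert

function Get-SigningInfo {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Present   = $true
        SizeKB    = [math]::Round($item.Length / 1KB, 2)
        LastWrite = $item.LastWriteTimeUtc
        Status    = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject  # empty when NotSigned
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$results = foreach ($p in @($live, $bak)) { Get-SigningInfo -Path $p }
$results | Format-List

# Authenticode signatures are embedded in the PE, so a byte-for-byte copy
# keeps its signature. Different hashes mean the .bak is not a plain copy
# of the current binary (e.g. an older build left behind by an update,
# or a backup written in a form that dropped the signed bytes).
if ($results.Count -eq 2 -and $results[0].Present -and $results[1].Present) {
    if ($results[0].SHA256 -eq $results[1].SHA256) {
        Write-Output 'The .bak is an identical copy of the live runner.'
    } else {
        Write-Output 'The .bak differs from the live runner; inspect it before excluding it.'
    }
}
```

If the .bak reports NotSigned, a signer-based exception policy will never match it, which is why the alert fired despite the Syncro exclusion; confirm what created the file before deciding whether to remove it or exclude that path.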