< ciso
brief />
Tag Banner

All news with #endpoint security tag

76 articles

AI coding agents trigger endpoint behavioral detections

🛡️ Sophos analyzed a week of June 2026 telemetry and found AI coding agents like Claude Code, Cursor, and OpenAI Codex frequently trigger behavioral detection rules designed to catch human attackers. The agents perform actions—decrypting browser credentials, enumerating Windows Credential Manager, downloading files via LOLBins, and writing startup scripts—that look like malicious behavior to endpoint engines. While often benign developer automation, these behaviors overlap precisely with attacker techniques and can generate false positives. Sophos recommends scoping rules to agent parents, workspaces, and download reputations while keeping credential access tightly controlled.
read more →

Turner Industries’ secure cloud-first infrastructure

🔒 Turner Industries migrated to ChromeOS, Google Workspace, Chrome Enterprise Premium, and Cameyo to reduce costs and improve security. The shift extended device lifecycles, cut per-device costs by 40–50%, and saved an estimated $700,000 on new hardware plus $600,000 by converting existing devices with ChromeOS Flex. Faster deployments and simplified management freed IT to focus on strategic work while maintaining strong endpoint protection and legacy app access.
read more →

Microsoft named Leader in Forrester Wave 2026

🔒 Microsoft is recognized as a Leader in The Forrester Wave™: Endpoint Management Platforms, Q2 2026, reflecting Intune’s role in connecting identity, security, compliance, and AI governance across endpoints. The report highlights Intune’s cross-platform management, AI-powered Endpoint Privilege Management, and integrated Security Copilot features that enable faster remediation and device onboarding. Forrester also cited Microsoft’s partner strategy and licensing value as factors supporting enterprise adoption.
read more →

macOS XPC Flaw Lets Non‑Root Users Disable EDR/MDM

🔒 A disclosed macOS privilege escalation allows a non-root user to abuse XPC trusted caller caching to invoke privileged helper functions without authentication, impacting multiple EDR and MDM products. XM Cyber found attackers can tamper with a legitimate app to inherit its cached trust and call sensitive methods to unload or disable security agents with minimal forensic traces. Vendors including CrowdStrike and Kandji have issued fixes and mitigations, while XM Cyber released a scanner and will present findings at Black Hat.
read more →

New macOS Biome App.MenuItem Artifact Discovered

🔎 This report details the discovery of a new macOS Tahoe 26 Biome stream, App.MenuItem, which records specific menu selections made by users across the OS. It explains the artifact's location at ~/Library/Biome/streams/restricted/App.MenuItem/local, the SEGB-encapsulated protobuf format, and recommended processing steps using ccl-segb. The article highlights how the stream reconstructs user intent and workflow, and notes limitations when menu text is non-descriptive.
read more →

How to disable AI features across major platforms

🛡️ This article provides practical, step-by-step tactics for detecting and disabling built-in AI features in popular enterprise platforms including Microsoft Copilot, Google Gemini, Chrome, and Apple Intelligence. It covers detection via logs and admin consoles, recommended policy settings in Microsoft 365, Group Policy, Chrome Enterprise, Google Workspace, and MDM profiles for Apple, plus network-level blocks and caveats about potential feature breakage. The guidance emphasizes granular controls, SKU management, and layered protections such as NGFW/web-filter rules and application control.
read more →

Microsoft named Leader in 2026 Endpoint Protection

🛡️ For the seventh consecutive time, Microsoft has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection, reflecting customer trust in Microsoft Defender. Defender provides industry-leading EDR backed by global threat intelligence and connects endpoints, identities, email, apps, cloud, and data to enable earlier detection and stronger prevention. Recent advancements include proactive attack disruption, custom telemetry, simplified onboarding, sovereign-ready protection, and agentic endpoint security for local AI agents.
read more →

CypherLoc scareware locks browsers, targets users globally

🔒 Security researchers warn of a new scareware strain, CypherLoc, used in around 2.8 million attacks since early 2026. The campaign starts with phishing that directs victims to a malicious page which only activates when specific URL fragments and cryptographic checks pass. Once triggered, the code forces full-screen browser lockdowns, disables controls, displays fake security warnings and a fraudulent support number, with operators posing as Microsoft support. Barracuda urges anti-phishing, browser and endpoint protections and user education to mitigate the threat.
read more →

25M Alert Analysis: Low-Severity Leads to Missed Breaches

🔍 In a sweeping analysis of 25 million enterprise security alerts, researchers found that nearly 1% of confirmed incidents began as low‑severity or informational alerts, rising to about 2% on endpoints. The dataset included 10 million monitored endpoints, 82,000 forensic endpoint investigations with live memory scans, and 180 million files analyzed. The report shows EDR remediation frequently reports systems as 'mitigated' even when memory forensics reveal active malware, and it documents evolving phishing and cloud persistence tactics that evade legacy triage models.
read more →

Microsoft Agent 365 Now GA: Expanded Agent Controls

🔒 Microsoft announces Agent 365 is generally available, offering a unified control plane to observe, govern, and secure AI agents across endpoints, cloud, and SaaS. The release adds discovery of local and cloud agents (including OpenClaw, GitHub Copilot CLI, and Claude Code) and integrates with Intune and Defender for inventory, policy controls, runtime blocking, and alerting. Agent 365 also introduces Windows 365 for Agents, partner integrations, and licensing via Microsoft 365 E7 or standalone at USD 15 per user per month.
read more →

Microsoft lets admins pick preinstalled Store apps to remove

🛠️ Microsoft expanded its in-box app removal policy for Windows 11 to add a dynamic list that allows IT admins to specify which preinstalled Microsoft Store apps to uninstall by Package Family Name (PFN). The RemoveDefaultMicrosoftStorePackages policy can be applied via Group Policy or a custom OMA-URI for MDM and requires the April 2026 non-security update (Insiders can get it with the March 13, 2026 Dev/Beta builds). Intune support for the dynamic list will arrive in the coming months.
read more →

One in Four Healthcare Organizations Hit by Device Attacks

🏥 A new RunSafe Security index found that 24% of healthcare organizations experienced cyber-attacks affecting medical devices in the past year, with 80% of those incidents causing moderate or significant patient impact, from delayed imaging to interruptions in critical care. The survey of 551 professionals across the US, UK and Germany shows growing integration of security into procurement—82% deploying runtime exploit protection and 84% including cyber requirements in vendor RFPs—yet legacy devices remain a major exposure.
read more →

Endpoint Detection and Response: A Practical Buyer's Guide

🔒 This buyer's guide explains what Endpoint Detection and Response (EDR) is, which core capabilities to expect, and which vendors and solutions are recommended. It highlights EDR features such as real-time behavioral telemetry, deep investigation tools, centralized analytics, and integrations with SIEM, SOAR, firewalls and other security controls. Vendor profiles include CrowdStrike, Microsoft, Palo Alto, SentinelOne, Sophos and Trend Micro, and four practical questions to ask vendors before purchasing are provided.
read more →

Microsoft Trials File Explorer Speed and Performance Boosts

⚡Microsoft is rolling out a set of File Explorer enhancements to Windows 11 Insiders that aim to improve launch speed and overall performance. While implementation details are limited, the company earlier tested optional background preloading to accelerate startup times and offers a toggle to disable that behavior. The update also improves reliability around stopping explorer.exe after closing windows and expands fixes for bright white flashes in dark mode. A new full-screen Xbox mode is available as well; changes are arriving for Release Preview Insiders on Builds 26100.8313 and 26200.8313 (KB5083631).
read more →

Signed Adware Used to Deploy Antivirus-Killing Scripts

🔒 Huntress researchers uncovered a digitally signed adware campaign that deployed SYSTEM‑privilege payloads to disable antivirus protections on thousands of endpoints. The binaries, signed by Dragon Boss Solutions LLC and bundled in browser-like PUPs such as Chromstera and WorldWideWeb, used an Advanced Installer MSI to drop a PowerShell script, ClockRemoval.ps1, which stops services, uninstalls AVs, edits the hosts file and persists via WMI and scheduled tasks. After registering the operator’s unclaimed update domain, Huntress sinkholed infrastructure and observed over 23,500 infected hosts checking in across 124 countries, including hundreds in high-value networks. Administrators are urged to search for specific WMI subscriptions, scheduled tasks, blocked vendor domains in hosts, and processes signed by the publisher.
read more →

Signed Adware Operation Disables Antivirus on 23,000 Hosts

⚠️ Huntress has identified a signed adware operation linked to Dragon Boss Solutions LLC that has disabled antivirus products on approximately 23,565 endpoints worldwide. The campaign leverages a legitimate code‑signing certificate and an MSI update mechanism to deploy a PowerShell payload, ClockRemoval.ps1, which systematically kills, uninstalls and blocks reinstallation of AVs. Targets include Malwarebytes, Kaspersky, McAfee and ESET, and persistence is maintained via scheduled tasks and WMI event subscriptions. Researchers sinkholed an unregistered update domain and observed infections across 124 countries, including universities, utilities and government networks.
read more →

Surge in Brute-Force Attacks Targeting VPN Devices

🔒 Security researchers have observed a sharp rise in brute-force attempts aimed at edge devices, notably SonicWall and Fortinet appliances, with 88% of observed traffic traced to the Middle East. Barracuda reports most attempts failed, often blocked or directed at invalid usernames. The activity peaked between February and March and accounted for 56% of confirmed incidents targeting perimeter devices. Analysts warn these probes increase the risk posed by weak credentials or misconfigurations and urge stronger controls.
read more →

Amazon WorkSpaces Advisor: AI Troubleshooting for VDI

🔍 Amazon WorkSpaces Advisor is an AI-powered troubleshooting assistant for Amazon WorkSpaces Personal. It analyzes WorkSpace configurations, identifies problems, and provides actionable recommendations to restore service and optimize performance. Administrators can use its generative AI insights to streamline investigations, reduce downtime, and proactively maintain virtual desktop infrastructure. The feature is now available in all AWS commercial regions via the WorkSpaces console.
read more →

Hardening Security Consoles: Kaspersky's Linux 16.1

🔒 Kaspersky highlights that security management consoles themselves expand an organization’s attack surface and therefore must be hardened. Kaspersky Security Center Linux 16.1 adopts a secure-by-default model by enabling two-factor authentication for all console access and removing the global option to disable it. Administrators are required to ensure 2FA is configured for users who access the Web Console or use OpenAPI automation before upgrading. Kaspersky also publishes a structured hardening checklist to audit roles and privileges, restrict network access, strengthen encryption, protect APIs, and ensure comprehensive logging and auditing.
read more →

Five Critical Steps to Strengthen Endpoint Security

🔒 Business resilience begins at the endpoint. Drawing on N-able SOC data, the article highlights that over 900,000 alerts were processed between March and December 2025 and that 18% originated from network and perimeter exploits—threats many endpoint-only tools missed. It prescribes continuous asset visibility, standardized secure configurations, automated patching and remediation, EDR for behavioral detection and response, and integrated backup and recovery to minimize downtime.
read more →