Repeated kill notifications for mitigated, resolved item on exclusion list
I got an alert around 4:00 AM this morning about an active threat on one of our endpoints which S1 killed successfully. After investigation, the threat turned out to be a false positive, so I marked it as such (False Positive/Benign in Singularity). I also added the hashes to our exclusion list because it's a software auto-updater we need to run on our endpoints.
Since then, I've gotten 40 notifications about the process being successfully killed. The auto-updater process S1 flagged has now successfully run on this endpoint, so I'm not sure what's happening here. Is it still actively trying to kill the process when it runs even though I've marked it false/benign/resolved/excluded or is this just a weird glitch? In the alert details, the Mitigation tab shows "KILL 40/40 SUCCESS, 40 out of 40 actions completed successfully in under 46491479ms"