
Detecting False Positives in Threat Events


I'm currently experiencing a high number of threat events on various client computers.

A lot of these threats are supposedly trying to terminate the McAfee process, but due to the sheer number of threats, it seems unlikely they are all legitimate.

I'm wondering if there is an easy way to detect whether a threat is legitimate or not before checking a client's computer and potentially wasting their and my time.

Any help is appreciated.


Re: Detecting False Positives in Threat Events


I'd consider the following practice useful (although not an easy one): create a query which is in a multiple-level table format and filter it according to the desired Access Protection rule. When running the query, you'll have all the processes for which the rule has triggered (and possibly you can see how many times; the number of times is also a suspicion factor, depending on the query interval).

Now it needs some human intelligence and investigation, but roughly you could see which processes are most suspicious and which are likely not.

I would consider suspicious processes to be ones like svchost.exe, lsass.exe, etc., i.e. all that are Windows system processes, or even other processes that, as shown, reside in a very unusual folder (like the Temp folder, a user's folder, etc.). Other processes that seemingly belong to other well-known or unknown applications might be investigated. Some other applications, like management clients, might be considered for exclusion from the rule (after testing whether they really want to terminate).

You did not specify it, but I assume the rule itself notifies and blocks at the same time.


Message was edited by: apoling on 18/04/13 12:25:50 CEST
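As an added illustration (not part of the original thread), here is a Python script that applies the triage described in the reply to a constructed, ePO-style CSV export of Access Protection events: the column names, hosts, paths and rule name are all assumed sample data, and the extra system process names beyond svchost.exe and lsass.exe are additions.

```python
import collections
import csv
import io
import re

# Constructed sample of Access Protection events in an ePO-style CSV export.
# Column names, hosts, paths and the rule name are assumed for this example.
SAMPLE_EVENTS = """host,rule,process
PC-01,Prevent termination of McAfee processes,C:\\Windows\\System32\\svchost.exe
PC-02,Prevent termination of McAfee processes,C:\\Windows\\System32\\svchost.exe
PC-03,Prevent termination of McAfee processes,C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe
PC-03,Prevent termination of McAfee processes,C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe
PC-04,Prevent termination of McAfee processes,C:\\Program Files\\MgmtClient\\agent.exe
PC-05,Prevent termination of McAfee processes,C:\\Program Files\\MgmtClient\\agent.exe
PC-06,Prevent termination of McAfee processes,C:\\Program Files\\MgmtClient\\agent.exe
PC-07,Prevent termination of McAfee processes,C:\\Program Files\\SomeApp\\someapp.exe
PC-08,Prevent modification of McAfee files,C:\\Windows\\System32\\svchost.exe
"""

# Windows system process names that should never be terminating the AV; the
# reply names svchost.exe and lsass.exe, the others are added here.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# Folders a legitimate program with a reason to stop the AV should not live in.
UNUSUAL_DIRS = re.compile(r"\\(temp|tmp|users\\[^\\]+\\(downloads|desktop|appdata))\\", re.I)


def triage(csv_text, rule):
    """Aggregate one rule's events per process image and attach the suspicion
    factors from the reply: trigger count, host spread, system name, folder."""
    counts = collections.Counter()
    hosts = collections.defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["rule"] != rule:  # one Access Protection rule at a time
            continue
        counts[row["process"]] += 1
        hosts[row["process"]].add(row["host"])
    report = []
    for path, n in counts.most_common():
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name in SYSTEM_NAMES:
            reasons.append("windows system process name")
        if UNUSUAL_DIRS.search(path):
            reasons.append("unusual folder")
        # No red flag: a known app on many hosts is an exclusion candidate, after testing.
        verdict = "suspicious" if reasons else "review"
        report.append({"process": path, "events": n, "hosts": len(hosts[path]),
                       "reasons": reasons, "verdict": verdict})
    return report
```

Running `triage(SAMPLE_EVENTS, "Prevent termination of McAfee processes")` lists agent.exe first (3 hosts, no red flag, so an exclusion candidate to test), and flags svchost.exe by name and the Temp-folder update.exe by location.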