10 Replies Latest reply on Sep 29, 2017 3:50 PM by virken

    RealProtect: high false positive rate

    wyrm

      I am seeing a very high false positive rate using RealProtect in ENS 10.5.x.  In the past 3 months, I've received 46 Real Protect Cloud detections.  Of those detections, 36 were false positives.  In the previous months, it was worse.

      We use LANDesk to remotely deploy applications in our environment.  We'll use packers to bundle applications & patches (such as WinRAR or LANDesk package builder), and a lot of the .exe's we create get detected as "known malicious."  How can application packages with file hashes that McAfee has NEVER SEEN have a reputation of "Known Malicious"?  I could understand "Might be Malicious" but not "known malicious."

      In our case, we'll create a self-extracting executable that extracts our install packages; it'll run a script (typically a batch file), which runs the extracted files to perform an installation.

      So when LANDesk creates an .exe on the remote endpoint and executes it, it'll generally get flagged by RealProtect.

      We do not have TIE in our environment and there is no current way to create exceptions for RealProtect via policy (I put in a product enhancement request for RealProtect exceptions).  TIE is not an option for us (which includes Active Response in their new licensing tier) because we're about to implement a competing EDR product... plus, our account rep wanted to charge us $1M/year for TIE/MAR... never going to happen.

      I'm not sure what to do at this point.  Running GetClean for every application bundle our support staff creates is not an option.

      I wish ENS & RealProtect could determine if the application packages were coming from the Internet vs. the local internal network and put less weight/heuristics on internal files, or allow me to create trust rules for install packages originating from a specific network folder where we store our install packages.

      Does anyone else have frustrations with RealProtect & false positives?