9 Replies Latest reply on Mar 23, 2011 2:03 AM by weak_pig

    How to deal with False Positives

      Hi all, I'm on ePO 4.5 and I'm trying to run a couple of Queries, namely :

       

      - Top 10 Users with Most Detections

      - Top 10 Computers with the Most Detections

      - Top 10 Threats per Threat Category

       

      Every report has a ridiculously high number of false positives (around 13000) versus a low amount of actual threats (around 166).

       

      This screws up my reporting as my superiors are questioning why there are so many false positives.

       

      Is there any way to set the ePO to report only the actual threats and leave out all the false positives?

        • 1. Re: How to deal with False Positives

          Just some info to add: most of my client PCs are on McAfee Agent 4.5 with VSE & Spyware 8.7. A handful of us are on VSE 8.8. All of us are updated with the latest DATs every day.

          • 2. Re: How to deal with False Positives
            JoeBidgood

            Forgive the question, but what makes you think they are false positives? Exactly what is being detected?

             

            Regards -

             

            Joe

            • 3. Re: How to deal with False Positives

              Hi, here is an example of one of the events caught by McAfee that was labelled as "False" under Threat Handled.

               

              The file is a jar file, but there are other file extension variations as well.

               

              I have thousands of these, which McAfee labelled as "Scan Timed Out" or "Unable to scan password protected".

               

               


               

               

              Server ID: itsvcsmcafee

              Event Received Time (UTC): 1/24/11 2:45:54 AM

              Event Generated Time (UTC): 1/24/11 2:22:56 AM

              Agent GUID: 2453201C-8533-4EFC-836F-2E8550284A1D

              Detecting Prod ID (deprecated): VIRUSCAN8700

              Detecting Product Name: VirusScan Enterprise

              Detecting Product Version: 8.7

              Detecting Product Host Name: RAVI_LAMBAH

              Detecting Product IPv4 Address: 10.90.15.114

              Detecting Product IP Address: 0:0:0:0:0:ffff:a5a:f72

              Detecting Product MAC Address: 

              DAT Version: 6234.0000

              Engine Version: 5400.1158

              Threat Source Host Name: _

              Threat Source IPv4 Address: 10.90.15.114

              Threat Source IP Address: 0:0:0:0:0:ffff:a5a:f72

              Threat Source MAC Address: 

              Threat Source User Name: 

              Threat Source Process Name: 

              Threat Source URL: 

              Threat Target Host Name: RAVI_LAMBAH

              Threat Target IPv4 Address: 10.90.15.114

              Threat Target IP Address: 0:0:0:0:0:ffff:a5a:f72

              Threat Target MAC Address: 

              Threat Target User Name: STTC-SIN\ravi_lambah

              Threat Target Port Number: 

              Threat Target Network Protocol: 

              Threat Target Process Name: 

              Threat Target File Path: C:\IBMTOOLS\Updater\jre\lib\security.jar

              Event Category: Malware

              Event ID: 1059

              Threat Severity: Alert

              Threat Name: _

              Threat Type: Virus

              Action Taken: None

              Threat Handled: false

              Analyzer Detection Method: OAS

               

               

               

              Threat Event Descriptions  

               

               

              Event Description: Scan Timed Out

               

               

               

              Host IPS Event Information  

               

               

              This is not an IPS event.    


               

              • 4. Re: How to deal with False Positives
                rackroyd

                They will be saying 'threat handled = false' because they could not be scanned to completion and therefore have not been identified as clean. Their status to the scan is effectively unknown.

                This is either because of the scan timeout or password protection on the file at the time.

                 

                Perhaps you can consider removing event ID 1059 (scan timeout) and/or event ID 1051 (unable to scan password protected) from the event filter so they are no longer sent by clients?

                 

                These are not false positives, because scanning did not actually complete.

                 

                Rgds,

                 

                Rob.

                • 5. Re: How to deal with False Positives

                  Hi Rackroyd. OK, I see. Could you advise the steps on removing event ID 1059 and ID 1051? How do I go about it?

                  • 6. Re: How to deal with False Positives

                    Another thing: because these events were registered in the past (that is, McAfee recorded these events over the past few weeks), my ePO has a high count of events from Jan to Mar.

                     

                    Is there any way, after turning off these event IDs, the past records will be removed? As I will be questioned if I submit my report with a high count of threat events.

                     

                    So it would be a life saver for me if the past events could be 'adjusted' accordingly... (though I doubt it... lol)

                    • 7. Re: How to deal with False Positives
                      JoeBidgood

                      weak_pig wrote:

                       

                      Hi Rackroyd. OK, I see. Could you advise the steps on removing event ID 1059 and ID 1051? How do I go about it?

                       

                      Please see KB 70252 for details on adjusting the event filter settings.

                       

                       

                      weak_pig wrote:

                       

                      Another thing: because these events were registered in the past (that is, McAfee recorded these events over the past few weeks), my ePO has a high count of events from Jan to Mar.

                       

                      Is there any way, after turning off these event IDs, the past records will be removed? As I will be questioned if I submit my report with a high count of threat events.

                       

                      So it would be a life saver for me if the past events could be 'adjusted' accordingly... (though I doubt it... lol)

                       

                      Easy:

                      Create a threat query that returns event ids 1051 and 1059. Then run a Purge Threat Events server task, configured to "purge events by query" using the query you just created.

                       

                      HTH -

                       

                      Joe

                      1 of 1 people found this helpful
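As an added illustration (not code from this thread, from McAfee, or from ePO itself), the Python script below applies Rob's distinction and Joe's query-then-purge step to threat-event records in the same "Key: Value" layout weak_pig pasted above: events with Event ID 1059 or 1051 are counted as "could not scan" rather than as detections, the top-computers list is built from real detections only, and a purge function keeps whatever a "purge events by query" on those two IDs would not match. The event IDs 1059 and 1051 come from the thread; every sample record, host name, user name and file path is constructed, and Event ID 9999 is a placeholder, not a real VSE event ID.

```python
"""Separate genuine detections from unscanned-file events in ePO threat data.

Event IDs 1059 (Scan Timed Out) and 1051 (Unable to scan password protected)
are the IDs discussed in the thread. All sample records below are constructed
for this example; 9999 is a placeholder, not a real VSE event ID.
"""
from collections import Counter

# Events where the scanner never reached a verdict (status unknown, per Rob).
UNSCANNED_EVENT_IDS = {1051, 1059}


def parse_event(text):
    """Parse a 'Key: Value' record (the layout pasted in the thread) into a dict.

    Splits on the first colon only, so IPv6 addresses and Windows paths with
    a drive letter keep their value intact; lines without a colon are skipped.
    """
    event = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            event[key.strip()] = value.strip()
    return event


def event_id(event):
    """Return the numeric Event ID, or 0 when the field is missing or blank."""
    raw = event.get("Event ID", "").strip()
    return int(raw) if raw.isdigit() else 0


def is_unscanned(event):
    """True for events that mean 'could not scan', not 'malicious'."""
    return event_id(event) in UNSCANNED_EVENT_IDS


def split_events(events):
    """Return (detections, unscanned) so reports can count them separately."""
    detections = [e for e in events if not is_unscanned(e)]
    unscanned = [e for e in events if is_unscanned(e)]
    return detections, unscanned


def top_n(events, field, n=10):
    """Top-N style aggregate (e.g. computers or users with the most events)."""
    return Counter(e.get(field, "") for e in events).most_common(n)


def purge_by_event_id(events, event_ids=UNSCANNED_EVENT_IDS):
    """Offline equivalent of 'purge events by query': keep every event that
    a query on 'Event ID in event_ids' would not match."""
    return [e for e in events if event_id(e) not in event_ids]


def _record(host, user, path, eid, name, handled, description):
    """Build a constructed record in the same field layout as the thread."""
    return (
        f"Threat Target Host Name: {host}\n"
        f"Threat Target User Name: {user}\n"
        f"Threat Target File Path: {path}\n"
        f"Event ID: {eid}\n"
        f"Threat Name: {name}\n"
        f"Threat Handled: {handled}\n"
        f"Event Description: {description}\n"
        "This is not an IPS event.\n"
    )


# Constructed sample: three unscannable files and two real detections.
SAMPLE_RECORDS = [
    _record("HOST-A", r"EXAMPLE\alice", r"C:\IBMTOOLS\Updater\jre\lib\security.jar",
            1059, "_", "false", "Scan Timed Out"),
    _record("HOST-A", r"EXAMPLE\alice", r"C:\Temp\archive.zip",
            1059, "_", "false", "Scan Timed Out"),
    _record("HOST-B", r"EXAMPLE\bob", r"C:\Users\bob\Downloads\locked.zip",
            1051, "_", "false", "Unable to scan password protected"),
    _record("HOST-B", r"EXAMPLE\bob", r"C:\Users\bob\Downloads\eicar.com",
            9999, "EICAR test file", "true", "File deleted (placeholder)"),
    _record("HOST-B", r"EXAMPLE\carol", r"C:\Temp\eicar.com",
            9999, "EICAR test file", "true", "File deleted (placeholder)"),
]


def summarize(records=SAMPLE_RECORDS):
    """Counts a manager would want: detections vs. unscanned, totals before and
    after the purge, and a top-computers list built from detections only."""
    events = [parse_event(r) for r in records]
    detections, unscanned = split_events(events)
    return {
        "total_before_purge": len(events),
        "detections": len(detections),
        "unscanned": len(unscanned),
        "total_after_purge": len(purge_by_event_id(events)),
        "top_computers": top_n(detections, "Threat Target Host Name"),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Feeding it exported event records shows the same numbers the ePO query would after the 1051/1059 purge, which is a useful cross-check before running the server task; keeping the unscanned count as its own line also gives superiors a true picture (files the scanner could not inspect) instead of hiding it inside the threat total.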
                      • 8. Re: How to deal with False Positives

                        Can't forget about how the EPO server actually works. Almost every report you see in the EPO server is actually a pre-made query that was included with the EPO server. You can create a query to report just about anything, and modify previous queries through new queries. However, there's about a billion different criteria you can query on, so it can be a bit complex. I know most people probably see the reports as a giant text file hidden away deep within the directories of the server, immutable and inflexible. Some of the programs we have work this way, and if you want to get information out it's just about impossible without an external program. Maybe have a bullet point on the sales site?

                        • 9. Re: How to deal with False Positives

                          Thanks guys. I managed to filter out the event IDs and purge them.