4 Replies Latest reply on Jan 11, 2017 3:32 AM by peter.mason

    What Does the Result "Inconclusive" Mean in Threat Analyzer?

    bperez

      Recently we migrated to version 7.1.3.5 of NSM, and the Threat Manager shows the result column as "inconclusive"; KB56436 does not have that description.

       

      Any suggestions?

       

      Regards.

       

      Bernardo.

        • 1. Re: What Does the Result "Inconclusive" Mean in Threat Analyzer?
          bperez

          That's the response from Support T1:

           

          • Attack Successful: the attack was either successful or possibly successful. To easily find out if high-severity attacks have been successful, create a drill down alert result status for High Severity > Inbound > Successful.

          Keep this window open to know immediately when there is an attack that requires your immediate attention.

           

          • Inconclusive: the result of the attack is not known. This is most likely due to a generic policy, such as the Default or All-Inclusive policy where the policy rules are not environment specific. For example this may be the result if an attack occurs against an irrelevant node.

           

          • Attack Failed: the attack had no impact.

           

          • N/A: the alert was raised for suspicious, but not necessarily malicious, traffic. This result is common for Reconnaissance attacks due to the nature of port scanning and host sweeping.

           

          • Attack Blocked: attacks blocked by a "Drop packets" Sensor response.

           

          • DoS Blocking Activated: applies to DoS traffic and indicates that the Sensor has identified traffic that is suspicious in nature that is exceeding its learned threshold or is not recognized based on its profile. The Sensor has started blocking unknown traffic, while attempting (on a packet-by-packet basis) to block only DoS traffic from a trusted source. The Sensor attempts to allow legitimate traffic to flow from the trusted source. Because of the nature of DoS attacks, one cannot be certain that 100% of bad traffic was blocked, nor that 100% of 'good' traffic was permitted. For a more in-depth description of McAfee Network Security Platform's DoS handling, see Denial of Service in the McAfee Network Security Platform IPS Administration Guide.

          • 2. Re: What Does the Result "Inconclusive" Mean in Threat Analyzer?

            Inconclusive was previously labeled "unknown" in prior releases. They changed it to be more clear in 7.1.

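As an added example that is not part of this thread or of any McAfee tool, here is a small Python triage helper that applies the result meanings from the support reply in reply 1 (and the "unknown" to "Inconclusive" rename noted in reply 2) to a constructed set of alert records; the CSV layout, field names and action labels are assumptions for this example, not the NSM export format.

```python
from collections import defaultdict

# Meaning of each result value, per the support reply quoted in this thread.
# The action labels are an assumption for this example, not NSM terminology.
RESULT_ACTION = {
    "Attack Successful": "investigate",    # successful or possibly successful
    "Inconclusive": "tune-policy",         # outcome unknown; generic policy likely
    "Attack Failed": "informational",      # no impact
    "Attack Blocked": "informational",     # dropped by a "Drop packets" response
    "DoS Blocking Activated": "monitor",   # not all bad/good traffic is certain
    "N/A": "review-recon",                 # suspicious but not necessarily malicious
}

# Constructed sample alerts; the CSV layout (time,severity,direction,result,
# dest,attack) is an assumption, not the NSM export format.
SAMPLE_ALERTS = """\
2017-01-10T09:12:01,High,Inbound,Attack Successful,10.0.0.5,Exploit A
2017-01-10T09:13:44,High,Inbound,Inconclusive,10.0.0.7,Exploit B
2017-01-10T09:14:02,Low,Inbound,N/A,10.0.0.9,Port Scan
2017-01-10T09:15:30,High,Outbound,Attack Successful,10.0.0.5,Exploit C
2017-01-10T09:16:11,Medium,Inbound,Attack Blocked,10.0.0.8,Exploit D
2017-01-10T09:17:00,High,Inbound,Unknown,10.0.0.3,Exploit E
"""

def parse_alerts(text):
    """Parse the constructed CSV layout into a list of dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sev, direction, result, dst, name = line.split(",", 5)
        alerts.append({"time": ts, "severity": sev, "direction": direction,
                       "result": result, "dst": dst, "attack": name})
    return alerts

def needs_immediate_attention(alert):
    """The High Severity > Inbound > Successful drill-down from the reply."""
    return (alert["severity"] == "High" and alert["direction"] == "Inbound"
            and alert["result"] == "Attack Successful")

def triage(alerts):
    """Group alerts into the immediate queue and per-result action buckets."""
    buckets = defaultdict(list)
    for a in alerts:
        if needs_immediate_attention(a):
            buckets["immediate"].append(a)
            continue
        # Releases before 7.1 labelled Inconclusive as "unknown"; treat alike.
        result = "Inconclusive" if a["result"] == "Unknown" else a["result"]
        buckets[RESULT_ACTION.get(result, "unrecognized")].append(a)
    return buckets
```

The "tune-policy" bucket collects the Inconclusive alerts, which the support reply attributes to generic policies, so it doubles as a list of signatures worth making environment specific.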
            • 3. Re: What Does the Result "Inconclusive" Mean in Threat Analyzer?
              dotax

              I happened to come across this old thread when I googled for this attack result.

              I wonder how the IPS is able to determine the result of "inconclusive", "attack successful" or "attack failed" for a list of attacks under an IPS Policy where all responses were set to "Send Alert to Manager" only. Since the IPS is not able to know the details of the node behind it, how is it able to determine whether it is successful, failed, or no result?

              • 4. Re: What Does the Result "Inconclusive" Mean in Threat Analyzer?
                peter.mason

                Hi Dotax,

                 

                Have a look at the section on Alert Relevance in the Network Security Platform IPS Admin Guide; it gives some explanation of how these results are calculated.

                 

                https://kc.mcafee.com/agent/index?page=content&id=KB76064

                 

                Regards

                 

                Peter