1 Reply Latest reply on Apr 18, 2013 5:25 AM by Attila Polinger

Detecting False Positives in Threat Events

Hello,

I'm currently experiencing a high number of threat events on various client computers.

A lot of these threats are supposedly trying to terminate the McAfee process, but due to the sheer number of threats, it seems unlikely they are all legitimate.

I'm wondering if there is an easy way to detect whether a threat is legitimate or not before checking a client's computer and potentially wasting their and my time.

Any help is appreciated.

• 1. Re: Detecting False Positives in Threat Events
  Attila Polinger

  Hello,

  I'd consider the following practice useful (although not an easy one): create a query which is in a multiple-level table format and filter it according to the desired Access Protection rule. When running the query, you'll have all the processes for which the rule has triggered (and possibly you can see how many times; the number of times is also a suspicion factor depending on the query interval).

  Now it needs some human intelligence and investigation, but roughly you could see which processes are most suspicious and which are likely not.

  I would consider such suspicious processes to be like svchost.exe, lsass.exe, etc., all that are Windows system processes, or even other processes that, as shown, reside in a very unusual folder (like the Temp folder, a user's folder, etc.). Other processes that seemingly belong to other well-known or unknown applications might be investigated. Some other applications, like management clients, might be considered to be excluded from the rule (after testing whether they really want to terminate).

  You did not specify it, but I assume the rule itself notifies and blocks at the same time.

  Attila

  Message was edited by: apoling on 18/04/13 12:25:50 CEST
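The triage the reply describes (group the Access Protection events by rule and by the process that triggered it, count hits, and pull out the processes that deserve a look first) can be scripted once the events are exported from ePO. The script below is an added illustration, not code from this thread or from McAfee. Its event layout (rule name, path of the source process, host name) is an assumption modelled on a typical threat-event export, the rule names and event rows are constructed sample data, and the folder markers and system-process list are the reply's own hints turned into a simple rule set; the hit and host counts are reported as signals for the human step the reply asks for, not as a verdict on their own.

```python
"""Triage Access Protection threat events by rule and source process.

Added example, not the forum's or McAfee's own code. Event fields are an
assumption: (rule name, full path of the process the rule fired on, host).
"""
from collections import Counter, defaultdict
import ntpath

# Constructed rule names; real rule names come from the ePO query itself.
RULE = "Prevent termination of McAfee processes (constructed name)"
OTHER_RULE = "Prevent modification of McAfee files (constructed name)"

# Constructed sample export: (rule, source process path, host).
SAMPLE_EVENTS = [
    (RULE, r"C:\Windows\System32\svchost.exe", "HOST01"),
    (RULE, r"C:\Windows\System32\svchost.exe", "HOST02"),
    (RULE, r"C:\Users\alice\AppData\Local\Temp\update.exe", "HOST01"),
    (RULE, r"C:\Program Files\MgmtClient\agent.exe", "HOST01"),
    (RULE, r"C:\Program Files\MgmtClient\agent.exe", "HOST02"),
    (RULE, r"C:\Program Files\MgmtClient\agent.exe", "HOST03"),
    (OTHER_RULE, r"C:\Program Files\Backup\backup.exe", "HOST02"),
]

# Windows system process names the reply singles out as suspicious when they
# appear as the process trying to stop the product (list is an assumption).
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "explorer.exe",
}

# Folder fragments the reply calls unusual for a process binary; matched
# case-insensitively as substrings of the full path (assumption).
UNUSUAL_FOLDER_MARKERS = ("\\temp\\", "\\users\\", "\\appdata\\", "\\downloads\\")


def classify_process(path):
    """Return a coarse verdict for one source-process path."""
    name = ntpath.basename(path).lower()
    lowered = path.lower()
    if name in SYSTEM_PROCESS_NAMES:
        return "suspicious: system process name"
    if any(marker in lowered for marker in UNUSUAL_FOLDER_MARKERS):
        return "suspicious: unusual folder"
    return "review: other application"


def summarize(events, rule_filter=None):
    """Build the multi-level table: rule -> process -> hit count, host count.

    rule_filter restricts the table to one Access Protection rule, as the
    reply suggests. Rows within a rule are ordered by hit count, descending.
    """
    hits = defaultdict(Counter)
    hosts = defaultdict(set)
    for rule, process, host in events:
        if rule_filter is not None and rule != rule_filter:
            continue
        hits[rule][process] += 1
        hosts[(rule, process)].add(host)

    rows = []
    for rule, per_process in hits.items():
        for process, count in per_process.most_common():
            rows.append({
                "rule": rule,
                "process": process,
                "hits": count,
                "hosts": len(hosts[(rule, process)]),
                "verdict": classify_process(process),
            })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS, rule_filter=RULE):
        print(f"{row['hits']:>4} hits on {row['hosts']} host(s)  "
              f"{row['verdict']:<34} {row['process']}")
```

With the constructed sample the management client shows up most often and on every host, which is the pattern the reply suggests testing and then excluding from the rule; the svchost.exe and Temp-folder entries are flagged for a visit to the client. In practice the same path with the same process name on many hosts is usually one mis-tuned application, while a single host with a system-process name or an odd folder is the one to check first.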