4 Replies Latest reply on Mar 25, 2015 7:11 AM by vinoo

    GetSusp and False/Positives


      Hi all,

      actually we are unsing GetSusp at a customer with more than 10000 endpoints. The systems are tagged if there is one malware event. Afterwards GetSusp is started using EPO.


      If there is an false/positives, what should i do? Where i can report the false/positives??



        • 1. Re: GetSusp and False/Positives
          Vinod R

          If you still awaiting an answer let me know will alert someone with knowledge on EPO side of it.. but if its a FP usually the process is same across the board, you submit via myportal.. but let's hold on for an expert to comment

          • 2. Re: GetSusp and False/Positives

            If it's just unknown files being reported by GetSusp, - then run GetClean on a couple of clean images to mass whitelist the files in the customer environment. Post this, the noise from GetSusp scans should significantly reduce.



            If it's actual false positives (assumed_dirty, Trojan, Virus, Pup) being reported on files that you know are clean escalate to McAfee Labs via the usual support channels.

            • 3. Re: GetSusp and False/Positives

              Hi vinoo,

              actually the endpoints are spreaded around the world. Therefore we are using GetSusp with EPO.

              There is no change, many files are still reported as malware and a extra.dat file is sent to me. I sent many of this reports to support, still no change.


              Is there an EPO version of GetClean available?



              • 4. Re: GetSusp and False/Positives

                We intentionally don’t provide an ePO version of GetClean as this tool is not meant to be mass deployed but only run on GOLD COE images or clean file repositories.