4 Replies Latest reply on Jan 4, 2017 4:20 AM by renehoffmann

    Endpoint Security 10.5 "False Positive Mitigation"

    nathan_2000

      Hello all,


      I'm still testing ENS 10.5 and get some events with the Threat Description "False Positive Mitigation". The action taken is Allowed. I know that this is a new function in ENS 10.5, but does anybody know how this works? Do I get this mitigation only if my system is connected to the internet, or does it also work if the system is offline?

      Regards


      Mike

        • 1. Re: Endpoint Security 10.5 "False Positive Mitigation"
          Troja

          Hello,

          From my information and understanding, the feature works like this.


          The endpoint executes a file which is unknown to the engine. Therefore TIE is queried. There is also some "activity" detected by Adaptive Threat Prevention. But based on the TIE information, the endpoint knows the file is clean.


          Which reputation levels are shown in ePO under TIE Reputations for this file?

          Cheers

          • 2. Re: Endpoint Security 10.5 "False Positive Mitigation"
            nathan_2000

            There is no TIE Server involved, so I can't see any reputation information.

            Falsepositiv_mitigation.JPG

            Cheers

            • 3. Re: Endpoint Security 10.5 "False Positive Mitigation"
              Troja

              How about the ENS 10.5 logs, have you checked them in detail to see if there is some more information?

              Cheers

              • 4. Re: Endpoint Security 10.5 "False Positive Mitigation"
                renehoffmann

                Hello,


                In some cases the client doesn't receive the right reputation for a file (maybe in one out of 1000 requests). Then the local TIE rules will be processed and the client recognizes that this file is a "false positive". Then the client changes the reputation locally so that the system can work fine. You can see this in the TIE debug log:


                12/30/2016 11:49:44.215 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Handling rule 35 : Installation Verification

                12/30/2016 11:49:44.230 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Handling rule 37 : Real Protect Installation Verification

                12/30/2016 11:49:44.230 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Handling rule 239 : Identify suspicious command parameter execution

                12/30/2016 11:49:44.230 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Setting local reputation for (1)C:\WINDOWS\SYSWOW64\CRYPTDLL.DLL = 0

                12/30/2016 11:49:44.230 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Handling rule 11 : Identify that the file is the main component of a trusted installer using the file's certificate reputation

                12/30/2016 11:49:44.230 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Handling rule 10 : Identify that a file is the main component of a trusted installer using the file's reputation

                12/30/2016 11:49:44.230 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Handling rule 12 : Identify that a file is the main component of a trusted installer based on a specific file identified by hash

                12/30/2016 11:49:44.246 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Handling rule 55 : Identify certificates needing reputation correction

                12/30/2016 11:49:44.246 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Gathering cert chains for C:\WINDOWS\SYSWOW64\CRYPTDLL.DLL


                BR

                Rene
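As an added example (not from the thread, and not McAfee's code), here is a small Python parser for lines in the mfetie debug format Rene quoted; it pairs each "Setting local reputation" entry with the rules handled earlier under the same [context] id, so local reputation overrides by False Positive Mitigation can be reviewed after the fact instead of going unnoticed. The regular expressions, field names and the sample lines are assumptions derived only from the quoted log, and the numeric reputation value is reported as-is without interpreting its meaning.

```python
import re

# Constructed sample in the mfetie ReputationBO debug format quoted in the post
# above (a subset of those lines); the "Setting local reputation" line is the
# local override this parser surfaces.
SAMPLE_LOG = r"""
12/30/2016 11:49:44.215 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Handling rule 35 : Installation Verification
12/30/2016 11:49:44.230 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Handling rule 37 : Real Protect Installation Verification
12/30/2016 11:49:44.230 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Handling rule 239 : Identify suspicious command parameter execution
12/30/2016 11:49:44.230 AM   mfetie(3840.3112) <SYSTEM> ReputationBO.REPUTATION.Debug: [0xc28] Setting local reputation for (1)C:\WINDOWS\SYSWOW64\CRYPTDLL.DLL = 0
"""

# Assumed line layout: timestamp, mfetie(pid.tid), <user>, component, [context id], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M)\s+mfetie\((?P<pid>\d+)\.(?P<tid>\d+)\)"
    r"\s+<(?P<user>[^>]+)>\s+ReputationBO\.REPUTATION\.Debug:\s+\[(?P<ctx>0x[0-9a-fA-F]+)\]\s+(?P<msg>.*)$")
RULE_RE = re.compile(r"^Handling rule (?P<rule_id>\d+) : (?P<rule_name>.+)$")
LOCAL_REP_RE = re.compile(r"^Setting local reputation for \((?P<objtype>\d+)\)(?P<path>.+?) = (?P<rep>-?\d+)$")


def parse_tie_debug(text):
    """Turn mfetie debug lines into event dicts; lines in another format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        if r := RULE_RE.match(ev["msg"]):
            ev.update(kind="rule", rule_id=int(r["rule_id"]), rule_name=r["rule_name"])
        elif s := LOCAL_REP_RE.match(ev["msg"]):
            ev.update(kind="local_reputation", path=s["path"], reputation=int(s["rep"]))
        else:
            ev["kind"] = "other"
        events.append(ev)
    return events


def local_overrides(events):
    """For each local reputation change, report which rules were handled earlier
    under the same [context] id, so the override can be traced back to the rules."""
    rules_by_ctx, overrides = {}, []
    for ev in events:
        if ev["kind"] == "rule":
            rules_by_ctx.setdefault(ev["ctx"], []).append(ev["rule_id"])
        elif ev["kind"] == "local_reputation":
            overrides.append({"ts": ev["ts"], "ctx": ev["ctx"], "path": ev["path"],
                              "reputation": ev["reputation"],
                              "rules_before": list(rules_by_ctx.get(ev["ctx"], []))})
    return overrides
```

Running `local_overrides(parse_tie_debug(SAMPLE_LOG))` on the sample yields one override for CRYPTDLL.DLL preceded by rules 35, 37 and 239; pointing the same functions at a full TIE debug log lists every local override on that endpoint.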