
Application control false positive

Using SEC 5 and Endpoint 10.

I have blocked various applications using the application control feature. But I have noticed that a lot of the clients get false positive alerts in their detection list. This is a result of the weekly scan and it is detecting the likes of telnet and ftp within the winsxs folder and not when they are used, just the mere existence of the application exe. Surely the application control should be for use of applications and not the mere existence?

I don't want to have to manually add exclusions for these exes because they may be worth blocking the use of the application, but as they are standard Windows components I can't remove them. I don't want to add an exclusion for the winsxs folder because some malware hides in that folder.

I really like the application control feature but having all these false positives is kind of annoying. I find false positives in general can be dangerous because a) it prevents people from taking note of real issues and b) it could quarantine valid exe or dll files.

On another note, where do I report false positives for on-access scan? We have a dictation software called WinScribe that recently had a bunch of their dlls quarantined by the on-access scan and I had to add the WinScribe folder to the exclusion list.

File "C:\Program Files\WinScribe\Author\Interop.mscoree.dll" belongs to virus/spyware 'Mal/Generic-L'.



  • In your application control policy, you can enable scanning via OnAccess or via OnDemand/Scheduled scans. You can use one or the other, or both. It sounds like you have both enabled, so I would suggest enabling this feature solely for OnAccess scanning and see if that gives you the behavior you are looking for.

    Regarding suspected false positives, your best bet is to submit a sample to our Labs for analysis. It is possible that a legitimate file has been appended with viral code, or it's possible that the definition was a bit too aggressive. In either case, the Labs can confirm if the file is clean, and if the definition was too aggressive they can revise it so that the file is no longer detected.

  • Thanks for the reply. I will disable app control for the weekly scan; I did not think of that option. A lot of the alerts on the client PCs for applications detected in the weekly scan are just warnings and were not moved or deleted, but they have filled up the quarantine manager. They don't show on the SEC as clearable or acknowledgeable items. Is there a way I can clear these quarantine warnings from SEC?

  • Hi,

    Unfortunately, the endpoint QM can't be cleared by SEC unless the item has a cleanup action. Part of the cleanup removes the alert from the endpoint QM. So no cleanup action from SEC means no way to centrally clear the QM. Manually clearing the endpoint QM would be required, though if that isn't viable for you I would recommend raising a support ticket as it may be possible to accomplish this via other methods. (e.g., deleting the quarantine.xml file from the endpoint via a script)

  • That seems kind of odd that there is no way to clear the alerts.

    For one, users have the "user" permission so they cannot clear the QM, and second, if the SEC cannot clear them because they do not register with SEC, how can we find out about these sorts of alerts from SEC? No email alert was made for all these alerts from the weekly scan. They are application control alerts. Is there a part of a policy that controls the alerts for this type of event?

    Are there any plans on enabling the QM to be cleared from the SEC for all users or something similar? I don't really want to use manual methods of deleting the xml file or asking users to clear out the QM.

    Seems like a strange issue for such good software. What is best practice for this? I can't be the only one in this situation. What is the logic behind not being able to clear out the QM? Was it just overlooked by the devs? Is it for logging purposes only?

    I mean, it is not such a big problem, it is just that if users have all these alerts in their QM then when they do get a real alert they may not take it too seriously. Also it can generate support calls because users call us about the alerts and we tell them to ignore them, and all round it is not very ideal. It is also a bit cosmetic as well: it looks better when it is all clear etc.
