Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 2828 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Application control false positive

SysM3m

Using sec 5 and end point 10.

I have blocked vaious applications using the application control feature. But I have noticed that a lot of the clients get false positive alerts in their detection list. This is a result of the weekly scan and it is detecting the likes of telnet and ftp within winxs folder and not when they are used, just the mere existence of the application exe. Surely the application control should be for use of applications and not the mere existence?

I don't want to have to manually add exclusion for these exe because they may be worth blocking the use of the application but as they are standard windows components I can't remove them. I don't want to add exclusion for winxs folder because some malware hides in that folder.

I realy like the application control feature but having all these false positives is kind of annoying, i find false positves in general can be dangerous because a) it prevents people from taking note of real issues b) it could quanantine valid exe or dll.

On another note where do i report false positives for on access can beacuse we have a dictation software called winscribe that recently had a bunch of their dll quanantined by on access scan and i had to add the winscribe folder to exclusion list.

File "C:\Program Files\WinScribe\Author\Interop.mscoree.dll" belongs to virus/spyware 'Mal/Generic-L'.

:34745


This thread was automatically locked due to age.
Parents
  • 0

    In your application control policy, you can enable scanning via OnAccess or via OnDemand/Scheduled scans. You can use one or the other, or both. It sounds like you have both enabled, so I would suggest enabling this feature solely for OnAccess scanning and see if that gives you the behavior you are looking for.

    Regarding suspected false positives, your best bet is to submit a sample to our Labs for analysis. It is possible that a legitimate file has been apended with viral code, or it's possible that the definition was a bit too aggressive. In either case, the Labs can confirm if the file is clean, and if the definition was too aggressive they can revise it so that the file is no longer detected.

    :34747
Reply
  • 0

    In your application control policy, you can enable scanning via OnAccess or via OnDemand/Scheduled scans. You can use one or the other, or both. It sounds like you have both enabled, so I would suggest enabling this feature solely for OnAccess scanning and see if that gives you the behavior you are looking for.

    Regarding suspected false positives, your best bet is to submit a sample to our Labs for analysis. It is possible that a legitimate file has been apended with viral code, or it's possible that the definition was a bit too aggressive. In either case, the Labs can confirm if the file is clean, and if the definition was too aggressive they can revise it so that the file is no longer detected.

    :34747
Children
No Data