Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 2826 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Application control false positive

SysM3m

Using sec 5 and end point 10.

I have blocked vaious applications using the application control feature. But I have noticed that a lot of the clients get false positive alerts in their detection list. This is a result of the weekly scan and it is detecting the likes of telnet and ftp within winxs folder and not when they are used, just the mere existence of the application exe. Surely the application control should be for use of applications and not the mere existence?

I don't want to have to manually add exclusion for these exe because they may be worth blocking the use of the application but as they are standard windows components I can't remove them. I don't want to add exclusion for winxs folder because some malware hides in that folder.

I realy like the application control feature but having all these false positives is kind of annoying, i find false positves in general can be dangerous because a) it prevents people from taking note of real issues b) it could quanantine valid exe or dll.

On another note where do i report false positives for on access can beacuse we have a dictation software called winscribe that recently had a bunch of their dll quanantined by on access scan and i had to add the winscribe folder to exclusion list.

File "C:\Program Files\WinScribe\Author\Interop.mscoree.dll" belongs to virus/spyware 'Mal/Generic-L'.

:34745


This thread was automatically locked due to age.
Parents
  • 0

    That seems kind of odd that there is no way to clear the alerts.

    For one, users have the "user" permission so they can not clear the QM and second, if the SEC can not clear them because they do not register with SEC, how can we find out about these sorts of alerts from SEC. No email alert was made for all these alerts from the weekly scan. They are application control alerts. Is there a part of a policy that controls the alerts for this type of event?

    Is there any plans on enabling the QM to be cleared from the SEC for all users or somethign similar? I don't realy want to do manual methods of deleting the xml file or asking users to clear out the QM.

    Seems like strange issue for such a good software, what is best practice for this? i can't be the only one with this situation. What is the logic behind not being able to clear out the QM? Was it just over looked by the devs ? Is it for logging purposes only.

    I mean it is not such a big problem it is just if users have all these alerts in their QM then when they do get a real alert they may not take it too seriously. Also it can generate support calls because users call us about the alerts and we tell them to ignore them and all round not very ideal. It is also a bit cosmetic as well. It looks better when it is all clear etc.

    :34753
Reply
  • 0

    That seems kind of odd that there is no way to clear the alerts.

    For one, users have the "user" permission so they can not clear the QM and second, if the SEC can not clear them because they do not register with SEC, how can we find out about these sorts of alerts from SEC. No email alert was made for all these alerts from the weekly scan. They are application control alerts. Is there a part of a policy that controls the alerts for this type of event?

    Is there any plans on enabling the QM to be cleared from the SEC for all users or somethign similar? I don't realy want to do manual methods of deleting the xml file or asking users to clear out the QM.

    Seems like strange issue for such a good software, what is best practice for this? i can't be the only one with this situation. What is the logic behind not being able to clear out the QM? Was it just over looked by the devs ? Is it for logging purposes only.

    I mean it is not such a big problem it is just if users have all these alerts in their QM then when they do get a real alert they may not take it too seriously. Also it can generate support calls because users call us about the alerts and we tell them to ignore them and all round not very ideal. It is also a bit cosmetic as well. It looks better when it is all clear etc.

    :34753
Children
No Data