topic Re: False Positive on logs (Sandblast Agent) on BANKING Sites in Endpoint

False Positive on logs (Sandblast Agent) on BANKING Sites

Chinmaya_Naik — Thu, 29 Nov 2018 10:50:16 GMT

Dear Team,

Setup:

Endpoint Server

OS: GAIA R77.30 with 143 hotfix and R77.30 Adds on package installed.

Client Package : E80.87

Blade Enabled:

1.Sandblast Agent Anti-Ransomware, behavioral guard and Forensics
2.Sandblast Agent Anti-Bot
3.Sandblast Agent Threat extraction and emulation

We use TE appliance for extraction and emulation (Local Emulation).

Scenario : We visit some banking sites where we able to access the websites and even we see the Sandblast agent extension popup show "Scanned Phishing verified by Zero Phishing"

Some are GOVT websites like IRCTC (railway sites of India)

Some are BANKING Sites

BUT as we see on logs and find below result.

This is completely unbelievable

Showing:-

Severity:03

Confidence Level: High

Protection Name: Deceptive site Detection

Protection Type: Phishing Prevention

Please HELP me to resolve the issue.

#Chinmaya Naik (INDIA)

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

G_W_Albrecht — Thu, 29 Nov 2018 12:11:54 GMT

Sorry, but is do not fully understand the Issue: i read that you can use these sites successfully, but logs show phishing detected ? Or are the sites working no more ?

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

_Val_ — Thu, 29 Nov 2018 12:24:56 GMT

I am at a loss too. The logs in the screenshot are not those for the website in question. What is the issue, actually?

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Chinmaya_Naik — Thu, 29 Nov 2018 12:37:32 GMT

Dear Günther and Valeri,

We able to access the banking sites without any issue but on the logs section, it showing phishing event and description site as banking sites. see the screenshot. (below logs for railway reservation sites)

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

_Val_ — Thu, 29 Nov 2018 12:43:06 GMT

Open a case with TAC for that, please

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

G_W_Albrecht — Thu, 29 Nov 2018 12:45:44 GMT

Maybe not really very helpfull, but: Current GA Jumbo Take is Take_338 and used Take 143 is from 21. Apr 2016...

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Chinmaya_Naik — Thu, 29 Nov 2018 13:11:59 GMT

Ok, I will update the status once I installed the latest jumbo Take_338.

Thanks, Günther and Valeri thanks for the suggestion

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

_Val_ — Thu, 29 Nov 2018 13:32:22 GMT

Please keep us posted here about the results

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Chinmaya_Naik — Fri, 30 Nov 2018 04:48:25 GMT

Yes sure I will update

Or else do you think that upgrade to R80.20 is resolve the problem.

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

G_W_Albrecht — Fri, 30 Nov 2018 08:40:18 GMT

I would start with a small step and install the newer Jumbo Take first 😉

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Gal_Carmeli — Fri, 30 Nov 2018 09:27:54 GMT

Hi,

The issue is a known bug in E80.87 and E80.88 in which the wrong log is sent in the case a potential phishing site was found to be benign.

The issue is fixed in E80.89 which will be released soon.

As a workaround, you can change the policy and disable the "Send log on each scanned site" on the Zero Phishing Settings. By that, logs will be sent only for sites that were found malicious, and this confusion will be avoided.

Sorry for the inconvenience,,,

Gal.

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Chinmaya_Naik — Wed, 05 Dec 2018 16:24:49 GMT

Thank you so much Gal for this information

We will wait for the next E80.89 package and will update the status as well its work for us or not.

Thank you