Chinmaya_Naik
Advisor

False Positive on logs (Sandblast Agent) on BANKING Sites


Dear Team,

Setup:

Endpoint Server

OS: GAIA R77.30 with Jumbo Hotfix Take 143 and the R77.30 add-on package installed.

Client Package: E80.87

Blades Enabled:

1. SandBlast Agent Anti-Ransomware, Behavioral Guard and Forensics
2. SandBlast Agent Anti-Bot
3. SandBlast Agent Threat Extraction and Emulation

We use TE appliance for extraction and emulation (Local Emulation).

Scenario: We visit some banking sites. We are able to access the websites, and we even see the SandBlast Agent browser extension popup showing "Scanned Phishing verified by Zero Phishing".

Some are government websites, like IRCTC (the Indian railway reservation site).

Some are BANKING Sites

BUT when we look at the logs, we find the result below.

This is completely unbelievable

Showing:

Severity: 03

Confidence Level: High

Protection Name: Deceptive site Detection

Protection Type: Phishing Prevention

Please HELP me to resolve the issue.

#Chinmaya Naik (INDIA)


Accepted Solutions
Gal_Carmeli
Employee

Hi,

The issue is a known bug in E80.87 and E80.88 in which the wrong log is sent in the case a potential phishing site was found to be benign.

The issue is fixed in E80.89 which will be released soon.

As a workaround, you can change the policy and disable the "Send log on each scanned site" on the Zero Phishing Settings. By that, logs will be sent only for sites that were found malicious, and this confusion will be avoided.

Here

Sorry for the inconvenience,

Gal.


11 Replies
G_W_Albrecht
Legend

Sorry, but I do not fully understand the issue: I read that you can use these sites successfully, but the logs show phishing detected? Or are the sites no longer working?

_Val_
Admin

I am at a loss too. The logs in the screenshot are not those for the website in question. What is the issue, actually?

Chinmaya_Naik
Advisor

Dear Günther and Valeri,

We are able to access the banking sites without any issue, but in the logs section it shows a phishing event with the banking site as the description. See the screenshot (below are the logs for the railway reservation site).

_Val_
Admin

Open a case with TAC for that, please.

G_W_Albrecht
Legend

Maybe not really very helpful, but: the current GA Jumbo Take is Take_338, and the Take 143 you are using is from 21 Apr 2016...

Chinmaya_Naik
Advisor

Ok, I will update the status once I have installed the latest Jumbo Take_338.

Thanks, Günther and Valeri 🙂 thanks for the suggestion.

_Val_
Admin

Please keep us posted here about the results.

Chinmaya_Naik
Advisor

Yes, sure, I will update.

Or else, do you think that an upgrade to R80.20 would resolve the problem?

G_W_Albrecht
Legend

I would start with a small step and install the newer Jumbo Take first 😉


Chinmaya_Naik
Advisor

Thank you so much, Gal, for this information.

We will wait for the next E80.89 package and will update the status on whether it works for us or not.

Thank you 🙂
