False Positives with Endpoint Harmony

jberg712 · ‎2021-11-16

I wanted to get the communities take on this. We've been running Endpoint in our environment for a couple of years. We've had a lot of growing pains with Endpoint from FDE issues and windows updates to now it's False Positives. I am constantly getting notifications of False Positives and we go through seasons where we'll have a few weeks of relief but then all of a sudden we start seeing A LOT.

One we had yesterday was regarded to a setup file for an older version of Winzip that popped up out of nowhere and quarantined the file. Today, it's a DLL to a program that runs bash on a windows system that has been there for months. It really makes no logical sense.

I want to know, are we the only ones fighting this battle? What are others doing to mitigate these besides just adding exceptions all the time because it wastes a lot of time when we come in in the morning and find emails of events that quarantined files that are not malicious?? It'seither by the forensics blade, antimalware blade, or the anti-ransomware blade.

the_rock · ‎2021-11-16

I will ask one of my colleagues who is real good with this product, as Im more of a firewall guy, but from what I recall, I believe there are customers doing it exact same way. though does not sound like something you should have to do constantly, specially considering the fact it could be false positive.

jberg712 · ‎2021-11-16

Thank you. I agree rock. It really has been an ongoing battle and it seems to happen in seasons. We may go a couple of weeks without an event but then all of a sudden an update happens to the virus definitions or something and we start getting hits from multiple systems at times.

the_rock · ‎2021-11-16

I emailed my colleague, so will let you know what he says.

Cheers.

MikeB · ‎2021-11-16

What version of Endpoints do you have deployed? Which modules are detecting the "false positives"?

jberg712 · ‎2021-11-18

Mike right now we are running a mix of E85.40 and E86.00. We've been having more TE, Antimalware, and BG than anything. In the past we would have Antiransomware, but those are very far few and in between.

frankbt · ‎2024-05-30

Hi MikeB,

I know it is an old post but , since it's still true in 2024, you, MikeB are pointing right at it.

We don't care what blade/module it is, what we need a simple button to report false positive from any of your too many consoles.

I can't even see clearly from my dashboard which blade is involved

Aside creating a fake button that SHOULD BE sending client logs to Checkpoint from the harmony console, what did checkpoint do to ease this process for the clients?

Nothing personal here Mike, if you're still working at checkpoint...

But I think Checkpoint should spend little less resources "spamming" their inbox and more time taking notes of customer feedback and improve their product

Doron_Zuckerman · ‎2021-11-17

Hello Jonathan,

My name is Doron and I’m the team lead of the Static Analysis and Threat Emulation teams for Harmony EndPoint.

I noticed your post on CheckMates about the false positives by Anti-Malware, Anti-Ransomware and Forensicss blades.

Since some files are updated after our signatures are delivered, false positives may occur from time to time.

For further inspection and preventing this in the future, can you please share some additional information about the false positives you experienced and attach the Forensics reports from: C:\ProgramData\CheckPoint\DBStore\Events folder on the relevant machines?

Also, for these files, can you please share the files with us for further analysis with regards to why those files were detected?

I have sent you an email about this, let's continue the discussion there.

Thank you,

Doron Zuckerman | Harmony EndPoint Static Analysis ML and Emulation Team Lead

Check Point Software Technologies Ltd. | M +972-54-345-3459 | doronzu@checkpoint.com

MRE007

Hallo,

wir haben auch so ein Problem mit False / Positve, dass sind mal Programme aus dem Systemumfeld (Microsoft) oder aber, wie aktuell, Excel Files. Nicht etwas perse alle Excel Files sondern einige wenige, die Firmenintern für Abrechnungen verwendet werden.

Wochenlang keine Probleme mit diesen Files dann aber ein / zwei Tage lang. Die Files werden nicht aktualisiert gespeichert sondern "repariert" und ohne Änderungen (die erfolgten durch die Anwender) weggespeichert.

Dann nach den ein / zwei Tagen mit diesem Problem ist wieder alles in Ordnung.

Der Support leifert keine Lösungen, obwohl wir dies schon in 2024 zweimal als Supportfall meldeten.

Die Kommunikation ist ohnehin schlecht, dauert und zieht sich. Oft bekommt man über Tage hinweg keine Rückmeldungen.

Gruss

MRE007

Hello, we also have a problem with False / Positve, which are sometimes programmes from the system environment (Microsoft) or, as is currently the case, Excel files. Not all Excel files, but a few that are used internally for billing. No problems with these files for weeks, but then for a day or two. The files are not saved updated but "repaired" and saved away without any changes (which were made by the users). Then after a day or two with this problem, everything is fine again. Support does not provide any solutions, although we already reported this twice as a support case in 2024. Communication is poor anyway, takes time and drags on. You often don't get any feedback for days. Greetings

Are you a member of CheckMates?

False Positives with Endpoint Harmony