jberg712
Contributor

False Positives with Endpoint Harmony

I wanted to get the community's take on this.  We've been running Endpoint in our environment for a couple of years.  We've had a lot of growing pains with Endpoint, from FDE issues and Windows updates to now false positives.  I am constantly getting notifications of false positives, and we go through seasons where we'll have a few weeks of relief but then all of a sudden we start seeing A LOT. 

One we had yesterday was related to a setup file for an older version of WinZip that popped up out of nowhere and quarantined the file.  Today, it's a DLL to a program that runs bash on a Windows system that has been there for months.  It really makes no logical sense.

I want to know, are we the only ones fighting this battle?  What are others doing to mitigate these besides just adding exceptions all the time? It wastes a lot of time when we come in in the morning and find emails of events that quarantined files that are not malicious. It's either by the Forensics blade, Anti-Malware blade, or the Anti-Ransomware blade.


0 Kudos
6 Replies
the_rock
Legend

I will ask one of my colleagues who is really good with this product, as I'm more of a firewall guy, but from what I recall, I believe there are customers doing it the exact same way, though it does not sound like something you should have to do constantly, especially considering the fact it could be a false positive.

0 Kudos
jberg712
Contributor

Thank you.  I agree, Rock.  It really has been an ongoing battle, and it seems to happen in seasons.  We may go a couple of weeks without an event, but then all of a sudden an update happens to the virus definitions or something and we start getting hits from multiple systems at times.  

the_rock
Legend

I emailed my colleague, so will let you know what he says.

Cheers.

0 Kudos
MikeB
Advisor

What version of Endpoints do you have deployed? Which modules are detecting the "false positives"?

0 Kudos
jberg712
Contributor

Mike, right now we are running a mix of E85.40 and E86.00.  We've been having more TE, Anti-Malware, and BG than anything.  In the past we would have Anti-Ransomware, but those are very few and far between.  

0 Kudos
Doron_Zuckerman
Employee

Hello Jonathan,

My name is Doron and I’m the team lead of the Static Analysis and Threat Emulation teams for Harmony EndPoint.

I noticed your post on CheckMates about the false positives by the Anti-Malware, Anti-Ransomware and Forensics blades.

Since some files are updated after our signatures are delivered, false positives may occur from time to time.

For further inspection and preventing this in the future, can you please share some additional information about the false positives you experienced and attach the Forensics reports from: C:\ProgramData\CheckPoint\DBStore\Events folder on the relevant machines?

Also, can you please share these files with us for further analysis with regard to why they were detected?

I have sent you an email about this, let's continue the discussion there.

Thank you,

Doron Zuckerman | Harmony EndPoint Static Analysis ML and Emulation Team Lead

Check Point Software Technologies Ltd. | M +972-54-345-3459 | doronzu@checkpoint.com
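For anyone who has to do what Doron asks above on several machines, the following PowerShell script is an added example (not from this thread, and not Check Point's own tooling). It collects everything written to the `C:\ProgramData\CheckPoint\DBStore\Events` folder named in the reply within a chosen window, hashes the quarantined sample files you intend to submit, and packs reports plus a SHA-256 manifest into one zip for the vendor. The folder path is the one from the thread; the seven-day window, the output locations and the assumption that every recent file under that folder is a relevant report are the script's own guesses, since the thread does not say how the reports are named.

```powershell
# Added example, not Check Point code: bundle Harmony Endpoint forensics reports
# and hash suspected false-positive samples for submission to the vendor.
# Assumptions: $EventsDir is the folder named in the thread; the report file
# names are unknown, so every file modified inside the window is collected.
param(
    [string]$EventsDir   = 'C:\ProgramData\CheckPoint\DBStore\Events',  # path from the thread
    [int]$DaysBack       = 7,                                           # assumption: one week covers the event
    [string[]]$SampleFiles = @(),                                       # quarantined/detected files you plan to send
    [string]$OutDir      = (Join-Path $env:TEMP 'hep-fp-bundle')        # assumed staging folder
)

$since = (Get-Date).AddDays(-$DaysBack)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Collect reports written since the false-positive event.
$reports = Get-ChildItem -Path $EventsDir -Recurse -File -ErrorAction Stop |
    Where-Object { $_.LastWriteTime -ge $since }
if (-not $reports) {
    Write-Warning "No files newer than $since under $EventsDir"
}

# 2. Hash reports and samples. The SHA-256 lets the vendor match a file to the
#    detection regardless of its name, and lets you check it against their
#    verdicts before it leaves your network.
function Get-FileRecord {
    param([string]$Path, [string]$Kind)
    $item = Get-Item -Path $Path -ErrorAction Stop
    [pscustomobject]@{
        Kind      = $Kind
        Path      = $item.FullName
        SizeBytes = $item.Length
        LastWrite = $item.LastWriteTime.ToString('o')
        Sha256    = (Get-FileHash -Path $item.FullName -Algorithm SHA256).Hash
    }
}

$manifest = @()
$manifest += foreach ($r in $reports)     { Get-FileRecord -Path $r.FullName -Kind 'report' }
$manifest += foreach ($s in $SampleFiles) { Get-FileRecord -Path $s -Kind 'sample' }
$manifest | Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation

# 3. Stage reports (samples stay where they are; only their hashes go in the
#    manifest) and zip the bundle with a timestamped name.
$reports | Copy-Item -Destination $OutDir -Force
$zip = Join-Path $env:TEMP ('hep-fp-{0}.zip' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath $zip -Force

$manifest | Format-Table -AutoSize
Write-Output "Bundle written to $zip"
```

Run it from an elevated prompt on the affected machine, for example `.\Collect-HepFalsePositive.ps1 -SampleFiles 'C:\path\to\winzip_setup.exe'` (the file name is a placeholder). Keeping the samples out of the zip and only listing their hashes is deliberate: the vendor can often confirm a verdict from the hash alone, and you avoid mailing a file your own AV just flagged.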
