False Positive on logs (Sandblast Agent) on BANKING Sites

Dear Team,

Setup:

Endpoint Server

OS: GAIA R77.30 with 143 hotfix and R77.30 Add-on package installed.

Client Package: E80.87

Blades Enabled:

1. Sandblast Agent Anti-Ransomware, Behavioral Guard and Forensics
2. Sandblast Agent Anti-Bot
3. Sandblast Agent Threat Extraction and Emulation

We use a TE appliance for extraction and emulation (Local Emulation).

Scenario: We visit some banking sites, which we are able to access, and we even see the Sandblast agent extension popup show "Scanned Phishing verified by Zero Phishing".

Some are GOVT websites like IRCTC (railway sites of India).

Some are BANKING sites.

But when we look at the logs, we find the result below.

This is completely unbelievable.

Showing:

Severity: 03

Confidence Level: High

Protection Name: Deceptive site Detection

Protection Type: Phishing Prevention

Please HELP me to resolve the issue.

#Chinmaya Naik (INDIA)

0 Kudos
1 Solution

Accepted Solutions
Employee

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Hi,

The issue is a known bug in E80.87 and E80.88 in which the wrong log is sent in the case a potential phishing site was found to be benign.

The issue is fixed in E80.89 which will be released soon.

As a workaround, you can change the policy and disable the "Send log on each scanned site" on the Zero Phishing Settings. By that, logs will be sent only for sites that were found malicious, and this confusion will be avoided.

Here

Sorry for the inconvenience,

Gal.

11 Replies

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Sorry, but I do not fully understand the issue: I read that you can use these sites successfully, but the logs show phishing detected? Or are the sites no longer working?

0 Kudos

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

I am at a loss too. The logs in the screenshot are not those for the website in question. What is the issue, actually?

0 Kudos

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Dear Günther and Valeri,

We are able to access the banking sites without any issue, but in the logs section it shows a phishing event, and the site in the description is the banking site. See the screenshot (the logs below are for railway reservation sites).

0 Kudos

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Open a case with TAC for that, please.

0 Kudos

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Maybe not really very helpful, but: the current GA Jumbo Take is Take_338, and the Take 143 in use is from 21 Apr 2016...

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

OK, I will update the status once I have installed the latest Jumbo Take_338.

Thanks, Günther and Valeri, thanks for the suggestion.

0 Kudos

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Please keep us posted here about the results.

0 Kudos

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Yes, sure, I will update.

Or else, do you think that an upgrade to R80.20 would resolve the problem?

0 Kudos

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

I would start with a small step and install the newer Jumbo Take first 😉

0 Kudos

Re: False Positive on logs (Sandblast Agent) on BANKING Sites

Thank you so much, Gal, for this information.

We will wait for the next E80.89 package and will update the status on whether it works for us or not.

Thank you.

0 Kudos