This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
APT_Protection
Participant
‎2022-12-05 09:03 AM

Threat-Emulation false-positives after detection rule update

Hello,

maybe someone else experience the same at the moment. I can see a lot of potential false-positive detections via Threat-Emulation today.

They all have in common, that these detections are from Win10 vm environment, which was the only one that got an detection rule update today. I think todays detection rule update introduced a problematic detection.

 

All false-positives have the same single activity in the report:

Suspicious Process activity C:\Windows\splwow64.exe (Start)

 

Detection Rules

============================================== Win10 64b,Office 2016,Adobe DC ------------------------------ UID: 10b4a9c6-e414-425c-ae8b-fe4dd7b25244

Revision: 59312 Status: Ready Size: 118.61KB Start Download Time: Tue Nov 22 19:00:57 2022

Revision: 59314 Status: Ready Size: 118.42KB Start Download Time: Mon Dec 5 15:27:25 2022

 

The other vm detection rules werent updated today and they dont show this Suspicious Process activity...

 

br

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2022-12-05 10:15 AM

False positives do happen from time to time and should be reported to the TAC.

0 Kudos
APT_Protection
Participant
‎2022-12-05 10:58 AM
In response to PhoneBoy

Its not only a normal false-positive...

Almost every emulation via win10 vm was detected as malicious because of this new detection rule. I had to disable the win10 vm as a workaround.

0 Kudos
asafav
Employee
Employee
‎2022-12-06 07:19 AM
In response to APT_Protection

Hi,

A single Detection-rules signature was causing a high FP rate.

New Detection-rules package has been just released fixing the issue.

You can force update your Detection-rules package using "tecli advanced download update rules".

Sorry for the inconvenience.

 

Asaf,

Threat Emulation R&D 

APT_Protection
Participant
‎2022-12-06 07:56 AM
In response to asafav

Hi Asaf,

alright, thanks for the information!

 

The update worked so far in my lab. my testfiles(fp's)are now handled "normally"...

I will role this out in our production step by step and monitor the situation.

 

br

Ronny

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top