# Report file as false positive

My name is Nate Hancock and I am a Support Engineer at FireEye. Today we are going to demonstrate how to gather information for reporting a false positive to FireEye support. This will expedite the process of resolving false positives.

When looking at alerts in your environment, you may come across an alert that you don't feel is necessarily malicious. When you go in to look at the alert details, for whatever reason, maybe you recognize the MD5, or the object that's archived here, or the URL, and feel like this may not be malicious. There's some information that you can gather and send to FireEye support to help speed this to a faster resolution. These are all things that will probably be requested anyway, and if you can provide them up front it can save a lot of time for you and for the support engineer.

The first thing we're going to want to gather is the XML. The XML that we download contains all of the information that's in these alert details: any URLs that are in the alert and their redirection, as well as a description of why this was flagged as malicious.

The next items are going to be the pcaps. These pcaps are also very useful in seeing exactly what that traffic is and what it did, and this could be useful in determining whether or not this is malicious.

The next thing you're going to want to download is the archived object. Depending on the alert and the alert type, it may or may not have an object. This is the file that was flagged in association with this alert. So be very careful: even though you suspect that this might not be malicious, it still could contain malware.

Then we can go in and zip the files that we have just downloaded, putting them into a single ZIP folder. Once we have all of that, we're also going to gather some additional information from the command line in just a moment. It's always a good idea, before sending this anywhere, whether to your security team for analysis or to FireEye, that we also password protect that archive, adding the password "infected" (I N F E C T E D). The process for doing that can vary depending on the platform.
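As an added example (not from the video or from FireEye's own tooling), this Python script builds the bundle described above: a manifest with the size, MD5 and SHA-256 of each artifact, plus a password-protected archive using the "infected" convention. It assumes the 7-Zip `7z` command-line tool is installed; the file names and contents in `demo()` are constructed placeholders, not real alert data.

```python
import hashlib
import json
import shutil
import subprocess
import tempfile
from pathlib import Path

# Convention for sharing suspect samples: the archive password is "infected".
ARCHIVE_PASSWORD = "infected"

def build_manifest(artifacts, alert_id):
    """List each artifact (alert XML, pcaps, archived object) with size, MD5
    and SHA-256 so the support engineer can confirm nothing was altered."""
    entries = []
    for path in map(Path, artifacts):
        data = path.read_bytes()  # raises if a listed artifact is missing
        entries.append({"name": path.name, "size": len(data),
                        "md5": hashlib.md5(data).hexdigest(),
                        "sha256": hashlib.sha256(data).hexdigest()})
    return {"alert_id": alert_id, "files": entries}

def pack(artifacts, alert_id, out_dir):
    """Write manifest.json and, when the 7z CLI is present, <alert_id>.7z with
    encrypted headers. Returns (manifest, archive path or None without 7z)."""
    out_dir = Path(out_dir)
    manifest = build_manifest(artifacts, alert_id)
    manifest_path = out_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    seven_zip = shutil.which("7z")  # assumption: 7-Zip CLI on PATH
    if seven_zip is None:
        return manifest, None
    archive = out_dir / f"{alert_id}.7z"
    subprocess.run([seven_zip, "a", f"-p{ARCHIVE_PASSWORD}", "-mhe=on",
                    str(archive), str(manifest_path), *map(str, artifacts)],
                   check=True, capture_output=True)
    return manifest, archive

def demo():
    """Constructed sample artifacts (not real alert data) packed in a temp dir."""
    work = Path(tempfile.mkdtemp())
    (work / "alert_details.xml").write_bytes(b"<alert id='demo'/>")
    (work / "traffic.pcap").write_bytes(b"constructed pcap placeholder")
    (work / "archived_object.bin").write_bytes(b"abc")
    return pack([work / "alert_details.xml", work / "traffic.pcap",
                 work / "archived_object.bin"], "demo", work)

if __name__ == "__main__":
    manifest, archive = demo()
    print(json.dumps(manifest, indent=2), "\narchive:", archive)
```

The password itself goes in the support ticket, not inside the archive, so the manifest deliberately omits it.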