False positive detections

The following example use case shows how to reduce false positive detections. The same approach works for most false positives.

1. Navigate to Dashboard and switch to the Executables tab. The Problematic Executables table is at the bottom right. Sort it by the Unresolved column in descending order to see the executables responsible for the most unresolved detections.

2. Right-click the top executable and choose Detections. In this example, the googleupdate.exe process has a high number of detections. Use the filter to group the detections by Rules. You will see that one rule was triggered 2475 times.

3. The Potential credential dumping rule was triggered on several computers, all with a similar command line. Select the rule and click Create exclusion. In Criteria, select the Process path starts with and Cmd. line contains check boxes, and deselect Computer is one of. Prefer generic, stable attributes such as folders, signatures and command line options, and avoid hashes or computer names in exclusions: the hash changes with every update of the executable and the set of computers changes as machines are added, so an exclusion built on them needs constant maintenance (you would be hiring a new colleague only to keep up with changing hashes). At the same time, keep the criteria specific enough that the exclusion covers only the benign behavior you have verified: a command line criterion on its own, without the process path, would also silence the same rule for any other executable run with similar arguments.

4. Click Continue and make sure the Auto-resolving option is selected so that all future detections matching this exclusion are resolved automatically. Enabling this option also resolves all past detections that match the exclusion (this can take up to a day).

5. Navigate to the Admin > Tasks tab to view the progress of the resolving task. Depending on the size of your database, this can take several hours or days. The task shows how many detections were hit by this exclusion, which is a useful sanity check: a hit count far above the number you saw for the rule in step 2 means the exclusion is broader than intended and should be tightened.

Repeat this process for other false positives until you have exclusions for most outlier detections.
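The following is an added example, not ESET Inspect's own code, that models the triage loop above on constructed detection records so the effect of different exclusion criteria can be checked offline. The matching semantics are assumptions for the example (an exclusion belongs to one rule, every criterion set on it must match, "Process path starts with" is a case-insensitive prefix test and "Cmd. line contains" a case-insensitive substring test), and the sample command lines, hashes and computer names are constructed, not real telemetry. It shows why the page recommends folders and command line options over hashes: the hash-pinned exclusion stops matching as soon as the updater ships a new build, while the path criterion keeps the generic exclusion from covering an unrelated executable whose command line happens to contain the same option.

```python
"""Added example (not ESET Inspect code): model of the false-positive triage
loop over constructed detection records. Matching semantics are assumed."""
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Detection:
    rule: str
    computer: str
    process_path: str
    cmdline: str
    sha1: str
    resolved: bool = False


@dataclass
class Exclusion:
    rule: str
    path_prefix: Optional[str] = None            # "Process path starts with"
    cmdline_contains: Optional[str] = None       # "Cmd. line contains"
    computers: Optional[FrozenSet[str]] = None   # "Computer is one of" (brittle)
    sha1: Optional[str] = None                   # file hash (brittle)
    auto_resolve: bool = True

    def matches(self, d: Detection) -> bool:
        """True when the detection satisfies every criterion that is set."""
        if d.rule != self.rule:
            return False
        if self.path_prefix and not d.process_path.lower().startswith(self.path_prefix.lower()):
            return False
        if self.cmdline_contains and self.cmdline_contains.lower() not in d.cmdline.lower():
            return False
        if self.computers is not None and d.computer not in self.computers:
            return False
        if self.sha1 and d.sha1.lower() != self.sha1.lower():
            return False
        return True


def problematic_executables(dets: List[Detection]) -> List[Tuple[str, int]]:
    """Step 1: executables ranked by unresolved detections, most first."""
    counts = Counter(d.process_path for d in dets if not d.resolved)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def detections_by_rule(dets: List[Detection], process_path: str) -> Counter:
    """Step 2: one executable's unresolved detections grouped by rule."""
    return Counter(d.rule for d in dets
                   if d.process_path == process_path and not d.resolved)


def apply_exclusion(dets: List[Detection], exc: Exclusion) -> int:
    """Steps 4-5: resolve every unresolved detection the exclusion matches and
    return the hit count the resolving task would report."""
    hit = [d for d in dets if not d.resolved and exc.matches(d)]
    if exc.auto_resolve:
        for d in hit:
            d.resolved = True
    return len(hit)


# Constructed sample data. Three credential-dumping hits on GoogleUpdate.exe from
# different machines (the third is a newer build with a different hash), plus
# two detections that must stay unresolved: a different rule, and a different
# executable whose command line also contains "/installsource".
GU = r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"
RULE = "Potential credential dumping"


def sample_detections() -> List[Detection]:
    return [
        Detection(RULE, "WS-01", GU, f'"{GU}" /ua /installsource scheduler', "aaaa1111"),
        Detection(RULE, "WS-02", GU, f'"{GU}" /ua /installsource scheduler', "aaaa1111"),
        Detection(RULE, "WS-03", GU, f'"{GU}" /c /installsource core', "bbbb2222"),
        Detection("Suspicious scheduled task", "WS-01", GU, f'"{GU}" /ua', "aaaa1111"),
        Detection(RULE, "WS-07", r"C:\Users\Public\tool.exe", "tool.exe /installsource lsass", "cccc3333"),
    ]


# The exclusion from step 3: rule + folder + command line option, no hash and no
# computer names. It survives an update of GoogleUpdate.exe and does not cover
# tool.exe, because the path criterion fails for it.
GOOD_EXCLUSION = Exclusion(rule=RULE,
                           path_prefix="C:\\Program Files (x86)\\Google\\Update\\",
                           cmdline_contains="/installsource")

# What the page warns against: pinned to one hash, so the WS-03 detection from
# the newer build is not resolved and the exclusion needs rework after each update.
HASH_EXCLUSION = Exclusion(rule=RULE, sha1="aaaa1111")
```

Run `apply_exclusion(sample_detections(), GOOD_EXCLUSION)` to see all three GoogleUpdate.exe detections of the rule resolved (hit count 3) while the scheduled-task detection and the tool.exe detection remain open; `HASH_EXCLUSION` on a fresh sample resolves only two, leaving the newer build unresolved. Comparing the returned hit count with the per-rule count from `detections_by_rule` is the same sanity check as reading the task result in step 5.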