ESET Online Help


False positive detections

The following example use case shows how to reduce false positive detections. The same approach works for most false positives.

1. Navigate to Dashboard and switch to the Executables tab. The Problematic Executables table is at the bottom right. Sort it by the Unresolved column (descending) to see the executables responsible for the most detections.

2. Right-click the top executable and choose Detections. In this example, the googleupdate.exe process has a high number of detections. Use the filter to group the detections by Rule; you will see that one rule was triggered 2475 times:


3. The Potential credential dumping rule was triggered on several computers, all with a similar command line. Select the rule and click Create exclusion. Under Criteria, select the Process path starts with and Cmd. line contains check boxes. Prefer generic attributes such as the process path, the code signature and the distinguishing command-line options over file hashes: the hash of an auto-updating binary such as googleupdate.exe changes with every release, so a hash-based exclusion stops matching at the next update and you would need a new colleague just to keep the hashes current. Keep the exclusion narrow at the same time: use the full process path (or at least a prefix that identifies the binary, not just its folder) together with the command line, because a folder-only prefix also excludes any other executable dropped into that folder and would then hide a real detection of the same rule.


4. Click Continue and make sure the Auto-resolving option is selected so that all future detections matching this exclusion are resolved automatically. Enabling this option also resolves all past detections that match the exclusion (this can take up to a day).

5. Click Continue, then click Assign to select the computers or groups where this exclusion should apply, and click OK.

6. Click Continue and review the summary of the configured settings in the Exclusion preview. Verify all settings for this exclusion and click Create exclusion.

7. Navigate to More > Tasks to follow the progress of the resolving task. Depending on the size of your database, this can take several hours or days. The task shows how many detections the exclusion matched.


Note: Repeat this process for other false positives until you have created exclusions for most outlier detections. Create an exclusion only for detections you have confirmed to be benign.
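The following script is an added illustration of why step 3 recommends path and command-line criteria over hashes; it is not ESET code and does not use ESET Inspect's real exclusion format. It applies three hypothetical exclusions to a handful of constructed detection records (computer names, paths, the "/svc" command line and the hashes are all made up): a hash-based exclusion goes stale as soon as the updater ships a new build, a full-path-plus-command-line exclusion keeps resolving the false positives and leaves an unrelated binary in the same folder unresolved, and a folder-only prefix resolves everything, including the detection that should have stayed visible.

```python
"""Added example: compare exclusion criteria over constructed detection records.

Not ESET code. The detection records, paths, command lines and hashes below are
constructed sample data; the matching semantics (case-insensitive "starts with"
on the process path, "contains" on the command line) are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
import hashlib


@dataclass(frozen=True)
class Detection:
    """One rule hit, reduced to the fields an exclusion can be built from."""
    computer: str
    rule: str
    process_path: str
    cmd_line: str
    sha1: str  # hash of the executable image that triggered the rule


def fake_sha1(build: str) -> str:
    """Stand-in for the executable's file hash: a new build means a new hash."""
    return hashlib.sha1(build.encode()).hexdigest()


RULE = "Potential credential dumping"
FOLDER = "C:\\Program Files (x86)\\Google\\Update\\"      # constructed path
UPDATER = FOLDER + "GoogleUpdate.exe"
BUILD_1 = fake_sha1("GoogleUpdate build 1")
BUILD_2 = fake_sha1("GoogleUpdate build 2")  # hash after an auto-update

# Constructed detections: the same updater on several machines across two
# builds, plus one unrelated binary that landed in the same folder.
DETECTIONS: List[Detection] = [
    Detection("PC-01", RULE, UPDATER, "/svc", BUILD_1),
    Detection("PC-02", RULE, UPDATER, "/svc", BUILD_1),
    Detection("PC-03", RULE, UPDATER, "/svc", BUILD_2),
    # Not a false positive: a different executable dropped into the folder.
    Detection("PC-04", RULE, FOLDER + "dump.exe", "-dump lsass", fake_sha1("dump.exe")),
]

Matcher = Callable[[Detection], bool]


def by_hash(sha1: str) -> Matcher:
    """Exclusion keyed on the file hash only."""
    return lambda d: d.sha1 == sha1


def by_path_and_cmdline(path_prefix: str, cmd_fragment: Optional[str]) -> Matcher:
    """'Process path starts with' combined with 'Cmd. line contains'.

    Windows paths are case-insensitive, so both comparisons are lowercased.
    cmd_fragment=None models an exclusion that checks the path alone.
    """
    def match(d: Detection) -> bool:
        if not d.process_path.lower().startswith(path_prefix.lower()):
            return False
        return cmd_fragment is None or cmd_fragment.lower() in d.cmd_line.lower()
    return match


def apply_exclusion(detections: List[Detection], matcher: Matcher) -> Tuple[List[str], List[str]]:
    """Split detections into (resolved, still unresolved) computer names."""
    resolved = [d.computer for d in detections if matcher(d)]
    unresolved = [d.computer for d in detections if not matcher(d)]
    return resolved, unresolved


def compare_exclusions() -> Dict[str, Tuple[List[str], List[str]]]:
    """Run the three candidate exclusions against the sample detections."""
    return {
        "hash only": apply_exclusion(DETECTIONS, by_hash(BUILD_1)),
        "full path + cmd line": apply_exclusion(DETECTIONS, by_path_and_cmdline(UPDATER, "/svc")),
        "folder prefix only": apply_exclusion(DETECTIONS, by_path_and_cmdline(FOLDER, None)),
    }


if __name__ == "__main__":
    for name, (resolved, unresolved) in compare_exclusions().items():
        print(f"{name:22s} resolved={resolved} unresolved={unresolved}")
```

The hash-only exclusion leaves PC-03 unresolved because the updater's new build carries a new hash; the full-path-plus-command-line exclusion resolves all three updater hits and keeps PC-04 visible; the folder-only prefix resolves PC-04 as well, which is exactly the outcome an exclusion must not produce.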