Best Practices - Handling False Positives

This article will help you understand why detections are marked as malicious or suspicious by SW EDR when you thought they were safe, how to analyze detections quickly to make a real decision, and what to do to get the fastest response from SolarWinds for real false positives.

Q: How can this be a real threat? It is a signed utility!

A: SentinelOne Security Best Practices advise: Analyze the behavior!

The EDR solution runs a Behavioral AI engine that implements advanced algorithms to detect malicious activity in real time, as processes execute. It finds malicious behavior where and when it happens. If a utility, file, process, or application that you trust is marked as suspicious or blocked as malicious, take a quick look. When you click a threat in Analyze, the Incident details open.

  • Look at the Indicators to see why the engine detected the file or behavior as malicious or suspicious. Indicators for Behavioral AI detections include references to the MITRE ATT&CK matrix and use MITRE terminology for easy cross-reference.
  • Look at the Header to see the SolarWinds AI Confidence Level.
  • Look at the Network History to understand where else in your environment the threat was found and whether someone has already analyzed it.
  • Check the Explore tab of the Incident details. Did the threat try to change the registry? Did it try to change or remove specific files or paths? Check the context of each indicator and decide whether that is acceptable, expected, and known behavior for the process.

We have seen trusted, signed utilities that had been manipulated and that could have caused damage if EDR had not detected the bad behavior. A valid signature tells you who published a file and that it has not changed since; it says nothing about whether what the file does on your endpoint is safe.

Q: Why is our proprietary script or file detected as a real threat?

A: SentinelOne Security Best Practices advise: Wait! Look!

Check the detection indicators. A proprietary script or file usually trips the engine because it does something malware also does, such as changing the registry, removing files, or spawning other processes. The indicators show you exactly which actions were flagged and therefore where the code can be improved for security.

Q: I might be seeing false positives for an application, but the bigger problem is that the application does not work as expected. What should I do?

A: Many applications write to secured locations, spawn processes, and otherwise behave in ways that would be unacceptable from an untrusted download. If the Agent blocks a licensed application (such as AutoCAD, Docker, or Veeam), you might require Interoperability Exclusions.

If the problem persists, open a ticket for SolarWinds Support.

There are different path exclusion modes. The interoperability articles instruct you to use the Interoperability exclusion mode to resolve the issues.

In some cases, you might need the Interoperability - extended mode, if the Interoperability mode does not resolve the issues. It is best to consult with Support first.

DO NOT use the Performance Focus or Performance Focus - extended modes unless you are instructed to do so by SolarWinds Support or Vigilance. These modes lower your SolarWinds protection significantly.

Q: I see a detection for a file that is not on the endpoint. What happened?

A: The Agent can sometimes catch a file during download and run the partial file through its engines. This does not happen often, but it is confusing when it does. If the detected file has an extension such as .partial, .crdownload, .part, or .tmp, it is a partial download: the browser or downloader renames or deletes it when the download completes, which is why you cannot find it on the endpoint afterwards.

To resolve this, create a DFI-mode path exclusion for the default download path, limited to the detected file extension, for example: %USERPROFILE%\Downloads\*.tmp. Do not exclude the whole download folder (%USERPROFILE%\Downloads\*); that would stop the engine from inspecting every file a user downloads.

Now that we have filtered the false-positive list for real threats that behave badly, scripts and files to improve with secure coding, and interoperability exclusions when necessary, what do you do next?

Important

Be careful! If you create incorrect exclusions, you can open your environment to malware.

If the root process of a threat group is suppressed, events of the entire group, including all child processes it spawns, are also suppressed.

Consult with SolarWinds Support before you use Interoperability or Performance exclusions. These modes not only suppress alerts but also lower the Agent's visibility of events and processes.

See also: Not Recommended Exclusions

If you are confident that you have a false positive detection:

Method 1

  • Create a hash exclusion from the threat
  • If this does not resolve the issue, continue to method 2

To add a hash exclusion automatically after threat analysis:

  1. Select Analyze from the left Nav bar (Integrations > EDR menu)
  2. Click a threat to open the Incident details
  3. In the header of the Incident details, click Actions and select Add To Exclusions
  4. In the New Exclusions dialog, Hash usually shows as the Exclusion Type. If not, you can select it.
  5. If Hash does not show as an option, it is not available for this threat.

    The OS, Hash, Scope, and Description are taken automatically from the threat.

    Best Practice: Keep all exclusions on the narrowest scope possible

  6. Click Save

If you still get the false positives, continue to method 2.

Method 2

Create a Suppress Alerts mode path exclusion from the threat. If possible, select the specific engine to suppress alerts from; usually one engine category is responsible for most of the alerts, and suppressing only that engine keeps the others watching the path. If this does not resolve the issue, open a ticket with Support.

  1. In the Incident details of a threat, find the detecting engine.
  2. In the header of the Incident details, click Actions and select Add To Exclusions
  3. Select Path as the Exclusion Type
  4. If Path does not show as an option, it is not available for this threat.
  5. Click More Options.
  6. Keep Suppress Alerts as the selected option
  7. Click All Engines and select the engine category that contains your detecting engine (from step 1)
  8. If there are multiple detecting engines (for example, both DFI and Behavioral), you can leave All Engines selected
  9. Click Save

If you are not confident, or want to consult with experts about the best exclusion for your environment, contact Support.
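Before and after applying either method, it is worth running the current exclusion list through the warnings in this article: Performance Focus modes only on Support instruction, Interoperability modes lower visibility, Global scope is wider than necessary, a bare wildcard under a download or temp folder means nothing dropped there is ever inspected, and a hash exclusion is the narrowest choice. The Python below is an added example that encodes those rules; it is not code from this article or from SolarWinds/SentinelOne. The record field names (type, value, mode, scope, engines), the SHA-1 hash format, and the list of user-writable roots it treats as risky are assumptions for the example, and the sample exclusions are constructed.

```python
"""Audit an exported EDR exclusion list for entries that weaken protection.

Added example for this article; not code from SolarWinds or SentinelOne.
Record field names (type, value, mode, scope, engines) are an assumption about
the export, and the user-writable roots below are this example's own heuristic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PERFORMANCE_MODES = {"performance focus", "performance focus - extended"}
INTEROP_MODES = {"interoperability", "interoperability - extended"}
# Assumption: hash exclusions are SHA-1 (40 hex characters).
SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Locations any user can write to; a bare wildcard directly under one of them
# means nothing dropped or downloaded there is inspected (example heuristic).
USER_WRITABLE_ROOTS = (
    "%temp%", "%tmp%", "%userprofile%", "%userprofile%\\downloads",
    "%appdata%", "%localappdata%", "%public%",
)

# Constructed sample export (not real data, not the product's schema).
SAMPLE_EXCLUSIONS = [
    {"type": "hash", "value": "3395856ce81f2b7382dee72602f798b642f14140",
     "mode": None, "scope": "Site: HQ", "engines": None},
    {"type": "path", "value": r"%USERPROFILE%\Downloads\*.tmp",
     "mode": "Suppress Alerts", "scope": "Group: Workstations", "engines": ["DFI"]},
    {"type": "path", "value": r"C:\*",
     "mode": "Performance Focus", "scope": "Global", "engines": ["All"]},
    {"type": "path", "value": r"C:\Program Files\Veeam\*",
     "mode": "Interoperability", "scope": "Site: HQ", "engines": ["All"]},
    {"type": "path", "value": r"%TEMP%\*",
     "mode": "Suppress Alerts", "scope": "Global", "engines": ["All"]},
]


@dataclass
class Finding:
    severity: str  # "low", "medium" or "high"
    value: str
    reason: str


def _is_drive_root_wildcard(path: str) -> bool:
    """True for '*', 'C:\\*' or 'C:\\**': the whole volume is excluded."""
    p = path.strip().lower()
    return p == "*" or re.fullmatch(r"[a-z]:\\\*{1,2}", p) is not None


def _is_broad_user_path(path: str) -> bool:
    """True for a bare '\\*' directly under a user-writable root.

    An extension-limited pattern such as '%USERPROFILE%\\Downloads\\*.tmp'
    (the article's partial-download exclusion) is deliberately not flagged.
    """
    p = path.strip().lower()
    return p.endswith("\\*") and p[:-2] in USER_WRITABLE_ROOTS


def audit_exclusion(x: dict) -> list[Finding]:
    """Return the findings for one exclusion record; an empty list is clean."""
    findings: list[Finding] = []
    kind = x["type"].lower()
    value = x["value"]
    mode = (x.get("mode") or "").lower()
    scope = (x.get("scope") or "").lower()
    engines = [e.lower() for e in (x.get("engines") or [])]

    if kind == "hash":
        # A hash only ever matches one file, so it is the narrowest exclusion;
        # just sanity-check the format.
        if not SHA1_RE.match(value):
            findings.append(Finding("low", value, "hash is not 40 hex chars (SHA-1 assumed)"))
        return findings
    if kind != "path":
        return findings

    if mode in PERFORMANCE_MODES:
        findings.append(Finding("high", value, f"{x['mode']} mode lowers protection significantly; only on Support/Vigilance instruction"))
    elif mode in INTEROP_MODES:
        findings.append(Finding("medium", value, f"{x['mode']} mode lowers Agent visibility; confirm with Support"))

    if _is_drive_root_wildcard(value):
        findings.append(Finding("high", value, "drive-root wildcard excludes the whole volume"))
    elif _is_broad_user_path(value):
        findings.append(Finding("high", value, "bare wildcard under a user-writable location; limit it to the detected extension"))

    if scope == "global":
        findings.append(Finding("medium", value, "Global scope; narrow to the affected site or group"))

    if mode == "suppress alerts" and "all" in engines:
        findings.append(Finding("low", value, "suppresses all engines; pick the detecting engine category from the Incident details if only one fires"))
    return findings


def audit(exclusions: list[dict]) -> dict[str, list[Finding]]:
    """Audit every record, keyed by the exclusion value."""
    return {x["value"]: audit_exclusion(x) for x in exclusions}


def max_severity(findings: list[Finding]) -> str:
    order = {"none": 0, "low": 1, "medium": 2, "high": 3}
    return max((f.severity for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for value, found in audit(SAMPLE_EXCLUSIONS).items():
        print(f"[{max_severity(found):>6}] {value}")
        for f in found:
            print(f"         - {f.severity}: {f.reason}")
```

In the constructed sample, the hash exclusion and the extension-limited Downloads exclusion come back clean, while the drive-root Performance Focus entry and the bare %TEMP%\* wildcard are rated high. Treat the rules as a starting point: the entries Support asks you to create for a specific interoperability case will still be flagged medium, which is the reminder to record why they exist.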

Best Practice: Information required by support to investigate

  1. Fetch Agent and endpoint logs.
  2. Open a ticket with SolarWinds Support. Ask for a ShareFile link to upload your logs.
  3. When you open a ticket with Support, enter this required information:
    • A username that is registered with SolarWinds
    • Management FQDN
    • If you are on cloud-based management, a link to the alert for the detection:

    Open the detection in the Incident details page and send the URL. It will be similar to:
    https://yourco.sentinelone.net/analyze/threats/#############/overview

  4. If possible, provide Support with a copy of the software
    • This can be critical for the analysis of detections that are blocked in the pre-execution stage.

To use all path exclusions correctly, make sure to see Best Practices for Exclusions.