https://community.cisco.com/t5/network-security/ips-false-positives-on-malware-signatures/m-p/4289178#M1078329 Hi,<BR /><BR />I think you need to have some best practices in place to reduce the amount<BR />of false positives.<BR /><BR />1. Make sure that you have a list of whitelisted URL that you don't need to<BR />do any inspection on. This includes microsoft, apple, cisco, adobe, eset,<BR />vmware, oracle, etc. These are trusted vendors and there is no point in<BR />inspecting their traffic<BR />2. Have a list of whitelisted SSL sites that don't need decryption (similar<BR />to the one above).<BR />3. Have a list of trusted apps basically a combination if high business<BR />relevance with low risk<BR />4. Ensure that you have IAB configured for better inspection performance.<BR /><BR /><BR />These relevant to your query. There are others related to each feature such<BR />as File Policy, IPS, DNS, Identity, etc.<BR /><BR />****** please remember to rate useful posts<BR /> Wed, 10 Feb 2021 06:02:29 GMT Mohammed al Baqari 2021-02-10T06:02:29Z https://community.cisco.com/t5/network-security/ips-false-positives-on-malware-signatures/m-p/4288832#M1078309 <P>Dear community,</P><P>we have recently noticed several false positives on our IPS based on Firepower Managment Center, in particular signatures:</P><P>&nbsp;</P><TABLE><TBODY><TR><TD>MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (1:56933:1)</TD></TR><TR><TD>MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (1:56912:1)</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>both of them seems to have legit traffic to Adobe.com or Eset.com. Why are detected as malware? Is there some additional tuning to do on our side?</P><P>Any ideas are welcome. Thank you!</P><P>R</P> Tue, 09 Feb 2021 17:10:19 GMT https://community.cisco.com/t5/network-security/ips-false-positives-on-malware-signatures/m-p/4288832#M1078309 rick11 2021-02-09T17:10:19Z https://community.cisco.com/t5/network-security/ips-false-positives-on-malware-signatures/m-p/4289178#M1078329 Hi,<BR /><BR />I think you need to have some best practices in place to reduce the amount<BR />of false positives.<BR /><BR />1. Make sure that you have a list of whitelisted URL that you don't need to<BR />do any inspection on. This includes microsoft, apple, cisco, adobe, eset,<BR />vmware, oracle, etc. These are trusted vendors and there is no point in<BR />inspecting their traffic<BR />2. Have a list of whitelisted SSL sites that don't need decryption (similar<BR />to the one above).<BR />3. Have a list of trusted apps basically a combination if high business<BR />relevance with low risk<BR />4. Ensure that you have IAB configured for better inspection performance.<BR /><BR /><BR />These relevant to your query. There are others related to each feature such<BR />as File Policy, IPS, DNS, Identity, etc.<BR /><BR />****** please remember to rate useful posts<BR /> Wed, 10 Feb 2021 06:02:29 GMT https://community.cisco.com/t5/network-security/ips-false-positives-on-malware-signatures/m-p/4289178#M1078329 Mohammed al Baqari 2021-02-10T06:02:29Z https://community.cisco.com/t5/network-security/ips-false-positives-on-malware-signatures/m-p/4289418#M1078355 <P>Hello Mohammed,</P><P>we don't have SSL ispection for legal reasons. The idea to create a whitelist make sense and we can try to implement. I guess this is part of the URL filtering in the policy.</P><P>R</P> Wed, 10 Feb 2021 14:17:30 GMT https://community.cisco.com/t5/network-security/ips-false-positives-on-malware-signatures/m-p/4289418#M1078355 rick11 2021-02-10T14:17:30Z https://community.cisco.com/t5/network-security/ips-false-positives-on-malware-signatures/m-p/4289431#M1078357 Yes it is part of url filtering.<BR /> Wed, 10 Feb 2021 14:53:19 GMT https://community.cisco.com/t5/network-security/ips-false-positives-on-malware-signatures/m-p/4289431#M1078357 Mohammed al Baqari 2021-02-10T14:53:19Z