IPS False positives on Malware signatures

rick11
Level 1

Dear community,

we have recently noticed several false positives on our IPS based on Firepower Management Center, in particular signatures:

MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (1:56933:1)
MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (1:56912:1)

Both of them seem to have legit traffic to Adobe.com or Eset.com. Why are they detected as malware? Is there some additional tuning to do on our side?

Any ideas are welcome. Thank you!

R


Hi,

I think you need to have some best practices in place to reduce the amount of false positives.

1. Make sure that you have a list of whitelisted URLs that you don't need to do any inspection on. This includes Microsoft, Apple, Cisco, Adobe, ESET, VMware, Oracle, etc. These are trusted vendors and there is no point in inspecting their traffic.
2. Have a list of whitelisted SSL sites that don't need decryption (similar to the one above).
3. Have a list of trusted apps, basically a combination of high business relevance with low risk.
4. Ensure that you have IAB configured for better inspection performance.

These are relevant to your query. There are others related to each feature such as File Policy, IPS, DNS, Identity, etc.

****** please remember to rate useful posts
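As an added example (not from this thread or from Cisco), here is a small triage script for the two signatures above: it splits alerts whose destination host belongs to a trusted-vendor domain from those that only look like one. The event lines, field layout, and the trusted-domain list are constructed assumptions, not an FMC export format.

```python
"""Triage helper for IPS alerts on trusted-vendor destinations (added example).

The events below are constructed; the pipe-separated layout (timestamp,
gid:sid:rev, message, source IP, destination IP, URL) is an assumption.
"""
from urllib.parse import urlsplit

# Signatures the thread reports as false positives.
SUSPECT_SIGNATURES = {"1:56933:1", "1:56912:1"}

# Trusted vendor domains, following the reply's whitelist idea (hypothetical list).
TRUSTED_DOMAINS = ("adobe.com", "eset.com")

# Constructed sample events (documentation IP ranges, made-up paths).
SAMPLE_EVENTS = """\
2024-01-10 09:12:01|1:56933:1|MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt|10.1.2.3|192.0.2.10|https://download.adobe.com/pub/reader.exe
2024-01-10 09:15:44|1:56912:1|MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt|10.1.2.4|192.0.2.20|http://update.eset.com/update/nod.exe
2024-01-10 09:20:07|1:56933:1|MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt|10.1.2.5|198.51.100.7|http://adobe.com.cdn-files.example/setup.exe
2024-01-10 09:21:30|1:12345:1|SOME OTHER RULE|10.1.2.6|192.0.2.30|https://www.adobe.com/"""

def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """Match on label boundaries, so adobe.com.cdn-files.example is NOT trusted."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def parse_event(line):
    ts, sig, msg, src, dst, url = line.split("|", 5)
    return {"ts": ts, "sig": sig, "msg": msg, "src": src, "dst": dst, "url": url}

def triage(lines, signatures=SUSPECT_SIGNATURES):
    """Return (likely false positives, events to investigate) for the suspect SIDs."""
    fp_candidates, investigate = [], []
    for line in lines.splitlines():
        ev = parse_event(line)
        if ev["sig"] not in signatures:
            continue  # other rules are out of scope for this tuning pass
        (fp_candidates if host_is_trusted(ev["url"]) else investigate).append(ev)
    return fp_candidates, investigate

if __name__ == "__main__":
    fps, inv = triage(SAMPLE_EVENTS)
    for ev in fps:
        print("likely false positive:", ev["sig"], ev["url"])
    for ev in inv:
        print("INVESTIGATE:", ev["sig"], ev["url"])
```

The third event shows why a substring match on the vendor name is not enough; an allowlist should key on the registered domain, and without TLS decryption the URL field may carry only the host, not the path.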

Hello Mohammed,

we don't have SSL inspection for legal reasons. The idea to create a whitelist makes sense and we can try to implement it. I guess this is part of the URL filtering in the policy.

R

Yes it is part of url filtering.