'Runs Malicious File By Reputation Service' alert generated on known good file
What's the best way to deal with supposed malicious files generating alerts for files that NW thinks is malicious but is not.
As one example, we keep getting alerts for MobaXterm, I'd like to know for these files that we determine are not malicious how to handle them.
|Timestamp||09/07/2021 04:31:13.000 pm 26 minutes ago|
The best option for both this and your Outbound from Unsigned AppData Directory question will be to adjust the app rule on the log decoder that is source of the alert.
In the log decoder config menu find the "malicious file by reputation service" rules (there 3):
....and add the meta for your known-good apps/processes to these. Using your mobaxterm details as an example, you could add:
&& (not(dir.path.src='C:\Program Files (x86)\Mobatek\MobaXterm\' && filename.src='MobaXterm.exe' && param.src='MobaXterm.exe'))
Note that I am purposefully excluding the sha256 value here, as that will change after any upgrade to mobaxterm.
Thinking about this a bit more, I'm almost positive that there are going to be more files that I'll need to exclude from this rule. Would creating an apprule above these rules that creates temporal meta and then specifying that meta key in the endpoint rule as the not statement.
Then I don't need to mess with the endpoint rule anymore than I have to and then just add all the excluded exes in the rule above it.
That is absolutely a valid solution. Depending on how many files you end up whitelisting, you may eventually want to create a handful of app rules to keep them from being to large/complex.