Introduction
This document describes how to collect a False Positive file analysis in Cisco Secure Endpoint.
Prerequisites
Requirements
Cisco recommends that you have knowledge of the Secure Endpoint Console dashboard.
Components Used
The information in this document is based on Secure Endpoint version 7.X.X and later.
Note: An account with administrator privileges is needed.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Secure Endpoints can generate excessive alerts on a certain file/process/Secure Hash Algorithm (SHA) 256. If you suspect any False Positive detections in your network, you can contact the Cisco Technical Assistance Center (TAC), and the Diagnostic Team proceeds to do a deeper file analysis. When you contact Cisco TAC, you need to provide this information:
• File SHA 256 hash
• File sample copy
• Alert Event capture from Secure Endpoint Console
• Event Details captured from Secure Endpoint Console
• Information about the file (where it came from and why it needs to be in the environment)
• An explanation of why you believe the file/process is a false positive
Cisco always strives to improve and expand the threat intelligence for Secure Endpoint technology; however, if your Secure Endpoint solution triggers an alert erroneously, you can take some actions in order to prevent any further impact to your environment. This document provides a guideline to gather all required details to open a case with Cisco TAC with regards to a False Positive issue. Based on the Diagnostic Team file analysis, the file disposition can change to stop the Alert Events triggered on Secure Endpoint Console, or Cisco TAC can provide the proper fix to let the file/process run without issues in your environment.
Troubleshoot False Positive File Analysis in Secure Endpoint
This section provides the information you can use to get all details needed to open a False Positive ticket with Cisco TAC.
1. File SHA 256 Hash
Step 1. In order to get the SHA 256 hash, navigate to Secure Endpoint Console > Dashboard > Events.
Step 2. Select the Alert Event, click on the SHA256, and select Copy, as shown in the image.
2. File Sample Copy
Step 1. You can get the file sample from Secure Endpoint Console; navigate to Secure Endpoint Console > Dashboard > Events.
Step 2. Select the Alert Event, click on the SHA256, and navigate to File Fetch > Fetch File, as shown in the image.
Step 3. Select the device where the file was detected and click on Fetch, as shown in the image.
Note: The device must be ON in order to get the sample file successfully.
Step 4. You receive the message shown in the image.
After a few minutes, you receive an email notification when the file is available to download, as shown in the image.
Step 5. Navigate to Secure Endpoint Console > Analysis > File Repository and select Download, as shown in the image.
Step 6. A notification box appears; click on Download, as shown in the image, and the file is downloaded as a ZIP file.
3. Alert Event Capture from Secure Endpoint Console
Step 1. Navigate to Secure Endpoint Console > Dashboard > Events.
Step 2. Select the Alert Event and take the capture, as shown in the image.
4. Event Details Capture from Secure Endpoint Console
Step 1. Navigate to Secure Endpoint Console > Dashboard > Events.
Step 2. Select the Alert Event and click on the Device Trajectory option, as shown in the image.
It redirects to the Device Trajectory details, as shown in the image.
Step 3. Take a capture of the Event Details box, as shown in the image.
Step 4. If necessary, scroll down and take additional captures to get all of the Event Details information, as shown in the image.
5. Information About the File
- Information about where the file came from
- If the file comes from a website, share the web URL
- Share a little file description and explain the file function
6. Explanation
- Why do you believe that the file/process can be a false positive?
- Share the reasons you trust the file.
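Before the case is opened, it is worth confirming that the sample pulled from the File Repository really is the file the Alert Event reported, and that none of the six items above is missing. The following Python script is an added example, not part of this document or of Secure Endpoint itself: it unpacks a downloaded ZIP, compares each member's SHA-256 with the hash copied from the Events view, and builds a checklist of the items TAC asks for. The ZIP content, file name and item names are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the fetched sample; not a real detection or real file.
SAMPLE_NAME = "constructed_sample.bin"
SAMPLE_BYTES = b"constructed sample content for a false positive case\n"

# The six items the Background Information section says TAC needs (names are ours).
REQUIRED_ITEMS = ("file_sha256", "file_sample_zip", "alert_event_capture",
                  "event_details_captures", "file_information", "false_positive_rationale")

def sha256_hex(data: bytes) -> str:
    """SHA-256 as lowercase hex, the form shown in the Events view."""
    return hashlib.sha256(data).hexdigest()

def build_sample_zip(name: str, data: bytes) -> bytes:
    """In-memory ZIP standing in for the File Repository download (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def verify_sample(zip_bytes: bytes, expected_sha256: str) -> dict:
    """Hash each file in the downloaded ZIP; True where it matches the console hash."""
    expected = expected_sha256.strip().lower()
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                results[info.filename] = sha256_hex(zf.read(info)) == expected
    return results

def build_case_manifest(case: dict) -> dict:
    """Flag missing items and confirm the sample is the file the alert reported."""
    missing = [item for item in REQUIRED_ITEMS if not case.get(item)]
    verified = False
    if "file_sha256" not in missing and "file_sample_zip" not in missing:
        verified = any(verify_sample(case["file_sample_zip"], case["file_sha256"]).values())
    return {"missing": missing, "sample_matches_console_hash": verified,
            "ready_for_tac": not missing and verified}

if __name__ == "__main__":
    zip_bytes = build_sample_zip(SAMPLE_NAME, SAMPLE_BYTES)
    case = {"file_sha256": sha256_hex(SAMPLE_BYTES), "file_sample_zip": zip_bytes,
            "alert_event_capture": "alert_event.png", "event_details_captures": ["details_1.png"],
            "file_information": "constructed: internal tool", "false_positive_rationale": "constructed"}
    print(build_case_manifest(case))
```

A hash mismatch means the wrong device or file was fetched in Step 3 of section 2, so repeat the fetch rather than sending the sample.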
Provide Information