Troubleshoot False Positive File Analysis Events in Cisco Secure Endpoint

Available Languages

Download Options

  • PDF     (1.5 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.7 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (640.4 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:May 25, 2020
Document ID:215993

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to collect a False Positive file analysis in Cisco Secure Endpoint.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of the Secure Endpoint Console dashboard.

    Components Used

    The information in this document is based on Secure Endpoint version 7. X.X and later.

    Note: An account with administrator privileges is needed.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Secure Endpoints can generate excessive alerts on a certain file/process/Secure Hash Algorithm (SHA) 256. If you suspect any False Positive detections in your network, you can contact the Cisco Technical Assistance Center (TAC), and the Diagnostic Team proceeds to do a deeper file analysis. When you contact Cisco TAC, you need to provide this information:


    • File SHA 256 hash
    • File sample copy
    • Alert Event capture from Secure Endpoint Console
    • Event Details captured from Secure Endpoint Console
    • Information about the file (where it came from and why it needs to be in the environment)
    • Explain why you believe the file/process can be a false positive

    Cisco always strives to improve and expand the threat intelligence for Secure Endpoint technology, however, if your Secure Endpoint solution triggers an alert erroneously, you can take some actions in order to prevent any further impact to your environment. This document provides a guideline to get all required details to open a case with Cisco TAC with regards to a False Positive issue. Based on the Diagnostic Team file analysis, the file disposition can change to stop the Alert Events triggered on Secure Endpoint Console or Cisco TAC can provide the proper fix to let run the file/process without issues in your environment.

    Troubleshoot False Positive File Analysis in Secure Endpoint

    This section provides the information you can use to get all details needed to open a False Positive ticket with Cisco TAC.

    1. File SHA 256 Hash

    Step 1. In order to get the SHA 256 hash, navigate toSecure Endpoint Console > Dashboard > Events.


    Step 2. Select theAlert Event andclick on theSHA256and selectCopyas shown in the image.

    imagen 1

    2. File Sample Copy

    Step 1. You can get the file sample from Secure Endpoint Console, navigate toSecure Endpoint Console > Dashboard > Events.


    Step 2. Select theAlert Event , click on theSHA256and navigate toFile Fetch > Fetch Fileas shown in the image.

    file fetch_ok

    Step 3. Select the device where the file was detected and click onFetchas shown in the image.

    3-step3

    Note: Device must be ON, in order to get the sample file successfully.

    Step 4. You receive the messageas shown in the image.

    4-Step 4

    After a few minutes, you receive an email notification when the file is available to download as shown in the image.

    5-After some minutes

    Step 5. Navigate to Secure Endpoint Console > Analysis > File Repositoryand selectDownloadas shown in the image.

    6 es el step 5

    Step 6. A notification box appears, click on Download, as shown in the image, and the file is downloaded as a ZIP file.

    11 warning

    3. Alert Event Capture from Secure Endpoint Console

    Step 1. Navigate toSecure Endpoint Console > Dashboard > Events.


    Step 2. Select theAlert Eventand take the capture as shown in the image.

    8 Step2 alert event

    4. Event Details Capture from Secure Endpoint Console

    Step 1. Navigate toSecure Endpoint Console > Dashboard > Events.


    Step 2. Select the Alert Event and click onDevice Trajectorythe option as shown in the image.

    9 Step2 device trajectory

    It redirects toDevice Trajectorydetails as shown in the image.

    10-It redirects

    Step 3. Take a capture ofEvent Detailsbox as shown in the image.

    11-take a capture

    Step 4. If it is necessary, scroll down and take some captures to get all Event Details information as shown in the image.

    11-step4 if it is


    5. Information About the File

    • Information about where the file came from
    • If the file comes from a website, share the web URL 
    • Share a little file description and explain the file function

    6. Explanation

    • Why do you believe that the file process can be a false positive? 
    • Share the reasons you trust the file.

    Provide Information

    Revision History

    Revision Publish Date Comments
    1.0
    02-Sep-2020
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Jesus Javier Martinez
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products