2014-12-15 01:18 PM
We are a multi-national company with the US being our headquarters. We are trying to determine if we are seeing false positives from First Watch or if there is a real issue for concern,
since this site is considered a web service in China (www.baidu.com) but is showing up under FirstWatch - C2 - ip.
Thanks
2014-12-16 09:07 AM
From all threat sources, generally they are not going to be false positives but just more information to add to alerts, which you can then determine to be real or false.
From what I have seen in our environment, maybe www.baidu.com is hosted on a bad IP/load balancer, but it is actually only affected on port 8080 and not 443. So if you see any traffic to that IP that is not considered normal, then maybe you have an issue.
You will find this a lot with URLs such as dl.dropbox.com. Almost all threat sources are going to see that as a malicious top-level domain. But really it is just one file hosted on it. Maybe you want to investigate this and make sure you are not visiting those sites, but you likely don't want to block Dropbox completely because of it.
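The scoping the reply describes (an IP that is only bad on port 8080, a file-hosting domain where only one file is bad) can be encoded in how indicators are matched. The following is an added example, not code from either poster or from any threat-feed product; the indicator fields, the feed entries and the 203.0.113.10 address (RFC 5737 documentation range) are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Indicator:
    """One threat-feed entry, scoped as narrowly as the feed allows.
    Constructed schema for this example, not a real feed format."""
    value: str                  # IP address or hostname
    port: Optional[int] = None  # None means any port
    path: Optional[str] = None  # None means any URL path
    source: str = "feed"


@dataclass(frozen=True)
class Observation:
    """A single observed connection or request from proxy/firewall logs."""
    host: str
    port: int
    path: str = "/"


def indicator_matches(ind: Indicator, obs: Observation) -> bool:
    """True only when every scoped field of the indicator agrees with the observation."""
    if ind.value != obs.host:
        return False
    if ind.port is not None and ind.port != obs.port:
        return False
    if ind.path is not None and ind.path != obs.path:
        return False
    return True


def triage(indicators, obs: Observation):
    """Return (verdict, matched indicators): 'allow', 'review' or 'alert'."""
    hits = [i for i in indicators if indicator_matches(i, obs)]
    if not hits:
        return "allow", []
    # A hit on a port- or path-scoped indicator is a strong signal; a bare
    # hostname hit on a shared service (CDN, file host) only warrants review,
    # which is the "investigate, but don't block Dropbox" case above.
    if any(i.port is not None or i.path is not None for i in hits):
        return "alert", hits
    return "review", hits


# Constructed sample feed mirroring the two situations in the thread.
FEED = [
    Indicator("203.0.113.10", port=8080, source="C2-ip"),           # shared IP, bad only on 8080
    Indicator("dl.dropbox.com", path="/u/12345/evil.exe", source="bad-url"),
    Indicator("dl.dropbox.com", source="bad-domain"),               # whole-domain feed entry
]
```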