This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

'Runs Malicious File By Reputation Service' alert generated on known good file

Anonymous
Not applicable

‎2021-07-09 03:00 AM

What's the best way to deal with supposed malicious files generating alerts for files that NW thinks is malicious but is not.

As one example, we keep getting alerts for MobaXterm, I'd like to know for these files that we determine are not malicious how to handle them.

Timestamp 09/07/2021 04:31:13.000 pm 26 minutes ago
Type Endpoint
Source
Path C:\Program Files (x86)\Mobatek\MobaXterm\
File Sha256 d59195282afc64d483ad180f9f95482834cc73c6a2fb66878fa3163df6b94827
Filename MobaXterm.exe
Launch Argument MobaXterm.exe
0 Likes
3 REPLIES 3

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor

‎2021-07-09 11:14 AM

@Anonymous 

The best option for both this and your Outbound from Unsigned AppData Directory question will be to adjust the app rule on the log decoder that is source of the alert.

In the log decoder config menu find the "malicious file by reputation service" rules (there 3):

JoshRandall_0-1625843060633.png

....and add the meta for your known-good apps/processes to these. Using your mobaxterm details as an example, you could add:

&& (not(dir.path.src='C:\Program Files (x86)\Mobatek\MobaXterm\' && filename.src='MobaXterm.exe' && param.src='MobaXterm.exe'))

JoshRandall_1-1625843421322.png

Note that I am purposefully excluding the sha256 value here, as that will change after any upgrade to mobaxterm.


Mr. Mongo
0 Likes

Anonymous
Not applicable
In response to JoshRandall

‎2021-07-10 03:05 AM

Thanks.

Thinking about this a bit more, I'm almost positive that there are going to be more files that I'll need to exclude from this rule. Would creating an apprule above these rules that creates temporal meta and then specifying that meta key in the endpoint rule as the not statement.

Then I don't need to mess with the endpoint rule anymore than I have to and then just add all the excluded exes in the rule above it.

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor

‎2021-07-12 12:00 PM

@Anonymous 

That is absolutely a valid solution. Depending on how many files you end up whitelisting, you may eventually want to create a handful of app rules to keep them from being to large/complex.


Mr. Mongo
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.