[SkyATP] Creating a temporary workaround for False Positives

Article ID: KB34034 KB Last Updated: 31 Dec 2020Version: 3.0
Summary:

Sky ATP analysis may sometimes assign a file a high Threat Level verdict based on its internal detection mechanisms. In some cases that verdict is incorrect, and the customer will designate the file as a False Positive.

Depending on how Sky ATP is configured on the customer's SRX device, this may result in clients being unable to access the internet because they have been added to the Infected Hosts list.

This article gives a workaround that can be implemented while the False Positive is being analyzed.


Symptoms:

Clients may be unable to access the internet.


Solution:

This method is a temporary workaround while the Sky ATP Development team analyzes the False Positive reported (per the process shown below).

Locate the file that Sky ATP has designated with a high Threat Level verdict on the Sky ATP Portal under Monitoring > File Scanning > HTTP File Downloads.

Use the following process to report the False Positive and collect additional details related to the file:

  • Select the file from the HTTP File Downloads List.

  • Report the False Positive.

    • Create a note to describe why it is believed that the file is a False Positive.

    • Click OK to report to the Sky ATP Development team.

    • A message indicating that a False Positive Report has been submitted is displayed.

  • Under Other Details, locate the sha256 value.

  • Copy the sha256 value to a Text Editor.

  • Save the file.


To create and upload the file, perform the following steps:

Navigate to Configure > Whitelists > Hash File.

  • Select the "Select Hash File Items Upload Option."

  • Select one of the following:

    • Replace current list

    • Merge with current list

    • Delete from current list

  • Browse to the location of the text file in which you saved the sha256 value of the reported False Positive.

  • Click OK.

Depending on the option selected, the current Hash list is replaced by the uploaded entries, merged with them, or has them deleted from it.

When this is complete, an allowlist is created in Sky ATP and sent down to the SRX device that is enrolled in Sky ATP as a new Security Intelligence value.
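The following Python helper is an added example, not Juniper's code: it confirms that the sha256 value copied from Other Details matches the file actually in hand before it is allowlisted, validates the text file as a list of SHA-256 digests, and mirrors the three upload options (replace, merge, delete) against a current list. It assumes one lowercase hex SHA-256 per line with blank lines ignored (the KB does not state the file format), and the sample file bytes and "portal" value are constructed.

```python
import hashlib
import re

# Assumption (not stated in the KB): one lowercase hex SHA-256 per line, blanks ignored.
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 of the downloaded file, to compare with the portal's Other Details value."""
    return hashlib.sha256(data).hexdigest()


def parse_hash_file(text: str) -> list[str]:
    """One hash per line; reject anything that is not a 64-hex SHA-256 digest."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower()
        if not line:
            continue
        if not HEX64.match(line):
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest: {raw!r}")
        entries.append(line)
    return entries


def apply_upload_option(current: list[str], uploaded: list[str], option: str) -> list[str]:
    """Mirror the portal's three upload options: replace, merge, delete (deduplicated)."""
    if option == "replace":
        result = uploaded
    elif option == "merge":
        result = current + uploaded
    elif option == "delete":
        drop = set(uploaded)
        result = [h for h in current if h not in drop]
    else:
        raise ValueError(f"unknown option {option!r}")
    return list(dict.fromkeys(result))  # dedupe while keeping order


def build_entry(portal_sha256: str, local_file: bytes) -> str:
    """Allowlist the hash only if it matches the file actually in hand."""
    local = sha256_of_bytes(local_file)
    if local != portal_sha256.strip().lower():
        raise ValueError("portal sha256 does not match the local file; do not allowlist")
    return local + "\n"


# Constructed sample: the downloaded file and the value copied from Other Details.
SAMPLE_FILE = b"installer-v1.0.exe contents (constructed sample)"
PORTAL_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()
CURRENT_LIST = ["a" * 64, "b" * 64]
```

Write the string returned by `build_entry` to the text file that is uploaded under Configure > Whitelists > Hash File.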

For more information about allowlists and blocklists, refer to Allowlist and Blocklist Overview.


Modification History:
2020-12-31: Replaced words that failed to represent the inclusion and diversity Juniper values