Manage False Positives
Occasionally, Cybereason will trigger MalOps for items or behaviors that are benign in your environment. After you analyze the MalOp and determine that the cause is benign, you can consider this MalOp a false positive and proceed accordingly.
Cybereason strongly recommends that you address false positives using the methods presented in this topic to ensure that the Cybereason platform does not generate MalOps for the same behavior in the future. This action frees your analysts to focus on confirmed malicious results.
Exclude a MalOp during the remediation phase
If, during the remediation process, you determine that a MalOp is benign in your environment and its root cause is a file hash, IP, or domain that the platform flagged as malicious, you can use the Exclude option to instruct the Cybereason platform not to trigger the same MalOp in the future.
To exclude a MalOp during the remediation process, follow these steps:
Navigate to the Respond to Malop window. The steps depend on your environment type:
Environments with the Data Platform Infrastructure: do one of the following:
- In the Malops management screen, in the MalOps grid, select a MalOp and, above the MalOps list, click Exclude.
- In the MalOp details screen, click Exclude.
Environments without the Data Platform Infrastructure: do one of the following:
- From the Malops management screen, select the appropriate MalOp and click Respond.
- From the Malop details screen, select Respond in the upper right corner. For Endpoint Protection MalOps, you can also click Exclude directly from this screen.
Then, in the Respond to Malop window, select Malop is benign - Exclude. The Exclude Malop window appears.
You will be given one or both of the following options, depending on the MalOp:
Versions 23.2.24 and earlier:
Add root cause to allowlist: The Cybereason platform adds the hash, IP, process, module, or domain to the allowlist.
Create behavioral allowlist rule: Directs you to the Behavioral allowlisting screen to build a behavioral allowlisting rule for the behavior represented in this MalOp.
Set investigation status to Closed: Automatically closes the MalOp.
Versions 23.2.40 and later:
Set as false positive and stop future recurrences: Marks the MalOp and its root causes as a false positive. The Cybereason platform records this and prevents future instances of this same type of MalOp.
Set as false positive only: Marks the MalOp and its root causes as a false positive.
Unquarantine files: Removes files from quarantine. This option is available for Anti-Malware > Signatures-generated MalOps only, from version 23.2.12x and higher (contact Support to enable this feature).
Send file for analysis: Reports the file to Cybereason for analysis, to help us improve detection accuracy and reduce false positives. Upload the file here. The file hash is added to your Reputation > Allowlist. This option is available for Anti-Malware > Signatures-generated MalOps only, from version 23.2.12x and higher (contact Support to enable this feature).
BAL rule: Directs you to the Behavioral Allowlisting screen to create a behavioral allowlisting rule for the MalOp behavior. This option displays only if you select the Set as false positive and stop future recurrences option, and only for AI Hunting MalOps. If needed, for AI Hunting MalOps, in the Set option to field, select the root cause of the MalOp to automatically populate the root cause for your behavioral allowlisting rule. For Endpoint Protection MalOps, the Cybereason platform automatically selects the root cause for the Set option to field; you cannot modify this field.
Reputation list: Adds the identifier (file hash, IP address, or domain name) for the root cause to your environment’s allowlist. This option is available only for AI Hunting MalOps. When the Cybereason platform adds this reputation to the allowlist, the item displays Excluded by <user> in the Description column.
Set investigation status to Closed/Close MalOp after exclusion: Automatically closes the MalOp. The Cybereason platform selects this option by default.
Click Exclude. A confirmation screen appears. Click Done to close the dialog box.
If you selected the option to add a behavioral allowlisting rule, the Behavioral Allowlisting screen opens.
Excluded MalOps are marked as Excluded in the Malops management screen.
If you later reopen the MalOp for further investigation, the actions you applied in the steps above are reversed. For example, if you excluded a MalOp and chose to add the item to your environment’s allowlist, setting the MalOp to Reopened removes the item from the allowlist.
Report false positives
You can report false positives from the options menu (the three dots) at the top-right of the MalOp Details screen. This helps Cybereason improve our detection accuracy and reduces false positives in the future. This feature is available for Anti-Malware > Signatures-generated MalOps from version 23.2.12x and higher.
From the top-right options menu, click Report file for analysis.
Upload the file and click Report File. You can load files up to 20 MB.
You can also report false positives from the Exclude screen (see above).
After the file is submitted, a success message appears at the bottom of the screen, with a link to the support case that was created on the Nest. Note that the case becomes visible after a delay of a few minutes.
Update reputations for items associated with MalOps
You can manually add items to your organization’s allowlist, or build behavioral allowlisting rules to prevent certain behaviors from triggering MalOps.
You can add files, domains, IP addresses, processes, and modules associated with a false positive MalOp to your organization’s allowlist. Once the items are on the allowlist, the Cybereason platform does not generate MalOps for them. For details, see Manage Reputations.
Manually add behavioral allowlisting rules for behaviors in the MalOp
When you create a behavioral allowlist rule, you explicitly instruct the Cybereason platform not to generate a MalOp for the specific behavior in the rule. Create behavioral allowlist rules for each false positive result, and especially for scenarios in which you see numerous false positive results. For details, see Manage Behavioral Allowlisting Rules.
Adjust Anti-Malware sensitivity
If you find a large number of false positive Endpoint Protection MalOps, you may want to adjust your Anti-Malware settings to a less aggressive setting. For details, see Set the Anti-Malware Modes.