Manage False Positives

Occasionally, Cybereason will trigger MalOps for items or behaviors that are benign in your environment. After you analyze the MalOp and determine that the cause is benign, you can consider this MalOp a false positive and proceed accordingly.

Cybereason strongly recommends that you address false positives using the methods presented in this topic to ensure that the Cybereason platform does not generate MalOps for the same behavior in the future. This action frees your analysts to focus on confirmed malicious results.

Exclude a MalOp during the remediation phase

If, during the remediation process, you determine that a MalOp is benign in your environment and the root cause of the MalOp is a malicious file hash, IP, or domain, you can instruct the Cybereason platform not to trigger the same MalOp in the future by using the Exclude option.

To exclude a MalOp during the remediation process, follow these steps:

  1. Navigate to the Respond to Malop window. The steps depend on your environment type:

    Environments with the Data Platform Infrastructure: do one of the following:

    • In the Malops management screen, in the MalOps grid, select a MalOp and, above the MalOps list, click Exclude.

    • In the MalOp details screen, click Exclude.

    Environments without the Data Platform Infrastructure: do one of the following:

    • From the Malops management screen, select the appropriate MalOp and click Respond.

    • From the Malop details screen, select Respond in the upper right corner. For Endpoint Protection MalOps, you can also click Exclude directly from this screen.

    Then, in the Respond to Malop window, select Malop is benign - Exclude. The Exclude Malop window appears.

    [Screenshot: Exclusions]

  2. You will be given one or both of the following options, depending on the MalOp:

    Versions 23.2.24 and earlier:

    Add root cause to allowlist: The Cybereason platform adds the hash, IP, process, module, or domain to the allowlist.

    Create behavioral allowlist rule: Directs you to the Behavioral allowlisting screen to build a behavioral allowlisting rule for the behavior represented in this MalOp.

    Set investigation status to Closed: Automatically closes the MalOp.

    Versions 23.2.40 and later:

    Set as false positive and stop future recurrences: Marks the MalOp and its root causes as a false positive. The Cybereason platform records this and prevents future instances of this same type of MalOp.

    [Screenshot: Option to set the MalOp as a false positive]

    Set as false positive only: Marks the MalOp and its root causes as a false positive.

    BAL rule: This option displays only if you select the Set as false positive and stop future recurrences option, and only for AI Hunting MalOps. It directs you to the Behavioral Allowlisting screen to create a behavioral allowlisting rule for the MalOp behavior.

    If needed, for AI Hunting MalOps, in the Set option to field, select the root cause of the MalOp to automatically populate the root cause for your behavioral allowlisting rule.

    [Screenshot: Option to add a BAL rule in the MalOp exclude workflow]

    For Endpoint Protection MalOps, the Cybereason platform automatically selects the root cause for the Set option to field. You cannot modify this field.

    Reputation list: This option is also only available for AI Hunting MalOps. It adds the identifier (file hash, IP address, or domain name) for the root cause to your environment’s allowlist.

    When the Cybereason platform adds this reputation to the allowlist, the reputation displays Excluded by <user> in the description column for the item.

    Set investigation status to Closed: Automatically closes the MalOp. The Cybereason platform selects this option by default.

  3. Click Exclude. A confirmation screen appears. Click Done to close the dialog box.

If you selected the option to add a behavioral allowlisting rule, the Behavioral Allowlisting screen opens.

Excluded MalOps are marked as Excluded in the Malops management screen.

If you later reopen the MalOp for further investigation, the actions you applied in the steps above are reversed. For example, if you chose to add the item to your environment’s allowlist when excluding the MalOp and you later set the Excluded MalOp to Reopened, the item is removed from the allowlist.

Update reputations for items associated with MalOps

You can manually add items to your organization’s allowlist, or build behavioral allowlisting rules to prevent certain behaviors from triggering MalOps.

For files, domains, IP addresses, processes, and modules associated with a false positive MalOp, you can add these items to your organization’s allowlist. Once the items are on the allowlist, the Cybereason platform will not generate MalOps for these items. For details, see Manage Reputations.

Manually add behavioral allowlisting rules for behaviors in the MalOp

When you create a behavioral allowlist rule, you explicitly instruct the Cybereason platform to not generate a MalOp for the specific behavior in the rule. For each false positive result or for scenarios in which you see numerous false positive results, you should create behavioral allowlist rules. For details, see Manage Behavioral Allowlisting Rules.
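As an added example, not part of the Cybereason documentation and not the platform's own code: a small Python triage helper that applies the guidance in the two sections above to a constructed export of analyst-reviewed MalOps. A benign root cause that recurs as one identifier is a candidate for a reputation allowlist entry; a benign behavior that keeps firing on different hashes or domains is a candidate for a behavioral allowlisting rule, because a single reputation entry would not stop it. MalOps still under investigation are never tuned away. The export field names (malop_id, name, process, root_cause_type, root_cause, status), the sample values and the pattern_threshold are assumptions; a real export uses the platform's own schema.

```python
"""Decide which exclusion mechanism fits each confirmed false positive.

Added example, not Cybereason code. Field names and sample data are
assumptions standing in for a real MalOp export.
"""
from collections import defaultdict

# Constructed sample export (hypothetical schema).
SAMPLE_MALOPS = [
    # One internal updater binary seen three times: a single identifier.
    {"malop_id": "M-1", "name": "Unsigned binary executing from temp", "process": "updater.exe",
     "root_cause_type": "hash", "root_cause": "hash-updater-v1", "status": "false_positive"},
    {"malop_id": "M-2", "name": "Unsigned binary executing from temp", "process": "updater.exe",
     "root_cause_type": "hash", "root_cause": "hash-updater-v1", "status": "false_positive"},
    {"malop_id": "M-3", "name": "Unsigned binary executing from temp", "process": "updater.exe",
     "root_cause_type": "hash", "root_cause": "hash-updater-v1", "status": "false_positive"},
    # Admin scripts: the same behavior with a different script hash every time.
    {"malop_id": "M-4", "name": "Encoded PowerShell command", "process": "powershell.exe",
     "root_cause_type": "hash", "root_cause": "hash-script-a", "status": "false_positive"},
    {"malop_id": "M-5", "name": "Encoded PowerShell command", "process": "powershell.exe",
     "root_cause_type": "hash", "root_cause": "hash-script-b", "status": "false_positive"},
    {"malop_id": "M-6", "name": "Encoded PowerShell command", "process": "powershell.exe",
     "root_cause_type": "hash", "root_cause": "hash-script-c", "status": "false_positive"},
    # Internal package mirror flagged once.
    {"malop_id": "M-7", "name": "Connection to suspicious domain", "process": "curl.exe",
     "root_cause_type": "domain", "root_cause": "mirror.corp.example", "status": "false_positive"},
    # Still open: an analyst has not judged it benign, so it is not a tuning candidate.
    {"malop_id": "M-8", "name": "Connection to suspicious domain", "process": "chrome.exe",
     "root_cause_type": "domain", "root_cause": "unknown.example", "status": "open"},
]


def confirmed_false_positives(malops):
    """Only MalOps an analyst has already judged benign may be excluded."""
    return [m for m in malops if m["status"] == "false_positive"]


def recommend_exclusions(malops, pattern_threshold=3):
    """Map confirmed false positives to an exclusion mechanism.

    Returns a dict with:
      'behavioral_rules'   - (MalOp name, process) pairs that recurred with at
                             least pattern_threshold distinct root causes; these
                             need a behavioral allowlisting rule.
      'reputation_entries' - (root_cause_type, identifier) pairs to add to the
                             reputation allowlist for everything else.
    """
    benign = confirmed_false_positives(malops)

    # Distinct root causes seen per behavior (MalOp name + process).
    causes_by_behavior = defaultdict(set)
    for m in benign:
        causes_by_behavior[(m["name"], m["process"])].add(m["root_cause"])

    behavioral_rules = sorted(
        behavior for behavior, causes in causes_by_behavior.items()
        if len(causes) >= pattern_threshold
    )
    covered = set(behavioral_rules)

    # Anything not covered by a behavioral rule gets a reputation entry, so
    # the same identifier recurring many times yields one entry, not several.
    reputation_entries = sorted({
        (m["root_cause_type"], m["root_cause"])
        for m in benign
        if (m["name"], m["process"]) not in covered
    })
    return {"behavioral_rules": behavioral_rules, "reputation_entries": reputation_entries}


if __name__ == "__main__":
    result = recommend_exclusions(SAMPLE_MALOPS)
    print("Create behavioral allowlisting rules for:")
    for name, process in result["behavioral_rules"]:
        print(f"  {name} via {process}")
    print("Add reputation allowlist entries for:")
    for cause_type, identifier in result["reputation_entries"]:
        print(f"  {cause_type}: {identifier}")
```

With the sample above, the encoded PowerShell behavior (three distinct script hashes) is routed to a behavioral rule, the updater hash and the mirror domain become single reputation entries, and the open MalOp M-8 is left alone. The threshold of three is an arbitrary starting point; raise it if your team prefers to allowlist identifiers first and only build behavioral rules once the same finding clearly recurs.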

Adjust Anti-Malware sensitivity

If you find a large number of false positive Endpoint Protection MalOps, you may want to adjust your Anti-Malware settings to a less aggressive setting. For details, see Set the Anti-Malware Modes.

False Positives Video

Watch this video to learn more about managing false positives: