How can you distinguish a 'false positive'?

The IPS generated an alert, SMB Remote Registry Access Attempt. How to investigate the alert? I ran a couple of spyware programs on the host and found some cookies, generally clean. At what point is the alert resigned as a false positive?

“Triggers when a client attempts to access the registry on the Windows server. Microsoft tools like REGEDIT provide the ability to access a server's registry over the network. There are several hacking tools that also provide similar capabilities. Every attempted access will cause an alarm to be sent. An attacker can cause serious damage to a computer system by changing the registry.”

appInstanceId: 403

signature: description=SMB Remote Registry Access Attempt id=5579 version=S264

subsigId: 1

marsCategory: Probe/Host/WinRegistry

1 REPLY
Re: How can you distinguish a 'false positive'?

You should start by looking for documented benign triggers:

https://intellishield.cisco.com/security/alertmanager/ipsSignature?signatureId=5579&signatureSubId=0

In this case, the benign triggers should tell you what you need to know.

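One way to put the reply's advice into practice, as an added example that is not part of the thread or of any Cisco tooling: parse alert records in the key: value form shown in the question, pull the signature id, sub-signature and version out of the signature field, and classify each hit of signature 5579 as a documented benign trigger (remote registry access from a source that is expected to do it, such as an administrative workstation) or as something to investigate. The alert records, the attacker/target fields, the admin host list and the management subnet are all constructed for this example; in a real environment the expected-source list would come from asset inventory and the benign-trigger notes for the signature.

```python
"""Triage of Cisco IPS 'SMB Remote Registry Access Attempt' (sig 5579) alerts.

Added example, not code from the thread. Alert records, the attacker/target
fields and the allowlist below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

SIG_ID_SMB_REMOTE_REGISTRY = 5579  # signature id shown in the alert in the post

# Constructed allowlist: sources from which remote registry access is expected.
# In practice this comes from asset inventory / change records, not from guesswork.
KNOWN_ADMIN_SOURCES = {"10.0.50.12"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.50.0/24")]

# The signature field packs several sub-fields into one line:
#   description=<free text> id=<int> version=<tag>
SIG_RE = re.compile(r"description=(?P<desc>.+?) id=(?P<id>\d+) version=(?P<ver>\S+)")

# Constructed sample records; the 'attacker'/'target' lines are assumed fields
# added for the example and are not shown in the original post.
SAMPLE_ALERTS = """\
appInstanceId: 403
signature: description=SMB Remote Registry Access Attempt id=5579 version=S264
subsigId: 1
marsCategory: Probe/Host/WinRegistry
attacker: 10.0.50.12
target: 10.0.1.20

appInstanceId: 403
signature: description=SMB Remote Registry Access Attempt id=5579 version=S264
subsigId: 1
marsCategory: Probe/Host/WinRegistry
attacker: 192.0.2.77
target: 10.0.1.20

appInstanceId: 403
signature: description=Constructed placeholder signature id=1 version=S1
subsigId: 0
marsCategory: Placeholder/Category
attacker: 192.0.2.78
target: 10.0.1.20
"""


@dataclass
class Alert:
    app_instance_id: int
    sig_id: int
    subsig_id: int
    description: str
    version: str
    mars_category: str
    attacker: str
    target: str


def parse_alert(record: str) -> Alert:
    """Parse one 'key: value' record into an Alert, splitting the signature field."""
    fields = {}
    for line in record.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    m = SIG_RE.search(fields["signature"])
    if m is None:
        raise ValueError("unrecognised signature field: " + fields["signature"])
    return Alert(
        app_instance_id=int(fields["appInstanceId"]),
        sig_id=int(m.group("id")),
        subsig_id=int(fields["subsigId"]),
        description=m.group("desc"),
        version=m.group("ver"),
        mars_category=fields["marsCategory"],
        attacker=fields["attacker"],
        target=fields["target"],
    )


def parse_alerts(text: str) -> list:
    """Split a blank-line-separated dump into individual alerts."""
    return [parse_alert(r) for r in re.split(r"\n\s*\n", text.strip()) if r.strip()]


def triage(alert: Alert) -> tuple:
    """Return (verdict, reason) for a sig 5579 hit based on the expected-source list."""
    if alert.sig_id != SIG_ID_SMB_REMOTE_REGISTRY:
        return "out-of-scope", f"signature {alert.sig_id} is not handled by this rule"
    src = ipaddress.ip_address(alert.attacker)
    if alert.attacker in KNOWN_ADMIN_SOURCES or any(src in net for net in MANAGEMENT_NETS):
        return "benign-trigger", f"{alert.attacker} is an expected source of remote registry access"
    return "investigate", (
        f"{alert.attacker} is not an expected source of remote registry access to {alert.target}"
    )


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        verdict, reason = triage(a)
        print(f"sig {a.sig_id}/{a.subsig_id} {a.attacker} -> {a.target}: {verdict} ({reason})")
```

The verdict only narrows the work: a hit from an expected source matches the documented benign trigger and can be closed with that justification, while a hit from anywhere else is the case the reply is pointing at, where scanning the target host for spyware says nothing about who opened the registry and the source host and the account used are what need to be checked.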