How can you distinguish a 'false positive'?

saidfrh
Level 1

The IPS generated an alert, SMB Remote Registry Access Attempt. How do I investigate the alert? I ran a couple of spyware programs on the host and found some cookies, generally clean. At what point is the alert resigned as a false positive?

“Triggers when a client attempts to access the registry on the Windows server. Microsoft tools like REGEDIT provide the ability to access a server's registry over the network. There are several hacking tools that also provide similar capabilities. Every attempted access will cause an alarm to be sent. An attacker can cause serious damage to a computer system by changing the registry.”

appInstanceId: 403

signature: description=SMB Remote Registry Access Attempt id=5579 version=S264

subsigId: 1

marsCategory: Probe/Host/WinRegistry

1 Reply

mhellman
Level 7

You should start by looking for documented benign triggers:

https://intellishield.cisco.com/security/alertmanager/ipsSignature?signatureId=5579&signatureSubId=0

In this case, the benign triggers should tell you what you need to know.
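One way to put the "check the documented benign triggers" advice into practice is to triage the alerts by source host: a remote-registry alarm from a host whose job is remote registry access (patch management, inventory scanning) is a candidate benign trigger, while an unknown host, especially one touching many servers, needs a closer look. The following is an added example written for this thread, not Cisco tooling; the signature fields mirror the alert quoted in the question, but the src/dst addresses, the admin-host allowlist, the fan-out threshold and the function names are constructed assumptions.

```python
"""Triage helper for IPS signature 5579 (SMB Remote Registry Access Attempt).

Added example, not Cisco's tooling.  The signature id, subsig and category
come from the alert in the question; hosts and the allowlist are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

REMOTE_REGISTRY_SIG = 5579

# Constructed sample alerts: signature fields as quoted in the question,
# src/dst addresses invented for this example.
SAMPLE_ALERTS = [
    "signature: description=SMB Remote Registry Access Attempt id=5579 version=S264 subsigId=1 marsCategory=Probe/Host/WinRegistry src=10.0.5.20 dst=10.0.1.15",
    "signature: description=SMB Remote Registry Access Attempt id=5579 version=S264 subsigId=1 marsCategory=Probe/Host/WinRegistry src=10.0.5.20 dst=10.0.1.16",
    "signature: description=SMB Remote Registry Access Attempt id=5579 version=S264 subsigId=1 marsCategory=Probe/Host/WinRegistry src=10.0.9.77 dst=10.0.1.15",
    "signature: description=SMB Remote Registry Access Attempt id=5579 version=S264 subsigId=1 marsCategory=Probe/Host/WinRegistry src=10.0.9.77 dst=10.0.1.16",
    "signature: description=SMB Remote Registry Access Attempt id=5579 version=S264 subsigId=1 marsCategory=Probe/Host/WinRegistry src=10.0.9.77 dst=10.0.1.17",
    "signature: description=SMB Remote Registry Access Attempt id=5579 version=S264 subsigId=1 marsCategory=Probe/Host/WinRegistry src=10.0.9.78 dst=10.0.1.15",
]

# Assumed documented benign sources: hosts whose role legitimately involves
# remote registry access.  In practice this comes from your asset inventory
# and the vendor's benign-trigger notes, not from a hard-coded dict.
KNOWN_ADMIN_HOSTS = {
    "10.0.5.20": "patch-management server",
    "10.0.5.21": "software-inventory scanner",
}

ALERT_RE = re.compile(
    r"description=(?P<desc>.+?) id=(?P<id>\d+) version=(?P<ver>\S+) "
    r"subsigId=(?P<subsig>\d+) marsCategory=(?P<cat>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


@dataclass
class Alert:
    sig_id: int
    subsig: int
    description: str
    category: str
    src: str
    dst: str


def parse_alert(line: str) -> Alert:
    """Parse one alert line into its fields; raises ValueError if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(int(m["id"]), int(m["subsig"]), m["desc"], m["cat"], m["src"], m["dst"])


def triage_all(lines, admin_hosts=KNOWN_ADMIN_HOSTS, fanout_threshold=3):
    """Group remote-registry alerts by source and assign a verdict per source.

    Returns {src: (verdict, distinct_targets, reason)}.  A source on the
    allowlist is a benign-trigger candidate to confirm, not an automatic
    dismissal; an unknown source reaching fanout_threshold or more servers is
    escalated because one host walking many registries is the pattern the
    signature text warns about.
    """
    targets = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert.sig_id != REMOTE_REGISTRY_SIG:
            continue  # other signatures are out of scope for this helper
        targets[alert.src].add(alert.dst)

    verdicts = {}
    for src, dsts in targets.items():
        if src in admin_hosts:
            verdicts[src] = ("benign-trigger", len(dsts), admin_hosts[src])
        elif len(dsts) >= fanout_threshold:
            verdicts[src] = ("investigate-priority", len(dsts),
                             "unknown host accessing many registries")
        else:
            verdicts[src] = ("investigate", len(dsts), "unknown source")
    return verdicts


if __name__ == "__main__":
    for src, (verdict, n, reason) in sorted(triage_all(SAMPLE_ALERTS).items()):
        print(f"{src:<12} {verdict:<20} targets={n} ({reason})")
```

Run it as-is to see the three verdicts for the constructed sample; in a real deployment the allowlist and the fan-out threshold are the two knobs you tune, and a "benign-trigger" verdict still deserves a quick confirmation that the named admin host was actually doing the access it is allowed to do.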
