In this installment of the Tips and Insights series, Nate Hancock explains how false negatives may indicate a threat inside your network. Identifying and reporting them can resolve these issues, and gathering the appropriate information can expedite the resolution process.
Hi, my name is Nate Hancock and I am a Support Engineer at FireEye. False negatives may indicate a threat inside your network. Identifying and reporting them can resolve these issues, and gathering the appropriate information can expedite the resolution process.

Occasionally, when you're looking at emails or when one of your end users reports that they received an email that might be malicious, there may come a time when you need to submit a request to investigate a false negative: why an email was passed as clean when it may actually have contained malware.

The first thing we're going to look at is if we come in here and look at these emails. Let's say we find the email that was passed as clean that we suspect was malicious. We can come in here and look. The first thing we can see is that there's not a lot of information here. There's nothing to download. There's no email attached to this. There's no MD5. There are no URLs, depending on what information that email contained. There's nothing of the original email, and this is by design. The EX isn't designed to store email, so it only saves emails if that particular email was flagged as malicious.

So when an email is not flagged as malicious, there is some information that we can gather and submit to FireEye Support when you open a ticket to have this investigated further. The first thing you're going to want to obtain, if at all possible, is a copy of the original email. Now again, that's not stored on the EX appliance, and you would have to get that from your email server, depending on what the storage situation is there. Or, if it was actually delivered to the end user, you could get a copy from that end user's workstation. Now, if they forwarded the email to you, it's better to get the original email and not the forwarded copy, because once it's forwarded the headers change and the information in that email changes. There is some other information that you can gather for this.
If there was an attachment and you can get a copy of the attachment, but maybe not the original email, that's helpful. If you can get the MD5 sum, that's also helpful. Or any URLs that were contained in that email; also helpful, especially if that's a phishing attack. However, if we don't have the original email, it's going to make it much more difficult to find a long-term resolution and create detection rules for a long-term resolution for that particular threat.

Once we're logged into the command line, there is some information that we can capture that can help with the identification of this potential risk. The first thing we're going to look at is show version. Show version gives us the software version of the EX appliance. It also gives us the security content version. We're also going to want to gather the guest image version. Make sure the guest images are up to date, and then there's one other command that we can look at that can be very useful in determining why this may have been missed, and this is to identify any configuration issues. So, for example, if we come in here and notice that analyze URLs in body is for some reason turned off, or the attachments is turned off, or advanced URL detection is turned off, those can all be indicators of why this was potentially missed.

Once you run this command, copy this output to a text file or export it as a text file, depending on which SSH utility you're using. For example, PuTTY is one that can record the output of commands, and then you can simply export it as a text file. Attach that to the case as well, with the original email, and chances are pretty good that we can perform a successful analysis and get this resolved as quickly as possible.

That is how you gather relevant information to include in your support case for reporting false negatives. Thanks for watching and stay tuned for more FireEye tips and insights.
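As an added example, not part of the video or a FireEye tool, here is a small Python script that pulls the evidence the video asks for from a saved original .eml (key headers, per-attachment MD5 and size, and any URLs in the body) so it can be attached to the support case. The sample message is constructed for the example.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample message (not a real capture): one text part with a URL, one attachment.
SAMPLE_EML = b"""From: sender@example.test
To: user@example.test
Subject: Invoice attached
Message-ID: <constructed-001@example.test>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review http://example.test/login and the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def gather_evidence(raw_eml):
    """Return the headers, attachment hashes and URLs from an original .eml for a false-negative case."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    report = {
        # Read headers from the original message; a forwarded copy would have rewritten them.
        "headers": {h: str(msg[h]) for h in ("From", "To", "Subject", "Message-ID", "Date") if msg[h]},
        "attachments": [],
        "urls": [],
    }
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True)  # decoded attachment bytes
            report["attachments"].append({
                "filename": part.get_filename(),
                "md5": hashlib.md5(data).hexdigest(),      # the hash the video asks for
                "sha256": hashlib.sha256(data).hexdigest(),  # stronger hash, useful alongside MD5
                "size": len(data),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            report["urls"].extend(URL_RE.findall(part.get_content()))
    report["urls"] = sorted(set(report["urls"]))
    return report
```

Run it against the saved original message rather than a forwarded copy, since forwarding rewrites the headers the report records.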