Gathering Information to Report False Positives

In this installment of the Tips and Insights series, Nate Hancock demonstrates how to gather information for reporting a false positive to FireEye Support.

Hi. My name is Nate Hancock and I am a Support Engineer at FireEye. Today we are going to demonstrate how to gather information for reporting a false positive to FireEye Support. This will expedite the process of resolving false positives. When looking at alerts in your environment, you may come across an alert that you don’t feel is necessarily malicious, and you go in to look at the alert details. For whatever reason, maybe you recognize the MD5, or the object that’s archived here, or the URL, and feel like this may not be malicious. There’s some information that you can gather and send to FireEye Support to help speed this to a faster resolution. These are all things that will probably be requested anyway, and if you can provide them up front it can save a lot of time for you and for the support engineer. The first thing we’re going to want to gather is the XML. Now, the XML that we download contains all of the information that’s in these alert details: it contains the OS change report, the MD5 sum, any URLs that are in the alert and their redirections, as well as a description of why this was flagged as malicious. We’ll go ahead and save that. The next items are going to be these pcaps. These pcaps are also very, very useful in seeing exactly what that traffic is and what it did, and this could be useful in determining whether or not this is malicious. The next thing you’re going to want to download is the archived object. Now, this is in a ZIP file. This is the actual file. Depending on the alert and the alert type, it may or may not have an object. This is the file that was flagged in association with this alert. So be very careful: even though you suspect that this might not be malicious, it could still contain malware. So be very careful downloading these. We’ll download this to this location. And once we have all of that, we’re also going to gather some additional information from the command line in just a moment.

But we can go in and zip the files that we have in here now that we just downloaded, and put those into a single ZIP folder. It’s always a good idea, before sending this anywhere, before sending it to your security team for analysis or before sending it to FireEye, that we also password-protect that. The process for doing that can vary depending on the platform, but it’s a good idea to add a password. If you add the password infected, I N F E C T E D, to that archive, that’s one that FireEye uses all the time and we can analyse the malware that way more quickly. Or, if you choose a different password, please provide the password in the case notes when you attach that to the case. So the next thing we’re going to look at is the command line, and there’s some information that we need to gather here. The first thing we’re going to gather is the output of the show version command. This gives us the model number. It also gives us the software version that’s currently on this appliance, and it also gives us the security content version. This gives us versioning that we can use to verify whether or not everything is up to date. The next thing we want to know is the version of the guest images. So if we do show guest images, that gives us the version of all of the guest images on this appliance.

The next item we’re going to want to gather is a debug command.

And again, this will give us some versioning information.

The next thing we’re going to look at is the show submission md5sum command with the MD5 attached. When we run that command, it gives us information based on the alert that fired for that MD5 sum. This information is also good: it shows us where that was detected, but it also gives us the job ID, which is going to lead to the next command.

This is another debug command, which is a hidden command, so you won’t be able to tab-complete it. Then we’re going to take this job ID here, the one eight six seven zero, and run that on the job ID.

This gives us all of the information for that particular file and why that was flagged. Now, if this was a web-based infection, you won’t have the MD5 sum. You may not have a file attached to that, and so this part wouldn’t exist. But if there’s a file involved, this gives us exactly the reason why that was flagged as malicious and why it generated an alert.

That should give you some insight on how to gather information relevant to reporting false positives. FireEye tips and insights.
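As an added example that is not part of the video or FireEye's own tooling, the script below inventories a folder of artifacts gathered the way the transcript describes (alert XML, pcaps, the archived object ZIP, and the CLI output) before it is packaged for a support case. It records an MD5 and SHA-256 for every file, reports which artifact kinds are still missing, and checks whether a member of the archived-object ZIP matches the MD5 the alert reported, so that the file being sent is demonstrably the one the alert flagged. Assumptions: artifact kinds are inferred from file extensions, the CLI output (show version, show guest images, the debug commands, show submission md5sum) has been saved as .txt files, and the sample bundle it builds is constructed data, not real alert output. Password-protecting the final archive is left to your platform's archiver, as the video notes.

```python
"""Inventory the artifacts collected for a false-positive case (added example)."""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

# Artifact kinds the video asks you to collect, keyed by file extension.
# Assumption: CLI output (show version, show guest images, the debug
# commands, show submission md5sum) has been pasted into .txt files.
EXPECTED_KINDS = {
    ".xml": "alert XML",
    ".pcap": "pcap",
    ".zip": "archived object (ZIP)",
    ".txt": "CLI output",
}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def zip_member_md5s(zip_path):
    """MD5 each member of a ZIP so the archived object can be matched against
    the alert's MD5. Password-protected members are reported, not read."""
    members = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                digest = md5_hex(zf.read(info.filename))
            except RuntimeError:  # encrypted member and no password supplied
                digest = None
            members.append({"member": info.filename, "md5": digest})
    return members


def build_manifest(artifact_dir, alert_md5=None):
    """Return hashes of every file, which expected artifact kinds are missing,
    and which ZIP member (if any) matches the MD5 reported in the alert."""
    artifact_dir = Path(artifact_dir)
    entries, seen_kinds, match = [], set(), None
    for path in sorted(p for p in artifact_dir.iterdir() if p.is_file()):
        kind = EXPECTED_KINDS.get(path.suffix.lower(), "other")
        seen_kinds.add(kind)
        data = path.read_bytes()
        entry = {"file": path.name, "kind": kind, "size": len(data),
                 "md5": md5_hex(data), "sha256": hashlib.sha256(data).hexdigest()}
        if path.suffix.lower() == ".zip" and zipfile.is_zipfile(path):
            entry["members"] = zip_member_md5s(path)
            for member in entry["members"]:
                if alert_md5 and member["md5"] == alert_md5.lower():
                    match = f"{path.name}:{member['member']}"
        entries.append(entry)
    return {
        "artifacts": entries,
        "missing": sorted(set(EXPECTED_KINDS.values()) - seen_kinds),
        "alert_md5": alert_md5,
        "alert_md5_match": match,
    }


# Constructed sample object standing in for a real download (not malware).
SAMPLE_OBJECT = b"constructed sample object, not malware\n"


def make_sample_bundle(target_dir=None):
    """Write a constructed artifact folder; returns (folder, alert MD5)."""
    target = Path(target_dir or tempfile.mkdtemp(prefix="fp_case_"))
    target.mkdir(parents=True, exist_ok=True)
    alert_md5 = md5_hex(SAMPLE_OBJECT)
    (target / "alert.xml").write_text(f"<alert><md5sum>{alert_md5}</md5sum></alert>\n")
    # pcap global-header magic followed by zeroed header fields (constructed)
    (target / "alert.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)
    (target / "cli_output.txt").write_text("show version output pasted here\n")
    with zipfile.ZipFile(target / "archived_object.zip", "w") as zf:
        zf.writestr("sample.bin", SAMPLE_OBJECT)
    return str(target), alert_md5


if __name__ == "__main__":
    folder, md5 = make_sample_bundle()
    print(json.dumps(build_manifest(folder, md5), indent=2))
```

Run it as-is to see the manifest for the constructed bundle; point `build_manifest` at your own download folder and pass the MD5 from the alert details to check a real case. A non-empty `missing` list tells you what support will likely ask for before you open the case, and `alert_md5_match` being `None` means either the archived object is not the flagged file or the ZIP is password-protected and could not be read.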
