Tips & Tricks: Reporting VirusTotal False Positives


Dear community member,

Our threat intelligence solutions are integrated with VirusTotal's portal. When you find that an asset you are responsible for has been reported for malware or malicious activity, you can trigger the false positive reporting process implemented on that particular vendor's side.

To trigger that process for false-positive verdicts from "ArcSight Threat Intelligence", you need to write an email to

Our team monitors that mailbox and works through reports first-in-first-out to verify the validity of the verdict on VirusTotal.

For the team to work on the process efficiently, we need details on WHAT was reported as malicious. Here are some examples:

Special note on IP addresses:

If you are NOT the exclusive owner of an IP address reported as malicious (shared hosting environments), then we often cannot do much, as any of the entities hosted on that IP address could be the root cause of the report. At the same time, we cannot change the verdict for one entity if other entities on the same IP still have the issue.

So ideally, if you report an IP address, let us know whether the address is shared and which domains resolve to it. Our analyst team will repeat that check, but DNS resolution changes over time, and we would rather have first-hand information from you AND our analyst team than possibly dated information from our analyst team alone.

We hope you find this information helpful.

MS

Labels:

How To-Best Practice
Support Tips/Knowledge Docs