article 规则名称为 &quot;bioc.vulnerable_driver_dropped_$name &quot;的BTP警报是否为假阳性检测? in 配置和实施 https://live.paloaltonetworks.com/t5/%E9%85%8D%E7%BD%AE%E5%92%8C%E5%AE%9E%E6%96%BD/%E8%A7%84%E5%88%99%E5%90%8D%E7%A7%B0%E4%B8%BA-quot-bioc-vulnerable-driver-dropped-name-quot/ta-p/527697 <DIV class="lia-message-template-content-zone"> <P>总结:</P> <P>这篇文章描述了BTP警报的情况,它的规则名称如下。<BR />bioc.vulnerable_driver_dropped_$name<BR />bioc.sync.vulnerable_driver_loaded_$name<BR />bioc.sync.vulnerable_driver_by_original_name_loaded_$name<BR />bioc.sync.vulnerable_driver_by_signer_name_loaded_$name<BR />bioc.sync.malicious_driver_by_signer_name_loaded_$name<BR />bioc.sync.malicious_driver_by_original_name_loaded__$name</P> <P>&nbsp;</P> <P>环境:</P> <DIV class="slds-form-element__control slds-grid itemBody" data-aura-rendered-by="100168:0"> <DIV class="slds-rich-text-editor__output uiOutputRichText forceOutputRichText forceKnowledgeOutputRichTextForKnowledge" dir="ltr" data-aura-rendered-by="100160:0" data-aura-class="uiOutputRichText forceOutputRichText forceKnowledgeOutputRichTextForKnowledge"> <UL data-aura-rendered-by="100161:0"> <LI>Cortex XDR for Windows</LI> <LI>Behavioral Threat Protection (BTP)</LI> </UL> <P>答案:</P> <P>这不是一个假阳性检测。<BR />这是一个易受攻击的驱动程序,正在被客户机器上的一个应用程序使用。所以我们阻止了它。<BR />这个驱动程序可以被攻击者滥用,以获得权限的提升。<BR />注意:如果一个规则名称有这些内容,它不是一个假阳性。它们也是由有漏洞的驱动文件引起的。</P> <P>&nbsp;</P> <PRE class="ckeditor_codeblock" data-aura-rendered-by="100190:0"><SPAN>bioc.vulnerable_driver_dropped_$name bioc.sync.vulnerable_driver_loaded_$name bioc.sync.vulnerable_driver_by_original_name_loaded_$name bioc.sync.vulnerable_driver_by_signer_name_loaded_$name bioc.sync.malicious_driver_by_signer_name_loaded_$name bioc.sync.malicious_driver_by_original_name_loaded__$name</SPAN></PRE> </DIV> </DIV> </DIV> Thu, 19 Jan 2023 11:53:03 GMT juzhang 2023-01-19T11:53:03Z 规则名称为 "bioc.vulnerable_driver_dropped_$name "的BTP警报是否为假阳性检测? https://live.paloaltonetworks.com/t5/%E9%85%8D%E7%BD%AE%E5%92%8C%E5%AE%9E%E6%96%BD/%E8%A7%84%E5%88%99%E5%90%8D%E7%A7%B0%E4%B8%BA-quot-bioc-vulnerable-driver-dropped-name-quot/ta-p/527697 <DIV class="lia-message-template-content-zone"> <P>总结:</P> <P>这篇文章描述了BTP警报的情况,它的规则名称如下。<BR />bioc.vulnerable_driver_dropped_$name<BR />bioc.sync.vulnerable_driver_loaded_$name<BR />bioc.sync.vulnerable_driver_by_original_name_loaded_$name<BR />bioc.sync.vulnerable_driver_by_signer_name_loaded_$name<BR />bioc.sync.malicious_driver_by_signer_name_loaded_$name<BR />bioc.sync.malicious_driver_by_original_name_loaded__$name</P> <P>&nbsp;</P> <P>环境:</P> <DIV class="slds-form-element__control slds-grid itemBody" data-aura-rendered-by="100168:0"> <DIV class="slds-rich-text-editor__output uiOutputRichText forceOutputRichText forceKnowledgeOutputRichTextForKnowledge" dir="ltr" data-aura-rendered-by="100160:0" data-aura-class="uiOutputRichText forceOutputRichText forceKnowledgeOutputRichTextForKnowledge"> <UL data-aura-rendered-by="100161:0"> <LI>Cortex XDR for Windows</LI> <LI>Behavioral Threat Protection (BTP)</LI> </UL> <P>答案:</P> <P>这不是一个假阳性检测。<BR />这是一个易受攻击的驱动程序,正在被客户机器上的一个应用程序使用。所以我们阻止了它。<BR />这个驱动程序可以被攻击者滥用,以获得权限的提升。<BR />注意:如果一个规则名称有这些内容,它不是一个假阳性。它们也是由有漏洞的驱动文件引起的。</P> <P>&nbsp;</P> <PRE class="ckeditor_codeblock" data-aura-rendered-by="100190:0"><SPAN>bioc.vulnerable_driver_dropped_$name bioc.sync.vulnerable_driver_loaded_$name bioc.sync.vulnerable_driver_by_original_name_loaded_$name bioc.sync.vulnerable_driver_by_signer_name_loaded_$name bioc.sync.malicious_driver_by_signer_name_loaded_$name bioc.sync.malicious_driver_by_original_name_loaded__$name</SPAN></PRE> </DIV> </DIV> </DIV> Thu, 19 Jan 2023 11:53:03 GMT https://live.paloaltonetworks.com/t5/%E9%85%8D%E7%BD%AE%E5%92%8C%E5%AE%9E%E6%96%BD/%E8%A7%84%E5%88%99%E5%90%8D%E7%A7%B0%E4%B8%BA-quot-bioc-vulnerable-driver-dropped-name-quot/ta-p/527697 juzhang 2023-01-19T11:53:03Z