default action = alert?

schaleg2 — Mon, 09 Jul 2012 19:12:21 GMT

In browsing through the default actions for vulnerabilities, spyware and AV I see that the a lot of the actions for HIGH and CRITICAL severity events is just Alert. I expected a lot more blocking, dropping, and resetting. (half of High and >10% of Critical Vulnerabilities and the vast majority of High and Critical anti-spyware are Alert only)

Why just Alert? False positives, overly cautious, angry mobs?

Thanks

Re: default action = alert?

mikand — Tue, 10 Jul 2012 06:21:07 GMT

I cant answer your specific question but when using the recommended setup of:

Critical: block

High: block

Medium: block

Low: default

Informational: default

the threats classified as critical, high or medium will then be blocked no matter what their default action is.

My guess is that the risk of false positives is a major factor of why not more critical and high threats have block as their default action. This becomes more obvious when you look at the low and informational threats. One of them is a signature for url's in pdf's. I mean - pretty common these days but also common for pdf's containing exploits. So if you would block such pdf's you would most likely get shitloads of false positives which then would hide the true threats (pdf's who are actually infected). But on the other hand if you know that for example one of your fileservers (which you wish to protect with a PA) never would contain such pdfs you could use this threatid without any false positives.

topic default action = alert? in General Topics

default action = alert?

Re: default action = alert?