Experience with local analysis ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Experience with local analysis ?

L4 Transporter

asking for experience with the local analysis module.

As a Traps business Partner we experience many FP's with the local analysis module since it became available abt 6 months ago.

Also the last two content updates did not include an updated local analysis algorithm.

 

We and our customers feel a bit of a pain with the current status of that module.

What's your experience ?

 

Thanks

Roland

7 REPLIES 7

L4 Transporter

Really no one ..?

Is the FP local analysis verdict of the executable being resolved on the back-end once the WF sample analysis is completed? 

 

False positives should be resolved in an automated fashion with the sample being uploaded to WF and Analysed. The turn-around time on this would depend on your ESM settings and network connectivity of course. 

 

Are you finding you have to manually set as "Benign" in Hash Control? 

My concern is not about WF analysis, my question is about too many false positives with the local analysis module.

I would like to know what your experience is with LA. I was attending the SE Summit in Vegas two weeks ago and it seems I am not the only one feeling some pain with LA...

 

Also the last two recent content updates did not contain an updated (trained) machine learning algorithm for the LA module.

L1 Bithead

Hello gafrol,

 

Mainly custom applications will trigger a false positive with LA - which happens at times. I think the whitelisting we have to do is still in an acceptable range. This module is still far from perfect but fills the gap between allowing all WF Unknown files and blocking everything WF has not seen before. At this point we still have to rely on the WF verdict though.

 

I share your concern for the lack of updates in Content Updates.

Hi Roland,

 

Though Local Analysis is built to operate (in part) like the WildFire Cloud does, the resource constraints inherent in running this on a single Endpoint in conjunction with the static nature of the module mean that certain properties that appear malicious will tend to trigger a prevention event (erring on the side of caution rather than allowing something through).

 

One major goal of Local Analysis is to limit the time that a new process hash is considered "unknown" (making this component much more flexible than it was previously, where the only options - when dealing with a new hash, or lack of connectivity to the ESM or WildFire - were to block or allow processes until a WildFire verdict was received).

 

Some of this may be tuneable (depending on your current policy configuration), but I'd recommend reporting these events to Support to investigate (and ensure these events are incorporated into future updates to the Local Analysis model).

 

--Chris

L1 Bithead

We are also experiencing quite a few FP's with Local analysis on weekly basis (almost every day). And our environment isn't even big, only around 80 endpoints. Therefore, we are considering turning it only to notification, since our client's aren't happy with Traps keep on blocking new installations, either when they are offline or the executable is unknown to WF. 

However, I've noticed that from yesterday, there's new content update available which include new LA algorithm, hence we'll give it a chance one more time.

 

Regards,

Uroš

Ohh woowww, the first content update to the LA Module after months ... finally

Lets check it out 🙂

  • 8633 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!