Asking for experience with the local analysis module.
As a Traps business partner we have been experiencing many FPs with the local analysis module since it became available about 6 months ago.
Also the last two content updates did not include an updated local analysis algorithm.
We and our customers feel a bit of a pain with the current status of that module.
What's your experience?
Is the FP local analysis verdict of the executable being resolved on the back-end once the WF sample analysis is completed?
False positives should be resolved in an automated fashion with the sample being uploaded to WF and analysed. The turn-around time on this would depend on your ESM settings and network connectivity, of course.
Are you finding you have to manually set as "Benign" in Hash Control?
My concern is not about WF analysis, my question is about too many false positives with the local analysis module.
I would like to know what your experience is with LA. I was attending the SE Summit in Vegas two weeks ago and it seems I am not the only one feeling some pain with LA...
Also, the last two content updates did not contain an updated (trained) machine learning algorithm for the LA module.
Mainly custom applications will trigger a false positive with LA - which happens at times. I think the whitelisting we have to do is still in an acceptable range. This module is still far from perfect but fills the gap between allowing all WF Unknown files and blocking everything WF has not seen before. At this point we still have to rely on the WF verdict though.
I share your concern for the lack of updates in Content Updates.
Though Local Analysis is built to operate (in part) like the WildFire Cloud does, the resource constraints inherent in running this on a single Endpoint in conjunction with the static nature of the module mean that certain properties that appear malicious will tend to trigger a prevention event (erring on the side of caution rather than allowing something through).
One major goal of Local Analysis is to limit the time that a new process hash is considered "unknown" (making this component much more flexible than it was previously, where the only options - when dealing with a new hash, or lack of connectivity to the ESM or WildFire - were to block or allow processes until a WildFire verdict was received).
Some of this may be tuneable (depending on your current policy configuration), but I'd recommend reporting these events to Support to investigate (and ensure these events are incorporated into future updates to the Local Analysis model).
We are also experiencing quite a few FPs with Local Analysis on a weekly basis (almost every day). And our environment isn't even big, only around 80 endpoints. Therefore, we are considering turning it to notification only, since our clients aren't happy with Traps continually blocking new installations, either when they are offline or when the executable is unknown to WF.
However, I've noticed that since yesterday there's a new content update available which includes a new LA algorithm, hence we'll give it a chance one more time.