12-14-2016 11:41 AM
Recently our company switched to Traps Endpoint protection. Still in learning mode, and triggered an exploit protection, from what appears to be a Word doc. There is no upload to WildFire (though I did manually retrieve the file and upload it). How do you all normally verify that it was an exploit and not a false positive?
12-14-2016 12:28 PM
Oh yes... you did say that. My mistake... so you're on the right track.
12-15-2016 07:36 AM
Adding to what Michael already mentioned, the UI provides some visibility into the event information, but not a complete one. Upon prevention, the agent also creates a memory dump of the exploited process, and that dump can be retrieved from the ESM (using the "Retrieve Data" button in the security event details) and can be analyzed to better understand the exploitation attempt. Our Support team can also assist with analyzing the event and providing next steps.
12-15-2016 08:43 AM
Thanks, that's more or less what I was after. It looks like the retrieve data creates a rule, and then I would retrieve the data from "Monitor", "Data Retrieval"?
12-15-2016 11:15 PM
Exactly. The data retrieval creates an action for the agent to send the data the next time it connects to the ESM. Once the data is received by the ESM it will appear in the "Data Retrieval" screen.