07-09-2012 12:12 PM
In browsing through the default actions for vulnerabilities, spyware and AV, I see that a lot of the actions for HIGH and CRITICAL severity events are just Alert. I expected a lot more blocking, dropping, and resetting. (Half of High and >10% of Critical vulnerabilities, and the vast majority of High and Critical anti-spyware signatures, are Alert only.)
Why just Alert? False positives, overly cautious, angry mobs?
Thanks
07-09-2012 11:21 PM
I can't answer your specific question, but when using the recommended setup of:
Critical: block
High: block
Medium: block
Low: default
Informational: default
the threats classified as critical, high or medium will then be blocked no matter what their default action is.
My guess is that the risk of false positives is a major factor in why more critical and high threats don't have block as their default action. This becomes more obvious when you look at the low and informational threats. One of them is a signature for URLs in PDFs. I mean, pretty common these days, but also common for PDFs containing exploits. So if you blocked such PDFs you would most likely get shitloads of false positives, which would then hide the true threats (PDFs that are actually infected). But on the other hand, if you know that for example one of your file servers (which you wish to protect with a PA) would never contain such PDFs, you could use this threat ID without any false positives.
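The reply above describes a layered decision: a per-severity rule in the security profile overrides each signature's vendor default, and a per-threat-ID exception can override both (the file-server case). The following is an added example, not code from this thread or from Palo Alto Networks, that models that precedence in plain Python so you can audit a signature catalogue against a profile before deploying it. Everything in it is constructed: the threat IDs and names are invented, the action string "block" follows the reply's shorthand rather than any real PAN-OS action name, and the exception-beats-severity-beats-default ordering is an assumption about typical profile semantics, not a statement about any product.

```python
from collections import Counter
from dataclasses import dataclass

# Ordering used to express a severity floor such as "high and above".
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# The recommended setup quoted in the reply: block medium and above,
# fall through to each signature's own default for low and informational.
RECOMMENDED_PROFILE = {
    "critical": "block",
    "high": "block",
    "medium": "block",
    "low": "default",
    "informational": "default",
}

# A profile that changes nothing, i.e. the vendor defaults the original poster was looking at.
VENDOR_DEFAULTS_PROFILE = {severity: "default" for severity in SEVERITY_RANK}


@dataclass(frozen=True)
class Signature:
    threat_id: int        # constructed value, not a real threat ID
    name: str
    severity: str
    default_action: str   # the action the signature ships with


# Constructed sample catalogue for illustration only.
SAMPLE_CATALOGUE = [
    Signature(900001, "Sample RCE overflow", "critical", "alert"),
    Signature(900002, "Sample spyware beacon", "high", "alert"),
    Signature(900003, "Sample brute-force attempt", "high", "reset-both"),
    Signature(900004, "Sample suspicious header", "medium", "alert"),
    Signature(900005, "URL embedded in PDF", "low", "alert"),
    Signature(900006, "Sample scanner fingerprint", "informational", "allow"),
]


def effective_action(sig, profile, exceptions=None):
    """Action applied to a hit on `sig`.

    Assumed precedence: per-threat-ID exception > severity rule > signature default.
    """
    exceptions = exceptions or {}
    if sig.threat_id in exceptions:
        return exceptions[sig.threat_id]
    rule = profile.get(sig.severity, "default")
    return sig.default_action if rule == "default" else rule


def action_summary(catalogue, profile, exceptions=None):
    """Count how many signatures end up at each action under `profile`."""
    return dict(Counter(effective_action(s, profile, exceptions) for s in catalogue))


def alert_only_at_or_above(catalogue, profile, min_severity="high", exceptions=None):
    """Threat IDs that would only alert although they meet the severity floor.

    This is the gap the original poster noticed in the vendor defaults; with the
    recommended profile applied it should come back empty.
    """
    floor = SEVERITY_RANK[min_severity]
    return [
        s.threat_id
        for s in catalogue
        if SEVERITY_RANK[s.severity] >= floor
        and effective_action(s, profile, exceptions) == "alert"
    ]


if __name__ == "__main__":
    print("vendor defaults:", action_summary(SAMPLE_CATALOGUE, VENDOR_DEFAULTS_PROFILE))
    print("recommended:   ", action_summary(SAMPLE_CATALOGUE, RECOMMENDED_PROFILE))
    print("still alert-only at high+ with defaults:",
          alert_only_at_or_above(SAMPLE_CATALOGUE, VENDOR_DEFAULTS_PROFILE))
    # Profile for the file server from the reply: the low-severity PDF-URL
    # signature is known to be safe to block there, so a per-ID exception is added.
    fileserver_exceptions = {900005: "block"}
    pdf_sig = SAMPLE_CATALOGUE[4]
    print("PDF-URL signature on file server:",
          effective_action(pdf_sig, RECOMMENDED_PROFILE, fileserver_exceptions))
```

Running the audit against a real catalogue export before changing a profile makes the reply's point concrete: the severity rules close the alert-only gap at high and critical, while the low-severity rows are left alone unless you deliberately add an exception for an asset where the false-positive argument does not apply.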