Video Screencast Help

DLP should track false positives

Created: 13 Jun 2011 | 2 comments
xlloyd's picture
6 Agree
0 Disagree
+6 6 Votes
Login to vote

DLP Endpoint Server should keep a list of files (possibly file hashes like SEP12) that have been marked as false positives and automatically mark them as false positives again if discovered multiple times with Endpoint Discover. This way, the same file won't fire of an alert when it's already been recognised as a false positive the next time a scan is done.

It would make sense to make the server mark them after they've been reported rather than the agent simply skip them because otherwise, the agent would have to keep a list locally of each file that has been scanned and marked as a false positive which could make the agent inflated.

Comments 2 CommentsJump to latest comment

simiantech's picture

Has this been formalized as a feature modification request?

0
Login to vote
r.woodard's picture

I know this is an old post, but this should be implemented in the next update. We can mark incidents as False Positives, but that doesn't do any good if the system cannot recognize it and prevent the same type of incident from triggering another alert.

0
Login to vote