Handling false positives

The easiest way to reduce the number of false positives for the reputation database is to simply set the Exclude Single References value to Yes, that means that an IP address is not identified as having a bad reputation unless it appears on at least two lists. This reduces the number of entries in the @@ip_blocklist@@ immediately.

Note

After making this type of change to the Edit screen, click Run Report to fetch the new reputation database.

Another way of handling false positives is to add any IP addresses used by your organization (that might appear in the BMC Defender list, but are necessary or known to your organization) to the @@block_exceptions@@ macro on the Correlation > Config > Lists screen. This macro typically contains a list of IP addresses that are not blocked under any circumstances. (The user simply updates the list of IP addresses like any other list macro.) The correlation rules in the Correlation > Threads screen references a rule @ip_blocklist@@ and not @@block_exceptions@@, that indicates that a match has to occur in the @@ip_blocklist@@ macro, and not occur in the @@block_exceptions@@ list.

Note

If you update the @@ip_blocklist@@ list with an item, then that item is eliminated the next time when feed is executed (typically on a weekly basis). Therefore, you should not modify @@ip_blocklist@@. This is not a problem with the @@block_exceptions@@ list, that is entirely defined by your organization and is never modified by BMC Defender feeds or upgrade procedures.

Finally, if you have chronic problems with certain ranges of devices, you should contact BMC Support to review your situation. The BMC Defender reputation database is easily modified to exclude certain IP addresses that might be necessary for your site.

Related topic

BMC-Defender-Server-block-list-and-reputation-database

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*