Deep Analysis false positive potential


When reviewing the results of a Deep Analysis for a suspicious file, is it possible that any "parallel" processes (processes not initiated or accessed by the suspicious file) could be included in the results as false positives? We have an executable file that was alerted on and then marked as No Threat by the Automated Investigation. When we perform and review a Deep Analysis, we see communication via a Skype process (which should in no way be part of this file's legitimate activity). We submitted the file to third-party sandbox analysis and the file reports as mostly benign. We're awaiting a response to an Experts on Demand request, but in the meantime would like to seek a better understanding of the Deep Analysis / false positive potential. (Just for added drama: the file is a non-Orion SolarWinds RMM file, so our curiosity is piqued.)

0 Replies
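The practical check behind the question above is whether the Skype activity is in the sample's process lineage at all. The following is an added example, not code from the original post or from Microsoft: it builds the process tree from process-creation records and then labels each network event as either attributable to the submitted file (its own process or any descendant) or as a parallel process that merely ran during the same window. The record shapes borrow column names from the Defender for Endpoint Advanced Hunting tables DeviceProcessEvents and DeviceNetworkEvents, but every value (hashes, PIDs, hostnames) is constructed for illustration, and the real Deep Analysis report format is not reproduced here.

```python
"""Attribute observed network activity to a sample by process lineage.

Constructed example. Records mimic Advanced Hunting column names
(DeviceProcessEvents / DeviceNetworkEvents); the data itself is invented.
"""
from collections import defaultdict

# Hypothetical SHA-256 of the submitted executable (constructed value).
SAMPLE_SHA256 = "a" * 64

# Constructed process-creation events: explorer.exe starts both the sample
# and Skype.exe; only the sample spawns cmd.exe -> powershell.exe.
PROCESS_EVENTS = [
    {"ProcessId": 4000, "FileName": "sample.exe", "SHA256": SAMPLE_SHA256,
     "InitiatingProcessId": 1000, "InitiatingProcessFileName": "explorer.exe"},
    {"ProcessId": 4100, "FileName": "cmd.exe", "SHA256": "b" * 64,
     "InitiatingProcessId": 4000, "InitiatingProcessFileName": "sample.exe"},
    {"ProcessId": 4200, "FileName": "powershell.exe", "SHA256": "c" * 64,
     "InitiatingProcessId": 4100, "InitiatingProcessFileName": "cmd.exe"},
    {"ProcessId": 5000, "FileName": "Skype.exe", "SHA256": "d" * 64,
     "InitiatingProcessId": 1000, "InitiatingProcessFileName": "explorer.exe"},
]

# Constructed network events observed during the same window.
NETWORK_EVENTS = [
    {"InitiatingProcessId": 4200, "InitiatingProcessFileName": "powershell.exe",
     "RemoteUrl": "updates.example.test", "RemotePort": 443},
    {"InitiatingProcessId": 5000, "InitiatingProcessFileName": "Skype.exe",
     "RemoteUrl": "skype.example.test", "RemotePort": 443},
    {"InitiatingProcessId": 4000, "InitiatingProcessFileName": "sample.exe",
     "RemoteUrl": "rmm.example.test", "RemotePort": 443},
]


def lineage_of(sample_sha256, process_events):
    """Return the set of PIDs belonging to the sample and all its descendants.

    Roots are every process whose image hash matches the sample; the tree is
    then walked parent -> child using InitiatingProcessId links.
    """
    children = defaultdict(list)
    roots = set()
    for ev in process_events:
        children[ev["InitiatingProcessId"]].append(ev["ProcessId"])
        if ev["SHA256"] == sample_sha256:
            roots.add(ev["ProcessId"])
    seen = set()
    stack = list(roots)
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, []))
    return seen


def attribute_network_events(sample_sha256, process_events, network_events):
    """Split network events into (attributable, parallel).

    attributable: initiated by a process in the sample's lineage.
    parallel:     initiated by an unrelated process that happened to run
                  at the same time, i.e. the false-positive case asked about.
    """
    lineage = lineage_of(sample_sha256, process_events)
    attributable, parallel = [], []
    for ev in network_events:
        bucket = attributable if ev["InitiatingProcessId"] in lineage else parallel
        bucket.append(ev)
    return attributable, parallel


if __name__ == "__main__":
    linked, unrelated = attribute_network_events(
        SAMPLE_SHA256, PROCESS_EVENTS, NETWORK_EVENTS)
    for ev in linked:
        print("sample lineage:", ev["InitiatingProcessFileName"], "->", ev["RemoteUrl"])
    for ev in unrelated:
        print("parallel process:", ev["InitiatingProcessFileName"], "->", ev["RemoteUrl"])
```

Two caveats when running this idea against real telemetry rather than the constructed records: PIDs are reused, so key processes on the PID together with its creation time rather than the PID alone, and lineage by process creation will not catch a sample that injects into an already-running process such as Skype.exe; that case has to be checked separately through cross-process events (remote thread creation, memory writes into another process) before concluding the activity is merely parallel.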