Contextual Whitelisting
False positives are a common challenge in cybersecurity. Some detections are too generic, and when applied broadly they block more than necessary. Users are sometimes forced to disable an entire detection to avoid this, but with Contextal Platform you can handle these cases with precision. See how!
In this example, let's consider a false positive (FP) detection labeled Trojan.ABC from the ClamAV scanner, although this strategy could be applied to other FPs, even those originating from Contextal Platform's own scenarios. We'll also assume Trojan.ABC is effective within an email context but has been mistakenly blocking legitimate files from other sources.
To solve this problem we will make use of the ALLOW action, which takes precedence over other actions, paired with the following ContextQL query:
@has_symbol("INFECTED-CLAM-Trojan.ABC") && @has_root(object_type != "Email")
This setup will whitelist instances where Trojan.ABC was detected but the root object is not of the Email type, allowing legitimate files to pass through while maintaining security within email content. Because the condition is evaluated against the root object, a flagged attachment is still blocked no matter how deeply it is nested inside an email (for example inside an archive); only objects that arrived from a non-email source are allowed. Note that the symbol must match the detection's actual name exactly (INFECTED-CLAM- followed by the ClamAV signature name), otherwise the scenario never matches.
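To make the precedence rule and the root-object check concrete, here is an added, self-contained model of the decision logic (example code written for this page, not Contextal's engine and not a ContextQL implementation). It assumes a hypothetical object tree in which each analysed object has an object_type and a set of detection symbols, models @has_symbol and @has_root as plain Python functions, and encodes the one precedence rule the text relies on: ALLOW wins over BLOCK. The sample objects are constructed, not real samples.

```python
# Added illustration of contextual whitelisting; a hypothetical model, not
# Contextal's engine.  Objects form a tree (root plus extracted children);
# a scenario fires when its predicate matches; ALLOW takes precedence.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Iterator


@dataclass
class Obj:
    """One analysed object; children are the objects extracted from it."""
    object_type: str
    symbols: set[str] = field(default_factory=set)
    children: list[Obj] = field(default_factory=list)

    def walk(self) -> Iterator[Obj]:
        yield self
        for child in self.children:
            yield from child.walk()


def has_symbol(root: Obj, symbol: str) -> bool:
    """Model of @has_symbol: true if any object in the tree carries the symbol."""
    return any(symbol in o.symbols for o in root.walk())


def has_root(root: Obj, cond: Callable[[Obj], bool]) -> bool:
    """Model of @has_root(<cond>): the condition is checked on the root only."""
    return cond(root)


@dataclass
class Scenario:
    name: str
    action: str  # "BLOCK" or "ALLOW"
    predicate: Callable[[Obj], bool]


FP_SYMBOL = "INFECTED-CLAM-Trojan.ABC"

SCENARIOS = [
    # The generic detection: block anything carrying the ClamAV symbol.
    Scenario("Block Trojan.ABC", "BLOCK",
             lambda r: has_symbol(r, FP_SYMBOL)),
    # The whitelisting scenario from the page: same symbol, but only when
    # the root object is not an e-mail.
    Scenario("Limit Trojan.ABC to Email", "ALLOW",
             lambda r: has_symbol(r, FP_SYMBOL)
             and has_root(r, lambda o: o.object_type != "Email")),
]


def decide(root: Obj, scenarios: list[Scenario] = SCENARIOS) -> tuple[str, list[str]]:
    """Return (final verdict, names of the scenarios that matched).

    ALLOW takes precedence over BLOCK; with no match at all the object
    simply passes with no verdict ("NONE").
    """
    matched = [s for s in scenarios if s.predicate(root)]
    actions = {s.action for s in matched}
    if "ALLOW" in actions:
        verdict = "ALLOW"
    elif "BLOCK" in actions:
        verdict = "BLOCK"
    else:
        verdict = "NONE"
    return verdict, [s.name for s in matched]


# Constructed sample objects: the same flagged PDF seen in different contexts.
def make_flagged_pdf() -> Obj:
    return Obj("PDF", {FP_SYMBOL})


def sample_email_with_attachment() -> Obj:
    return Obj("Email", children=[make_flagged_pdf()])


def sample_email_with_zipped_attachment() -> Obj:
    # Nesting does not matter: the root is still an e-mail.
    return Obj("Email", children=[Obj("Zip", children=[make_flagged_pdf()])])


def sample_uploaded_pdf() -> Obj:
    # Same file, but submitted directly (e.g. from a file share).
    return make_flagged_pdf()


def sample_clean_pdf() -> Obj:
    return Obj("PDF")


if __name__ == "__main__":
    cases = [("email + attachment", sample_email_with_attachment()),
             ("email + zipped attachment", sample_email_with_zipped_attachment()),
             ("PDF submitted directly", sample_uploaded_pdf()),
             ("clean PDF", sample_clean_pdf())]
    for label, obj in cases:
        print(f"{label:28} -> {decide(obj)}")
```

Running the block shows the behaviour the scenario is meant to produce: the flagged PDF is blocked when the root is an Email, whether attached directly or inside an archive, but is allowed when it is the root object itself, and a clean PDF matches nothing.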
Click on the download button below to get the scenario, adapt it to your needs (with the example detection name it won't have any effect!), and upload it using Contextal Console or the ctx command line tool (when using the latter, don't forget to reload remote scenarios after adding a new one!)
{
  "name": "Limit Trojan.ABC to Email",
  "min_ver": 1,
  "max_ver": null,
  "creator": "Contextal",
  "description": "This scenario limits the ClamAV detection Trojan.ABC to e-mails, and ignores it when a root object is of a different type.",
  "local_query": "@has_symbol(\"INFECTED-CLAM-Trojan.ABC\") && @has_root(object_type != \"Email\")",
  "context": null,
  "action": "ALLOW"
}