Many Adaptive Protection / Behavioral Analysis detections are being received.

Article ID: 252356


Products

Endpoint Security Complete

Issue/Introduction

"Suspicious Threat Detected" notification emails are inundating inboxes. They are typically triggered by behavioral analysis of valid Windows scripts, and the flagged activities look normal.

Environment

Release : 14.3 RU5

Cause

This is working as designed.

Resolution

These alerts are generated by the Adaptive Protection policy. They show up as ACM detections, such as ACM.Rd32-InjSvc!g1, ACM.Curl-Lnch!g1, ACM.Ps-InjSvc!g1, or many others. This policy monitors a set of known "Living off the Land" attack methods. The policy itself does not detect malicious code execution, only the use of those known methods, and many OS processes and applications use these same methods as part of normal operation. The purpose of Adaptive Protection is to make unusual executions visible and to allow action to be taken on them. If a known method is being exploited in the environment, you can change that method's action to Block until the threat has been neutralized.
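Because these detections record method use rather than malicious code, triage is easier when the individual notifications are rolled up into a daily summary and compared against what the environment normally does. The following Python script is an added example (not Symantec's code or any product export format): it aggregates constructed ACM alert records by detection name and host, and flags detection/process pairs that did not appear during an earlier baseline window. The record field names are assumptions.

```python
"""Roll up constructed Adaptive Protection (ACM) alert records into a daily
digest and flag detection/process pairs not seen in a baseline window."""
from collections import Counter
from datetime import date, datetime

# Constructed sample alerts. Field names (time, host, detection, process) are
# assumptions for this example, not the product's notification format.
SAMPLE_ALERTS = [
    {"time": "2023-05-01T08:01:00", "host": "ws-01", "detection": "ACM.Ps-InjSvc!g1", "process": "powershell.exe"},
    {"time": "2023-05-01T09:15:00", "host": "ws-02", "detection": "ACM.Rd32-InjSvc!g1", "process": "rundll32.exe"},
    {"time": "2023-05-02T07:30:00", "host": "ws-01", "detection": "ACM.Ps-InjSvc!g1", "process": "powershell.exe"},
    {"time": "2023-05-02T08:05:00", "host": "ws-01", "detection": "ACM.Ps-InjSvc!g1", "process": "powershell.exe"},
    {"time": "2023-05-02T08:40:00", "host": "ws-02", "detection": "ACM.Ps-InjSvc!g1", "process": "powershell.exe"},
    {"time": "2023-05-02T10:00:00", "host": "ws-03", "detection": "ACM.Rd32-InjSvc!g1", "process": "rundll32.exe"},
    {"time": "2023-05-02T11:20:00", "host": "ws-02", "detection": "ACM.Curl-Lnch!g1", "process": "curl.exe"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def build_baseline(alerts, before):
    """Return the (detection, process) pairs seen before the cutoff.

    Pairs observed during the baseline window are treated as part of normal
    operation; anything outside this set is worth a closer look."""
    return {(a["detection"], a["process"]) for a in alerts if parse_time(a["time"]) < before}


def daily_digest(alerts, day, baseline):
    """Summarise one day's alerts: counts per detection and per host, plus
    any detection/process pairs that were not in the baseline."""
    day_alerts = [a for a in alerts if parse_time(a["time"]).date() == day]
    by_detection = Counter(a["detection"] for a in day_alerts)
    by_host = Counter(a["host"] for a in day_alerts)
    seen_today = {(a["detection"], a["process"]) for a in day_alerts}
    return {
        "total": len(day_alerts),
        "by_detection": dict(by_detection),
        "by_host": dict(by_host),
        "new_pairs": sorted(seen_today - baseline),
    }


def run_example():
    """Baseline on 2023-05-01, then summarise 2023-05-02."""
    baseline = build_baseline(SAMPLE_ALERTS, datetime(2023, 5, 2))
    return daily_digest(SAMPLE_ALERTS, date(2023, 5, 2), baseline)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```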

To limit the number of emails received, change the alert settings to send only one daily email. To do this, select the Incidents and Alerts tab on the left of the console, select the Alert Rules tab, select "Suspicious Threat Detected" from the list of alerts, and change the alert frequency, as shown: