Resolving False Positives in EDR Searches for "msinfo32.exe"
Article ID: 402125
Updated On:
Products
Carbon Black EDR
Issue/Introduction
False positive alerts in EDR feed reports when searching for processes with original_filename values like msinfo32.exe.
Environment
- EDR Server: All Supported Versions
- EDR Windows Sensor: All Supported Versions
Cause
- Solr tokenizes certain fields (including original_filename) using delimiters like backslashes (\), @ symbols, or numbers followed by dots (e.g., 32.).
- The search term msinfo32.exe was split into tokens msinfo and .exe, matching any .exe file.
Resolution
Make sure to put the full filename into quotes like original_filename:"msinfo32.exe"
Feedback
Yes
No
Powered by
