How to distinguish between logged and blocked detections involving WS.Reputation.x from SES Cloud

Article ID: 404923

Updated On:

Products

Endpoint Security Complete

Issue/Introduction

You see many detections involving WS.Reputation.x (WS.Reputation.1 and WS.Reputation.6) and are having difficulty deciding whether the detections merit submission as a False Positive to the Broadcom Security Response SymSubmit portal.

Resolution

1. In SES Cloud, add the columns "DISPOSITION" and "THREAT NAME" to the Investigate page.

2. Reload the page. 

3. When reviewing the results, note the differences below:

If the "DISPOSITION" is "4-File Detection - Logged" and the "THREAT NAME" is WS.Reputation.x (WS.Reputation.1 and WS.Reputation.6), then the file was only detected and logged but NOT blocked.
NOTE: Since these events were only detected and logged, there is no need to submit the file(s) as a False Positive submission.

However, if the "DISPOSITION" is "12-File Detection - Quarantined" and the "THREAT NAME" is WS.Reputation.x (WS.Reputation.1 and WS.Reputation.6), then the file was indeed detected and blocked.
NOTE: In this specific case, if you think this file is "clean" and was "incorrectly" blocked, only then would you need to consider submitting the relevant file(s) to Broadcom Security Response via the SymSubmit portal as defined here
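
The rule above applied to a list of events, per file rather than per event, as an added example that is not Broadcom's code. It assumes the events are available as CSV with the two column names used above plus a hypothetical FILE_SHA256 column; every sample row, including the "99-..." disposition, is constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. DISPOSITION and THREAT NAME are the column names
# from the article; FILE_SHA256 is a hypothetical column with placeholder values.
SAMPLE_CSV = """DISPOSITION,THREAT NAME,FILE_SHA256
4-File Detection - Logged,WS.Reputation.1,aaaa-placeholder
12-File Detection - Quarantined,WS.Reputation.1,bbbb-placeholder
4-File Detection - Logged,WS.Reputation.6,bbbb-placeholder
12-File Detection - Quarantined,Trojan.Example,cccc-placeholder
99-Constructed Unknown Disposition,WS.Reputation.1,dddd-placeholder
"""

REPUTATION = re.compile(r"^WS\.Reputation\.\d+$", re.IGNORECASE)
LOGGED_ID, QUARANTINED_ID = 4, 12  # numeric prefixes of the two dispositions in the article


def disposition_id(text):
    """Return the numeric prefix of an 'N-Label' disposition string, or None."""
    m = re.match(r"\s*(\d+)\s*-", text or "")
    return int(m.group(1)) if m else None


def triage(csv_text):
    """Group WS.Reputation.x events per file and split blocked from logged-only."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not REPUTATION.match((row.get("THREAT NAME") or "").strip()):
            continue  # other threat names are outside the article's rule
        seen[row["FILE_SHA256"].strip()].add(disposition_id(row.get("DISPOSITION")))
    result = {"blocked": [], "logged_only": [], "other": []}
    for sha, ids in sorted(seen.items()):
        if QUARANTINED_ID in ids:
            result["blocked"].append(sha)      # quarantined at least once: review, submit only if clean
        elif ids == {LOGGED_ID}:
            result["logged_only"].append(sha)  # never blocked: no False Positive submission needed
        else:
            result["other"].append(sha)        # disposition the article does not cover
    return result


if __name__ == "__main__":
    for bucket, files in triage(SAMPLE_CSV).items():
        print(bucket, files)
```

A file that appears with both dispositions lands in `blocked`, since it was quarantined on at least one endpoint.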