When ISS creates a new signature, this signature goes through extensive false positive testing. However, it is difficult for ISS to reproduce all possible network configurations. Occasionally, new false positives are discovered after the release of a signature. Oftentimes they are found by you, our customers!
We are dedicated to reducing false positives in our products. If you are experiencing false positives for a particular signature in your environment, you can report the false positive so that we can make our products better for you.
To submit a false positive report, send an email to falsepositives@iss.net with, at a minimum, the following information:
a screenshot of the false positive event (or events)
a brief summary of why you think this false positive happens
if the false positive is being triggered by a specific software product or network configuration in your environment, a description of the software (with version information) or network configuration
In many cases, ISS cannot fix the false positive problem without the following information. If you can provide it in your report, it would be extremely helpful to ISS:
a capture file (a file that contains a frame-by-frame record of network traffic over a specific period of time). The ISS X-Force has developed a very detailed and informative paper on using the Microsoft Network Monitor to capture network traffic. You can view this paper at: http://www.iss.net/support/product_utilities/realsecure_tech_center/tips_tricks/index.php
explicit instructions on how to reproduce the false positive
the name, phone, and email of someone we can contact if we need assistance to reproduce the false positive
Protecting your proprietary information: If the information you need to send contains company proprietary information, contact falsepositives@iss.net for a public encryption key and a non-disclosure agreement, if required.