Automating the World

 
Labtechuser1
Topic Author
Posts: 8
Joined: Wed Nov 09, 2016 9:30 am

AV-Disabled monitor fires false positives

Fri Jan 06, 2017 12:33 pm

The AV-Disabled internal monitor is creating false-positive tickets most of the time. Has anybody faced this before? Any input?
 
rami
Geek
Posts: 273
Joined: Wed Jun 10, 2015 12:00 pm
Current LT Agent Count: 200+

Re: AV-Disabled monitor fires false positives

Mon Feb 06, 2017 3:38 pm

What is the Additional Condition in your internal monitor?
What AV are you using?
 
imurphy
Geek
Posts: 108
Joined: Mon May 20, 2013 8:39 am
Current LT Agent Count: 200+

Re: AV-Disabled monitor fires false positives

Tue Feb 07, 2017 3:02 am

I don't get false positives on the disabled internal monitor, but do get false positives for signatures not being up to date. I haven't managed to pin it down, but I think it occurs when devices like laptops are offline but running. When they reconnect, the agent connects to LT and the monitor fires. Moments later the AV updates.

Is it possible something in your AV disables the AV for a minute while it updates? You could increase the monitor count to, say, 3 and see if that cures the issue. If the AV is really disabled, it will be disabled for several minutes - enough time for the monitor to fire a few times.