You want to know how to configure ATSE when it is not used in combination with Deep Discovery Analyzer (DDAN) to avoid false positive detections.
ATSE uses heuristic methods for determining suspicious files and therefore it is possible to have false positive detections. ATSE is most effective when combined with DDAN. In this case, IWSVA can send files that are flagged as suspicious to DDAN to get confirmation whether they are malicious or not. Without DDAN integration, the benefit of using ATSE is reduced.
When using ATSE without DDAN, we recommend to set ATSE to "Monitor" rather than "Block" suspicious files. This way, a notification will be sent when ATSE flags a file as suspicious and this allows the files to be investigated further. ATSE detections can be recognized from the virus name as they always start with "EXPL_" or "HEUR_".
To set ATSE to "Monitor":
- On the IWSVA web console, go to HTTP > Advanced Threat Protection > Policies > Virus Scan Global Policy > Virus/Malware Scan Rule.
-
Under the Advanced Threat Scan section, select Monitor on the Exploits Scan Action dropdown menu.
Click image to enlarge.
IWSVA also offers the option to tweak the level of aggressiveness of ATSE to reduce the number of false positive detections. To do this, it is neccesary to edit the configuration file /var/iwss/intscan.ini as described in the KB article: Editing configuration files of Linux-based products.
To tweak the level of aggressiveness of ATSE, you need to change the value of the parameter "atse_aggressive_level".
The following table contains the description of the levels you can set:
| Value | Description |
|---|---|
| -1 | IWSVA will not set ATSE aggressive level. |
| 0 | disable all ATSE rules |
| 1 | very high confidence (very conservative) - only CVE detections |
| 2 | high confidence (conservative) - with some HEUR rules |
| 3 | low confidence (aggressive) - with most HEUR rules |
| 4 | even include poc rules (very aggressive) - with all rules |
