How to submit a False Positive case for Threat Emulation?
To submit a False Positive report for Threat Emulation, collect the following information and open a support ticket with Check Point Support:
1- Full information on the deployment used for emulation: local emulation, cloud, or dedicated TE appliance.

2- Output of the following commands:

# tecli ad sc all 
# tecli s d all 
# tecli ad en ver 
# cpstat threat-emulation -f contract

NOTE: If the deployment includes both a Security Gateway and a TE appliance, collect this information from both.

3- The original file suspected as a false positive. [Archive the file with password = infected]

4- In SmartView Tracker / SmartLog, copy the log to a text file [not a screenshot] and download the PDF report file.

5- The ThreatEmulation_dataXML file from the report. [This file has no extension]

      The ThreatEmulation_dataXML file is created once the TE report from SmartView Tracker or SmartLog is opened in the browser, and can be found in the following directory: C:\Users\user_name\AppData\Local\Temp\IncidentAttachments\TEReports\{report_id}\data\

        Go to SmartView Tracker/SmartLog (for Management server R77.X) or to SmartLog (for Management server R80.X), and open the log of the suspected file.

        Click to view the report [do not download it].

        An IE browser will open the report, and you will find the report_id in the URL.

      C:\Users\user_name\AppData\Local\Temp\IncidentAttachments\TEReports\{report_id}\data\ThreatEmulation_dataXML

6- CPinfo output files from all relevant machines [Security Gateway, Security Management server, TE appliance].
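
Step 2 as an added example (not Check Point's own script): a shell function that runs the four commands listed above on the machine where it is called and saves their output, together with each exit status, to one text file per host. The function name, output directory and file name are assumptions; when the deployment has both a Security Gateway and a TE appliance, run it on each.

```shell
#!/bin/sh
# Added example: gather the step-2 command outputs for a false positive ticket.

# The four commands from step 2, one per line, exactly as listed on the page.
TE_COMMANDS='tecli ad sc all
tecli s d all
tecli ad en ver
cpstat threat-emulation -f contract'

# collect_te_info OUTDIR   (hypothetical helper name)
# Writes OUTDIR/te_fp_<hostname>.txt and prints that path on stdout.
# Return value: number of commands that failed (0 means all succeeded).
collect_te_info() {
    outdir=$1
    host=$(hostname 2>/dev/null || echo unknown-host)
    outfile="$outdir/te_fp_${host}.txt"
    failed=0
    mkdir -p "$outdir" || return 255
    {
        echo "Host: $host"
        echo "Collected: $(date -u '+%Y-%m-%dT%H:%M:%SZ')"
    } > "$outfile"
    while IFS= read -r cmd; do
        {
            echo
            echo "===== # $cmd ====="
        } >> "$outfile"
        # Unquoted on purpose: each line is a command followed by its arguments.
        # stdin comes from /dev/null so a command cannot swallow the command list.
        if $cmd < /dev/null >> "$outfile" 2>&1; then
            echo "[exit status: 0]" >> "$outfile"
        else
            # A missing or failing command is recorded and the run continues,
            # so support sees which outputs are absent on this machine.
            echo "[exit status: $?]" >> "$outfile"
            failed=$((failed + 1))
        fi
    done <<EOF
$TE_COMMANDS
EOF
    echo "$outfile"
    return "$failed"
}

# Usage (directory is an assumption): collect_te_info /var/tmp/te_fp
```

Attach the resulting text file from every machine to the ticket alongside the items from steps 3 to 6.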

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
