
Does anyone have a benign, false positive site that can be used for testing of the IDS of Netskope?

Failing that, a true positive that I can turn the IDS on for in the Dev tenant?

I primarily want to see what it looks like in the logs so when I put it in monitor mode in production I know what I am looking for.

@wilson downloading the eicar test file should trigger IPS if I recall correctly. This assumes you have all signatures enabled as IPS has eicar detection for both web and non-web protocols:

Thanks @sshiflett, I appreciate the effort.

It appears that the policy of preventing malicious downloads occurs before the IDS protection. I guess I could disable the Threat Protection policies temporarily in the Dev tenant and see what happens after that, but that might be more effort and more risky than the proposed results. I will think about it some more.

I think my desire now can be rated as a “nice to have” and I will just have to proceed to production claiming that the monitor only mode is safe enough in that it doesn’t perform any action. 


@wilson let me see if there’s any other methods to trigger it. I don’t recall off the top of my head but will double check.

You could also bypass the eicar hash while still retaining all other threat protection policies.
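
As an added example (not from this thread and not Netskope's code), a small Python script that assembles the public 68-byte EICAR test pattern, writes it to a file for the download test, and computes the digests you would enter into a hash exception so the malware-download policy lets the file through to the IDS/IPS stage. The file path is an assumption; nothing here is product-specific.

```python
"""Build the EICAR anti-virus test file and compute the hashes needed for a
hash-based exception in a threat-protection policy.

The EICAR string is a published, harmless test pattern. It is assembled
from fragments here so this script itself does not contain the contiguous
signature and get flagged before the test download even happens."""
import hashlib
from pathlib import Path

# Standard EICAR test string, split into fragments (see module docstring).
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "!$H+H*",
)


def eicar_bytes() -> bytes:
    """Return the exact 68-byte EICAR test pattern (no trailing newline)."""
    data = "".join(_EICAR_PARTS).encode("ascii")
    assert len(data) == 68, "EICAR pattern must be exactly 68 bytes"
    return data


def eicar_hashes() -> dict[str, str]:
    """Hex digests of the test file, the values a hash exception would take."""
    data = eicar_bytes()
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def write_eicar(path: str) -> int:
    """Write the test file in binary mode and return the byte count.

    Binary mode matters: a stray newline or CRLF conversion changes the
    hash, and the exception you entered would then no longer match."""
    return Path(path).write_bytes(eicar_bytes())


if __name__ == "__main__":
    # Assumed output path; adjust to where your test host serves downloads.
    written = write_eicar("eicar.com.txt")
    print(f"wrote {written} bytes")
    for name, digest in eicar_hashes().items():
        print(f"{name:6s} {digest}")
```

After the download is blocked (or allowed, once the hash exception is in place), compare the digest your logs report with the values printed here to confirm you are looking at the same object.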


@sshiflett Simple and brilliant idea. That provided the evidence that I was looking for.
