topic Wildfire False positivs ... more than usual in General Topics

Wildfire False positivs ... more than usual

Remo — Thu, 13 Feb 2020 12:49:20 GMT

Hi community

In our environments we start getting more and more fals positivs from wildfire where documents (mainly docx and xlsx) are flaged as malicious without any reason, or at least a reason without details in the WF report. I wonder if you see the same over the past about 7 days?

Re: Wildfire False positivs ... more than usual

jambulo — Fri, 14 Feb 2020 19:31:28 GMT

In the last few days we've been getting a ton of FP's. None of these files are related in any way, but one commonality we did find was Wildfire was keying on these 2 things:

1) Http request without User-Agent

2) HTTP GET requests to x.x.x.x/wpad.dat (x.x.x.x being the same IP every time).

Also, our WF500 appliance is reporting all of these FP's. If we upload the same file to the WF cloud, the files come back as benign. I have a ticket open with support and they have escalated it to engineering.

Re: Wildfire False positivs ... more than usual

Remo — Sun, 16 Feb 2020 09:19:11 GMT

In my case the FPs are mostly office documents - no matter what extention (.doc, .docx, .xls, .xlsx). With all of them WF shows "started a process from a user folder" but in the report details there is absolutely nothing about that behavior.

I have also a case open which is also already escalet to engineering.

Re: Wildfire False positivs ... more than usual

Remo — Sun, 16 Feb 2020 10:35:09 GMT

@jambulo did I understand correctly your FPs are only on your wf500 appliance?