False positive alerts


L4 Transporter

A very high quantity of botnet false alerts is being reported on our appliance. Using 9.1.3.


Botnet report alerts as noted below:


Repeatedly visited (10) the same URL

Repeatedly visited (30) the same URL

Repeatedly visited (69) the same URL


Visited malware URL tdsjsext1.life/ExtService.svc/getextparams, which resolves to app-id "google-base"/443

If you check the above IP addresses, you will see a common factor; it looks like this is normal behaviour for Google's ad platform?


How to fix this issue?


Cyber Elite


The botnet report flags anything that is connecting directly to an IP address instead of an FQDN; while this is common in ad networks, the firewall doesn't maintain a list of IPs that are "common" to be connecting to directly due to these bad practices. All that is really saying is that someone connected directly to an IP address, and doing so can be an indication of an issue.
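Because the report's underlying check is just "the URL host is a bare IP rather than an FQDN", an analyst can reproduce it offline to triage the volume. The following is an added example, not code from the forum thread or from Palo Alto Networks: it parses constructed URL-log lines (documentation-range IPs, not real traffic), counts repeated visits per source and URL, flags direct-to-IP URLs, and tags those on an analyst-maintained allowlist as expected. The allowlist is an assumption of this example; as noted above, the firewall itself keeps no such list.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines (not real firewall output): "<src> <dst> <app> <url>".
# IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
10.1.1.5 198.51.100.46 google-base https://198.51.100.46/pagead/conversion
10.1.1.5 198.51.100.46 google-base https://198.51.100.46/pagead/conversion
10.1.1.5 198.51.100.46 google-base https://198.51.100.46/pagead/conversion
10.1.1.7 192.0.2.10 web-browsing https://example.com/index.html
10.1.1.9 203.0.113.17 web-browsing https://203.0.113.17/svc/getparams
"""


def host_is_ip(url):
    """True when the URL's host is a literal IP address rather than an FQDN."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text, known_direct_ip_hosts=frozenset()):
    """Return (visit_counts, findings).

    visit_counts mirrors the report's "repeatedly visited the same URL" count,
    keyed by (source, url). findings lists every direct-to-IP URL; hosts on the
    analyst allowlist (an assumption of this example) get verdict "expected",
    everything else gets "review".
    """
    visits = Counter()
    for line in log_text.splitlines():
        src, _dst, _app, url = line.split(maxsplit=3)
        visits[(src, url)] += 1

    findings = []
    for (src, url), count in visits.items():
        if not host_is_ip(url):
            continue  # FQDN destinations are not what the report flags
        host = urlsplit(url).hostname
        verdict = "expected" if host in known_direct_ip_hosts else "review"
        findings.append({"src": src, "host": host, "visits": count, "verdict": verdict})
    return visits, findings
```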

Hi @BPry 


The entire list looks like web browsing (unified logs showing as such?) and as a result the botnet alerts are incorrect. Surely this is not normal behaviour?
