WildFire false positives ... more than usual

Cyber Elite


Hi community,

In our environments we have started getting more and more false positives from WildFire where documents (mainly docx and xlsx) are flagged as malicious without any reason, or at least a reason without details in the WF report. I wonder if you have seen the same over the past 7 days or so?

L4 Transporter

Re: WildFire false positives ... more than usual

In the last few days we've been getting a ton of FPs. None of these files are related in any way, but one commonality we did find was that WildFire was keying on these two things:

1) HTTP request without User-Agent

2) HTTP GET requests to x.x.x.x/wpad.dat (x.x.x.x being the same IP every time)

Also, our WF-500 appliance is reporting all of these FPs. If we upload the same file to the WildFire cloud, the files come back as benign. I have a ticket open with support and they have escalated it to engineering.
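The triage the reply above describes, lining up a batch of unrelated FP reports and looking for what they share, can be scripted. The following is an added example for this thread, not code from the posters or from Palo Alto Networks. It works over a constructed, simplified structure (one list of observed behaviours per sample) rather than the real WildFire report format, and its list of "low-signal" behaviours is an assumption: WPAD auto-proxy discovery (a GET for wpad.dat, which in a fixed guest image will always hit the same host) and requests sent with no User-Agent header are both things a Windows sandbox guest's own components can produce regardless of the sample, so a verdict that rests only on them is the first candidate for an FP ticket.

```python
"""Find what a batch of suspected false-positive sandbox reports have in common.

Added example for this thread, not code from the thread's authors or from
Palo Alto Networks. The report structure is a constructed stand-in (one list
of observed behaviours per sample), not the real WildFire report format, and
LOW_SIGNAL_PATTERNS is an assumption to tune against your own benign baseline.
"""
import re
from collections import Counter

# Behaviours a Windows sandbox guest can produce on its own, independent of the
# sample: WPAD auto-proxy discovery (GET .../wpad.dat) and WinHTTP/URLMon
# requests sent without a User-Agent header. Assumed list; extend it from
# behaviours you see in runs of files you know to be benign.
LOW_SIGNAL_PATTERNS = [
    re.compile(r"/wpad\.dat\b", re.IGNORECASE),
    re.compile(r"without\s+user-?agent", re.IGNORECASE),
]

# Constructed sample reports: sample id -> verdict and behaviours observed.
# 10.0.0.5 is a made-up placeholder for the "same IP every time".
REPORTS = {
    "docx-1": {"verdict": "malware", "behaviors": [
        "HTTP request without User-Agent",
        "HTTP GET 10.0.0.5/wpad.dat",
        "Started a process from a user folder",
    ]},
    "xlsx-1": {"verdict": "malware", "behaviors": [
        "HTTP request without User-Agent",
        "HTTP GET 10.0.0.5/wpad.dat",
    ]},
    "exe-1": {"verdict": "malware", "behaviors": [
        "HTTP GET 10.0.0.5/wpad.dat",
        "Injected code into a remote process",
        "Modified a Run registry key",
    ]},
    "pdf-1": {"verdict": "benign", "behaviors": [
        "HTTP request without User-Agent",
    ]},
}


def is_low_signal(behavior):
    """True if the behaviour matches a known sandbox-environment artifact."""
    return any(p.search(behavior) for p in LOW_SIGNAL_PATTERNS)


def common_behaviors(reports, min_fraction=1.0):
    """Behaviours seen in at least min_fraction of the reports, sorted.

    Each behaviour is counted once per report, so a sample that repeats a
    request many times does not dominate the tally.
    """
    if not reports:
        return []
    tally = Counter()
    for rep in reports.values():
        tally.update(set(rep["behaviors"]))
    threshold = min_fraction * len(reports)
    return sorted(b for b, n in tally.items() if n >= threshold)


def low_signal_only(reports):
    """Samples with a malware verdict whose behaviours are all low-signal.

    These are the first candidates for an FP ticket: the verdict rests on
    nothing the guest would not have done by itself.
    """
    return sorted(
        sid
        for sid, rep in reports.items()
        if rep["verdict"] == "malware"
        and rep["behaviors"]
        and all(is_low_signal(b) for b in rep["behaviors"])
    )


def triage(reports, min_fraction=0.75):
    """Summarise a batch: shared behaviours, and which of them are artifacts."""
    shared = common_behaviors(reports, min_fraction)
    return {
        "shared": shared,
        "shared_low_signal": [b for b in shared if is_low_signal(b)],
        "low_signal_only": low_signal_only(reports),
    }


if __name__ == "__main__":
    summary = triage(REPORTS)
    print("Behaviours shared by most samples:", summary["shared"])
    print("...of which sandbox artifacts:", summary["shared_low_signal"])
    print("Malware verdicts resting only on artifacts:", summary["low_signal_only"])
```

The samples that `low_signal_only` returns are the ones worth re-submitting to the cloud (or another engine) for a second verdict, as the reply above did, and the ones to attach to a support case; a sample like `exe-1`, which also injects into a remote process, should not be written off just because it shares the WPAD request with the rest of the batch.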

Cyber Elite

Re: WildFire false positives ... more than usual

In my case the FPs are mostly Office documents, no matter what extension (.doc, .docx, .xls, .xlsx). For all of them WF shows "started a process from a user folder", but in the report details there is absolutely nothing about that behavior.

I also have a case open, which has likewise already been escalated to engineering.

Cyber Elite

Re: WildFire false positives ... more than usual

@jambulo, did I understand correctly that your FPs are only on your WF-500 appliance?
