Wildfire False positivs ... more than usual

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Wildfire False positivs ... more than usual

L7 Applicator

Hi community

 

In our environments we start getting more and more fals positivs from wildfire where documents (mainly docx and xlsx) are flaged as malicious without any reason, or at least a reason without details in the WF report. I wonder if you see the same over the past about 7 days?

3 REPLIES 3

L4 Transporter

In the last few days we've been getting a ton of FP's.  None of these files are related in any way, but one commonality we did find was Wildfire was keying on these 2 things:

1)  Http request without User-Agent

2) HTTP GET requests to x.x.x.x/wpad.dat (x.x.x.x being the same IP every time).

Also, our WF500 appliance is reporting all of these FP's.  If we upload the same file to the WF cloud, the files come back as benign.  I have a ticket open with support and they have escalated it to engineering.

In my case the FPs are mostly office documents - no matter what extention (.doc, .docx, .xls, .xlsx). With all of them WF shows "started a process from a user folder" but in the report details there is absolutely nothing about that behavior.

I have also a case open which is also already escalet to engineering.

@jambulo did I understand correctly your FPs are only on your wf500 appliance?

  • 3248 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!