In our environments we have started getting more and more false positives from WildFire where documents (mainly docx and xlsx) are flagged as malicious without any reason, or at least a reason without details in the WF report. I wonder if you have seen the same over about the past 7 days?
In the last few days we've been getting a ton of FP's. None of these files are related in any way, but one commonality we did find was WildFire was keying on these 2 things:
1) HTTP request without User-Agent
2) HTTP GET requests to x.x.x.x/wpad.dat (x.x.x.x being the same IP every time).
Also, our WF500 appliance is reporting all of these FP's. If we upload the same file to the WF cloud, the files come back as benign. I have a ticket open with support and they have escalated it to engineering.
In my case the FPs are mostly office documents - no matter what extension (.doc, .docx, .xls, .xlsx). With all of them WF shows "started a process from a user folder" but in the report details there is absolutely nothing about that behavior.
I also have a case open, which has also already been escalated to engineering.