I did not get your point in your sentence "Found 11,059 out of 76,738 results". Please explain what you mean. What did you find out of 76k? Malware? Endpoints? Please check my last answer a few mins ago to Pdysart in case it helps you.

About the alerts with benign verdicts: if somehow the endpoint is not connected to the Cortex management console/WF, or the verdicts from WF take too long, local analysis kicks in, and this might be the reason for those alerts. Later the verdict might be resolved once the alert is already created (or maybe buffered to be sent when comms are recovered). Please investigate and find out whether you have an issue with WF verdicts in terms of the time it takes to get them. If you have a real issue there, open a TAC support ticket. If your endpoints are isolated when the alerts are generated by local analysis, then you should solve this matter.

Note: if the file is unknown to WF, then the agent uses local analysis to figure out whether the file is benign or malware.

Ways to get rid of alerts for benign processes:
- Add the hash to the allow list
- Add the signer to trusted signers

About the on-write scan, you will have to wait until you update the agent to 7.6.

Hope I helped with your issues.