I've also opened a support case yesterday. Sadly, the suggestion thus far is to create an exception. I'm holding out for now because, as you've all stated, this seems like an adjustment they need to make on their end. We are averaging right around 55-60K of these alerts popping off every hour; it's making our SIEM think the world is ending. Considering I'm seeing traffic to domains like msn.com, google.com, amazon.com, twitter.com, webex.com, yahoo.com, and bing.com, I would say the fix should likely be a much tighter signature than what they released on 10/30. The description for ID 85454, which is what is kicking them off, is "This signature detects encrypted command and control traffic from Tofsee malware." I highly doubt all those domains are partaking in a C2 scenario. I too will post what support comes up with; they did say I wasn't alone and others have also complained.