Gateway Anti-Virus Alert: Multi-compressed ZIP/GZIP file blocked
TZ470W. I've configured the firewall to block Multi-compressed ZIP/GZIP files. As a result, I'm occasionally flooded with alert e-mails about machines trying to download such a file. It's not user-initiated. The alert e-mail only lists the source and destination IP - not the file name. The same for the System Logs. The source IP-addresses differ, like 18.104.22.168, .248.99.254, 22.214.171.124, 126.96.36.199. They all resolve to a non-existent domain.
I temporarily disabled the blocking of multi-compressed ZIP-files in order for Capture ATP to process those files, but that doesn't list multi-compressed ZIP-files.
It could very well be these downloads are legitimate, like Windows Updates or something like that. But how do I figure out what's being downloaded and where it comes from?