Decoy files false-positives?
Eddy77 Newbie ✭
We are using CC behind a TZ370 with Firewall enforcement and network alerts setup.
On several network clients we get Firewall alerts on IPS/BAD-FILES.
After further investigation on the Firewall I managed to pull the responder IP addresses: 184.108.40.206, 220.127.116.11, 18.104.22.168
The IP addresses belong to "sonicwall.sentinelone.net"
We have the decoy files function enabled in CC, could this be CC trying to download decoy files?
Category: Capture Security Center
I created a support ticket for this issue; they recommended that I disable the Decoy files in the CC policy to check if the Decoy files are triggering IPS. After disabling the Decoy files option I still got the IPS alerts and ended up adding sonicwall.sentinelone.net as an IPS exclusion. After that the alerts were gone.
So it must be some other file/exe that is triggering IPS, probably sentinelone agent updates :-)
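The check a practitioner would want before adding a hostname-based IPS exclusion, as an added example that is not part of the original thread or any SonicWall/SentinelOne code: pull the responder IPs out of the IPS alerts, confirm each one actually belongs to the vendor hostname, and keep flagging any responder that does not. The log lines, the key=value field layout, the management-IP/source addresses and the hostname-to-IP mapping below are all constructed for the example (SonicOS's real syslog format and live DNS answers differ); the three responder IPs are the ones quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample IPS alert lines in a generic key=value syslog style.
# This is NOT the exact SonicOS log format; field names here are assumptions.
SAMPLE_ALERTS = """\
id=firewall time="2023-05-02 09:14:21" fw=203.0.113.10 msg="IPS Detection Alert: BAD-FILES" src=10.1.1.25:51234:X0 dst=184.108.40.206:443:X1
id=firewall time="2023-05-02 09:14:25" fw=203.0.113.10 msg="IPS Detection Alert: BAD-FILES" src=10.1.1.40:51240:X0 dst=220.127.116.11:443:X1
id=firewall time="2023-05-02 09:15:02" fw=203.0.113.10 msg="IPS Detection Alert: BAD-FILES" src=10.1.1.25:51301:X0 dst=18.104.22.168:443:X1
id=firewall time="2023-05-02 09:20:11" fw=203.0.113.10 msg="IPS Detection Alert: BAD-FILES" src=10.1.1.77:52011:X0 dst=198.51.100.9:443:X1
"""

# Constructed stand-in for resolving the vendor hostname. In a real triage,
# forward-resolve the hostname and reverse-resolve each responder IP instead
# of trusting a static table, so the exclusion only covers the vendor's hosts.
RESOLVED = {
    "sonicwall.sentinelone.net": {"184.108.40.206", "220.127.116.11", "18.104.22.168"},
}

MSG_RE = re.compile(r'msg="([^"]*)"')
SRC_RE = re.compile(r'\bsrc=(\d{1,3}(?:\.\d{1,3}){3}):')
DST_RE = re.compile(r'\bdst=(\d{1,3}(?:\.\d{1,3}){3}):\d+')


def parse_alerts(text):
    """Extract msg, src (client) and dst (responder) from each alert line."""
    alerts = []
    for line in text.splitlines():
        m_msg, m_src, m_dst = MSG_RE.search(line), SRC_RE.search(line), DST_RE.search(line)
        if not (m_msg and m_src and m_dst):
            continue  # skip lines that are not shaped like an IPS alert
        alerts.append({"msg": m_msg.group(1), "src": m_src.group(1), "dst": m_dst.group(1)})
    return alerts


def triage(alerts, exclusion_host, resolved=RESOLVED):
    """Split alerts into those a hostname exclusion would cover and those it would not."""
    covered_ips = resolved.get(exclusion_host, set())
    covered, remaining = [], []
    for alert in alerts:
        (covered if alert["dst"] in covered_ips else remaining).append(alert)
    return covered, remaining


def summarize(alerts):
    """Count alerts per responder IP so the noisy hosts stand out."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["dst"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    covered, remaining = triage(parsed, "sonicwall.sentinelone.net")
    print("covered by exclusion:", summarize(covered))
    print("still needs investigation:", summarize(remaining))
```

Running it shows the three SentinelOne responders being absorbed by the exclusion while the fourth, unrelated responder (constructed here as 198.51.100.9) stays in the "still needs investigation" bucket; that is the point of resolving the hostname first rather than excluding whatever IPs happen to appear in the alerts.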