Decoy files false-positives?
Eddy77
Newbie ✭
We are using CC behind a TZ370 with Firewall enforcement and network alerts setup.
On several network clients we get Firewall alerts on IPS/BAD-FILES:
After further investigation on the Firewall I managed to pull the responder IP addresses: 3.220.221.104, 35.173.44.173, 54.172.195.97
The IP addresses belong to "sonicwall.sentinelone.net"
We have the decoy files function enabled in CC, could this be CC trying to download decoy files?
Category: Capture Security Center
Comments
I created a support ticket for this issue, they recommended me to disable the Decoy files in the CC policy to check if the Decoy files are triggering IPS. After disabling the Decoy files option I still got the IPS alerts and ended up adding sonicwall.sentinelone.net as an IPS exclusion. After that the alerts were gone.
So it must be some other file/exe that is triggering IPS, probably sentinelone agent updates :-)
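The triage the thread describes (pull the responder IPs out of the IPS alerts, find out which hostname they belong to, and only then decide on an exclusion) can be scripted so the decision is repeatable. The following is an added example written for this thread; it is not code from the original post or from SonicWall or SentinelOne. The alert line format, the trusted-domain list and the DNS answers are all constructed assumptions: the real lookups (`live_ptr`, `live_forward`) use the standard `socket` module, while the fake resolvers let the block run offline. It goes one step beyond the thread by requiring forward-confirmed reverse DNS, so a PTR record alone cannot make an unrelated IP look like vendor infrastructure.

```python
import re
import socket

# Constructed sample IPS alert lines (the line format is invented for this
# example; the first three responder IPs are the ones quoted in the thread,
# the fourth is a documentation-range address used to show a negative case).
SAMPLE_ALERTS = """\
2024-05-01 08:12:03 IPS Alert: BAD-FILES src=10.0.1.25:51234 dst=3.220.221.104:443
2024-05-01 08:12:09 IPS Alert: BAD-FILES src=10.0.1.31:51877 dst=35.173.44.173:443
2024-05-01 08:13:44 IPS Alert: BAD-FILES src=10.0.1.25:52001 dst=54.172.195.97:443
2024-05-01 08:15:10 IPS Alert: BAD-FILES src=10.0.1.40:49222 dst=198.51.100.77:443
"""

# Vendor domains the organisation has decided to trust (assumption).
TRUSTED_SUFFIXES = ("sentinelone.net",)

# Constructed DNS answers so the example runs offline. The fourth IP carries a
# PTR record that claims the vendor name but has no matching forward record,
# which is exactly the case forward confirmation is meant to catch.
FAKE_PTR = {
    "3.220.221.104": "sonicwall.sentinelone.net",
    "35.173.44.173": "sonicwall.sentinelone.net",
    "54.172.195.97": "sonicwall.sentinelone.net",
    "198.51.100.77": "sonicwall.sentinelone.net",
}
FAKE_FORWARD = {
    "sonicwall.sentinelone.net": {"3.220.221.104", "35.173.44.173", "54.172.195.97"},
}

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def extract_responder_ips(log_text):
    """Unique responder (destination) IPs in order of first appearance."""
    seen = []
    for ip in DST_RE.findall(log_text):
        if ip not in seen:
            seen.append(ip)
    return seen


def live_ptr(ip):
    """Real reverse lookup; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def live_forward(host):
    """Real forward lookup; empty set when the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}
    except OSError:
        return set()


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def fake_forward(host):
    return FAKE_FORWARD.get(host, set())


def in_trusted_domain(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def attribute_ips(ips, suffixes, ptr=live_ptr, forward=live_forward):
    """Reverse-resolve each responder IP, require the name to resolve forward
    to the same IP (forward-confirmed reverse DNS), then check the trusted list."""
    report = {}
    for ip in ips:
        host = ptr(ip)
        confirmed = host is not None and ip in forward(host)
        report[ip] = {
            "host": host,
            "forward_confirmed": confirmed,
            "trusted_vendor": confirmed and in_trusted_domain(host, suffixes),
        }
    return report


def exclusion_candidates(report):
    """Hostnames reasonable to propose as an IPS exclusion: only those that are
    forward-confirmed and inside a trusted vendor domain."""
    return sorted({r["host"] for r in report.values() if r["trusted_vendor"]})


def needs_review(report):
    """Responder IPs that should stay flagged for manual investigation."""
    return sorted(ip for ip, r in report.items() if not r["trusted_vendor"])


if __name__ == "__main__":
    ips = extract_responder_ips(SAMPLE_ALERTS)
    rep = attribute_ips(ips, TRUSTED_SUFFIXES, ptr=fake_ptr, forward=fake_forward)
    for ip, r in rep.items():
        print(ip, r)
    print("exclusion candidates:", exclusion_candidates(rep))
    print("needs review:", needs_review(rep))
```

Against the constructed data the three thread IPs are attributed to sonicwall.sentinelone.net and proposed as the single exclusion candidate, while the fourth IP is held back because its PTR claim is not confirmed by a forward record. Run against real firewall exports, drop the `ptr=`/`forward=` arguments so the live resolvers are used, and keep the exclusion scoped to the hostname rather than to individual IPs, as the comment above did.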