Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".


Decoy files false-positives?

We are using CC behind a TZ370 with Firewall enforcement and network alerts setup.

On several network clients we get Firewall alerts on IPS/BAD-FILES:

After further investigation on the Firewall I managed to pull the responder IP addresses:,,

The IP addresses belong to ""

We have the decoy files function enabled in CC, could this be CC trying to download decoy files?

Category: Capture Security Center


  • Options
    Eddy77Eddy77 Newbie ✭

    I created a support ticket for this issue, they recommended me to disable the Decoy files in the CC policy to check it the Decoy files are triggering IPS. After disabling the Decoy files option I still got the IPS-alerts and ended up to add as IPS exclusion. After that the alerts where gone.

    So it must be some other file/exe that is triggering IPS, probably sentinelone agent updates :-)

Sign In or Register to comment.