We have an MX68 in production and recently started receiving syslog messages with event type "security_filtering_file_scanned" stating that a file download was blocked. The associated domains AND file hashes are not listed as malicious by other online sources. Below is one of the parsed logs.
How does AMP cloud determine the download is malicious? Is it the URL or the file hash?
Side note: we don't see any record of these security events in "Security & SD-WAN > Security Center" or "Network Wide > Event Log". We only get the syslog messages saying these file downloads were blocked.