@Raj66 updated my ticket. I am sure the support guy Indy Cao is thrilled to see it still happening.
We're getting these as well on our FTD VPN FWs with AMP
<*- Network Based Malware From "VPN-FTD01" at Mon Aug 5 20:31:33 2019 UTC -*>
Sha256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6 Disposition: Malware Threat name: W32.7B512B45B6-100.SBX.TG IP Addresses: x.x.x.x<-18.104.22.168
However, Talos shows it as clean...
Is there a report available detailing this issue and what has been put in place to prevent this from happening again? Looking for something to send out to our clients detailing this false positive.
@Josh214 It is rather unlikely there is a report yet. Despite the thread indicating it is "solved", I still have 2 open cases with support.
In my case this was partly due to a setting (my issue was with AMP on ASA firewalls, but it's a similar database): in the management console for the file policy you can tell it to override Talos's disposition based on the ThreatGrid score. TAC said that because of the way the update file works it is capable of being malicious, so it gives it a very high threat score. In our case, we told our appliances to mark it as malware if the threat score was Very High. Not sure if this is relatable to you guys, but I wanted to mention it.
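An added triage helper, not code from any poster in this thread, that parses "Network Based Malware" syslog lines of the shape quoted above and separates events whose disposition came from a sandbox score from those backed by a Talos name. Two things are assumptions: that a threat name of the form W32.&lt;hash prefix&gt;-&lt;score&gt;.SBX.TG encodes the Threat Grid score (the quoted event's "-100.SBX.TG" is read that way), and that the policy's override threshold corresponds to a score of 95 (the `override_threshold` parameter; adjust it to match your file policy). The sample events are constructed; the first one joins the two quoted lines, the others use placeholder hashes, sensors and RFC 5737 addresses.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Field labels and order follow the quoted FTD/FMC event; whitespace is tolerated.
EVENT_RE = re.compile(
    r'Network Based Malware From "(?P<sensor>[^"]+)" at (?P<when>.+?) -\*>\s*'
    r'Sha256:\s*(?P<sha256>[0-9a-fA-F]{64})\s+'
    r'Disposition:\s*(?P<disposition>\S+)\s+'
    r'Threat name:\s*(?P<threat>\S+)\s+'
    r'IP Addresses:\s*(?P<ips>\S+)'
)

# Assumption: names like W32.<hash prefix>-<score>.SBX.TG are generic names derived
# from a sandbox (Threat Grid) score, not from a Talos signature; <score> is 0-100.
SANDBOX_RE = re.compile(r'^[A-Za-z0-9]+\.[0-9A-Fa-f]+-(?P<score>\d{1,3})\.SBX\.TG$')

# Constructed sample: event 0 joins the two lines quoted in the thread,
# events 1-2 are made up (placeholder hashes and sensor names), event 3 is noise.
SAMPLE_EVENTS = [
    '<*- Network Based Malware From "VPN-FTD01" at Mon Aug 5 20:31:33 2019 UTC -*> '
    'Sha256: 7b512b45b6903b562e7f52b04a7715c05f0bb0cfc42438d6f1f2cdbb32124ac6 '
    'Disposition: Malware Threat name: W32.7B512B45B6-100.SBX.TG IP Addresses: x.x.x.x<-18.104.22.168',
    '<*- Network Based Malware From "EDGE-FTD02" at Tue Aug 6 09:12:01 2019 UTC -*> '
    'Sha256: ' + 'deadbeef' * 8 + ' '
    'Disposition: Malware Threat name: W32.Example.Constructed IP Addresses: 10.0.0.5<-203.0.113.7',
    '<*- Network Based Malware From "EDGE-FTD02" at Tue Aug 6 09:15:44 2019 UTC -*> '
    'Sha256: ' + 'cafef00d' * 8 + ' '
    'Disposition: Unknown Threat name: W32.0123456789-60.SBX.TG IP Addresses: 10.0.0.6<-198.51.100.9',
    'some unrelated syslog text that is not a file event',
]


@dataclass
class AmpEvent:
    sensor: str
    when: str
    sha256: str
    disposition: str
    threat_name: str
    ips: str


def parse_event(line: str) -> Optional[AmpEvent]:
    """Extract the file-event fields from one syslog line, or None if it is not one."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return AmpEvent(m['sensor'], m['when'], m['sha256'].lower(),
                    m['disposition'], m['threat'], m['ips'])


def sandbox_score(threat_name: str) -> Optional[int]:
    """Return the numeric sandbox score encoded in a *.SBX.TG name, else None."""
    m = SANDBOX_RE.match(threat_name)
    return int(m['score']) if m else None


def triage(line: str, override_threshold: int = 95) -> Optional[dict]:
    """Classify where the verdict came from; flag score-driven Malware verdicts for a Talos check."""
    ev = parse_event(line)
    if ev is None:
        return None
    score = sandbox_score(ev.threat_name)
    if score is None:
        source = 'talos_reputation'          # named detection, not a score override
    elif score >= override_threshold:
        source = 'sandbox_override'          # policy override could have set Malware
    else:
        source = 'sandbox_below_threshold'
    return {
        'sha256': ev.sha256,
        'sensor': ev.sensor,
        'disposition': ev.disposition,
        'threat_name': ev.threat_name,
        'sandbox_score': score,
        'source': source,
        # Only these need a manual look-up of the hash against Talos's own disposition.
        'verify_with_talos': ev.disposition == 'Malware' and source == 'sandbox_override',
    }


def summarize(lines: Iterable[str]) -> dict:
    """Count events by verdict source and list hashes to verify against Talos."""
    counts = {'talos_reputation': 0, 'sandbox_override': 0,
              'sandbox_below_threshold': 0, 'unparsed': 0}
    review = []
    for line in lines:
        t = triage(line)
        if t is None:
            counts['unparsed'] += 1
            continue
        counts[t['source']] += 1
        if t['verify_with_talos']:
            review.append(t['sha256'])
    return {'counts': counts, 'review': review}


if __name__ == '__main__':
    for sha in summarize(SAMPLE_EVENTS)['review']:
        print('verify against Talos:', sha)
```

Feed it the syslog export from the FTD/ASA and the `review` list is the set of hashes whose Malware verdict may rest on the ThreatGrid-score override rather than on Talos; those are the ones worth comparing with the Talos disposition before telling clients anything.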