
Microsoft Windows Information Disclosure Signature

Jhun Banzuela
Level 1

Please evaluate if the signature (6322) Microsoft Windows Information Disclosure Signature is OK, as it seems I am receiving lots of false positive alerts.

6 Replies

mhanson2004
Level 1

Same boat here, thousands of alerts all coming from either Google or YouTube.

Will someone from Cisco please check on this and report back?

Thank you.

Mike

kevin.blackburn
Level 4

I as well have received 1000+ alerts from this one. The majority of the "attacker" IP addresses point back to Google as well. If you look at what is actually triggering the alert (in my case at least) it shows every user trying to download "GoogleUpdateSetup.exe". One of the common URLs I am seeing is below:

Got a response on my TAC case. Confirmed that they are receiving a lot of tickets on this one and it is "definitely" a false positive and can be disabled safely. Developers are looking into a fix \ new signature release at this point.

Hope that helps!

Thanks for the update Kevin. 

I wish the Cisco IPS group would respond more quickly to these types of issues. There can't be many of us still using their IPS, so their team is probably pretty lean.

Mike

IPS signature 869.0 has been pushed and the emails have stopped. This alert should no longer be an issue. Thanks

wgorman
Level 1

In my case, the signature is 6332/0, same description, 3k+ alerts, majority of sources are from Google.

Is this a false positive?

Please respond.

 
