how often can ATP provide False positves?

Question

Hi all, 
 
 just a short question, is it possible that the ATP just hits a false positive? We have a report of generic Command and Control from the site: 
 exactlywhatistime com 
 
 a basic site about relativity theory and time, but the UTM did alert due to Botnet. 
 Any ideas if there may be false positives around, or seems valid? 
 
 Thanks in advance! 
 Gerg&ouml;

DouglasFoster · Accepted Answer

I do not recall ever having a false positive from ATP. Fortunately, I have had very few alarms. 
 A legitimate website can become infected. Nobody on this website can give you permission to ignore an ATP alarm. You have to look at the logs. You need to pull your web log to see everything that the website attempted to include by reference or attempted to download to your device. 
 If you believe the website is legitimate, you should contact the site owner. 
 In my most memorable incident, I had an ATP alarm from a church website. The web page attempted to load embedded content from a Ukranian domain registered to a Russian mailing address. Our staff person was merely trying to check the church's address to attend a funeral. 
 That was on a Friday. On Monday, another staff member tripped the same alarm due to the same infection on the website of a medical practice. 
 Thanks to ATP, nothing bad happened in either case, because the hostile content was blocked. I was able to contact both site owners. The church was grateful for the bad news. The medical practice confirmed that they were aware of the problem and were in the process of shutting down the site. 
 In another case, ATP threw an alarm when a site was referenced with IE, but not with Chrome. I contacted the site owner and they were quite insulted, assuring me that they had no infection. After some research, I discovered that the IE version of their site had a programming error. A block of javascript was loaded and executed prior to the initial HTML tag. I think the problem code was supposed to be configured as an embedded function, rather than as an execute block. The code was not actually malicious, but the attempted behavior appeared hostile. I explained the coding problem and they changed their software, hopefully while enjoying a piece of humble pie. 
 
 For your alarming webiste, force the website to reputation=malicious until the site owner confirms that they have found and fixed the source of the problem.

Alexander Busch · Answer

Hi Gerg&ouml;, 
 the short answer is yes, could be, but very rare. Sometimes these were triggered by non optimal configuration of DNS and so on. 
 If you like tell us some more details and a lot of people here are willing to help. 
 So maybe show us the log entry for that ATP hit. 
 best regards 
 Alex