A false positive may be logged when an analytics rule triggers on an event that is not a threat, such as a request to a link in an email that does not carry a valid user-agent. Oftentimes this occurs when a legitimate software product interacts with emails in an unexpected way. Examples include email security software, antivirus, or a browser plugin that registers clicks on links in emails. If you know that such software is interacting with your users, you can use a DNS lookup on the source IP address to identify the specific entity registering the false positive. You can then take steps to correct the issue and protect your users.
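The triage described above, as an added example that is not part of the original article: it parses constructed click-event log lines, performs a reverse DNS (PTR) lookup on each source address, and combines the PTR hostname with the user-agent check to separate likely security products from real users. The log format, the PTR answers, and the `triage` function are assumptions made for this example; in production the fake resolver would be replaced by the real `socket.gethostbyaddr` call.

```python
import re
import socket

# Constructed sample log lines (not from the page): one per email-link click event.
SAMPLE_EVENTS = [
    'ts=2024-01-05T09:00:01Z src=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120" url=https://example.test/a',
    'ts=2024-01-05T09:00:02Z src=198.51.100.7 ua="-" url=https://example.test/a',
    'ts=2024-01-05T09:00:02Z src=198.51.100.7 ua="-" url=https://example.test/b',
    'ts=2024-01-05T09:00:03Z src=192.0.2.44 ua="python-requests/2.31" url=https://example.test/c',
]

# Constructed PTR answers standing in for real reverse-DNS results, so the
# example runs offline. Pass resolver=None to use socket.gethostbyaddr instead.
FAKE_PTR = {
    "198.51.100.7": "scanner-03.mailsecurity.example.net",
    "192.0.2.44": "ec2-192-0-2-44.compute.example.com",
}

EVENT_RE = re.compile(r'src=(?P<src>\S+) ua="(?P<ua>[^"]*)"')
NON_BROWSER_UA = ("python-requests", "curl", "Go-http-client")
SCANNER_PTR = re.compile(r"(scan|mailsecur|filter|proxy|antivirus)", re.IGNORECASE)

def reverse_lookup(ip, resolver=None):
    """Return the PTR hostname for ip, or None if it has no reverse record."""
    if resolver is not None:          # offline/testing path: dict of ip -> hostname
        return resolver.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def classify(ua, ptr):
    """Label one click event as 'user' or 'automated', with the reason."""
    if ua in ("", "-") or ua.startswith(NON_BROWSER_UA):
        return "automated", "no browser user-agent"
    if ptr and SCANNER_PTR.search(ptr):
        return "automated", "PTR suggests a security product"
    return "user", "browser user-agent, no scanner PTR"

def triage(lines, resolver=None):
    """Parse events, look up PTRs once per IP, and return one record per source IP."""
    out = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue                  # skip malformed lines rather than failing
        src, ua = m.group("src"), m.group("ua")
        rec = out.setdefault(src, {"hits": 0, "ptr": reverse_lookup(src, resolver)})
        rec["hits"] += 1
        rec["verdict"], rec["reason"] = classify(ua, rec["ptr"])
    return out
```

The per-IP records (hit count, PTR hostname, verdict) are what you would attach when reporting the source as a false positive.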
Other times, a false positive may be logged because an analytics rule detects that a user is running software on a machine outside of your control, such as a cloud service provider or public Wi-Fi. This could result in an IPS event indicating that malware is present on the system, even though the actual malware has not yet been scanned and blocked by SEP AntiVirus. In such cases, you must consider carefully all IPS events and perform a Threat Analysis Scan to verify that the infection is not present on your systems.
Navigating False Positives: Strategies for Submitting Erroneous IP Addresses
In both cases, the best course of action is to submit a message to Symantec to request that the IPS signature be cleared. Be sure to follow the submission procedure correctly, as described in the article Submitting Incorrectly Flagged Messages.