Forum Discussion

Abed_AL-R
Sep 26, 2021

WireX DDoS Android Malware Question

I'm re-posting here this question I found on this site because I'm facing the same behavior in our F5-ASM:

Hello everyone,

I help to manage a WAF in my organization and we get approximately 2000 log entries per month, mainly on our main corporate website’s WAF policy, that trigger a signature that concerns the WireX DDoS Android Malware. Here is an example request (headers only):

Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A102U Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-language: en
content-language: en
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Encoding: gzip, deflate

I believe the empty x-requested-with: header is what is triggering this signature.

My question for you is – is this still a concern? Should we still continue to block these requests or based on what you see above, could this be a false positive?

Thank you.
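A small triage helper for this kind of signature hit, added here as an example and not part of the original post or of F5's own signature logic. It parses a raw header block like the one quoted above and reports the properties a reviewer would check before deciding between a block and a policy exception: whether X-Requested-With is present and empty (the condition the poster suspects), whether the User-Agent is an Android WebView (the `wv` platform token; a stock WebView normally sends the embedding app's package name in X-Requested-With, so an empty value is atypical), and whether the Sec-Fetch headers describe a top-level navigation. The sample block reuses the headers from the post plus an empty `X-Requested-With:` line, which is an assumption because the quoted dump does not show it; the function names are mine.

```python
"""Triage helper for WAF hits that fire on an empty X-Requested-With header.

Added example; not code from the forum post or from F5. It parses a raw
request header block and reports the properties a reviewer would look at
when deciding whether a hit on a WireX-style signature deserves a block
or a policy exception.
"""
from typing import Dict, List, Optional, Tuple

# Headers from the forum post above, plus a blank X-Requested-With line that
# the poster believes is present in the logged request (assumed; the post's
# header dump does not show it).
SAMPLE_REQUEST = """\
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A102U Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-language: en
content-language: en
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
X-Requested-With:
Accept-Encoding: gzip, deflate
"""


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs.

    Header names are case-insensitive, so they are lower-cased; the value is
    stripped of surrounding whitespace, so 'X-Requested-With:' yields ''.
    Blank lines and lines without a colon are ignored.
    """
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip() or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def first_value(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Return the first value of a header, or None if it is absent."""
    for n, v in headers:
        if n == name:
            return v
    return None


def triage(raw: str) -> Dict[str, bool]:
    """Report the properties of the request relevant to this signature hit."""
    headers = parse_headers(raw)
    xrw = first_value(headers, "x-requested-with")
    ua = first_value(headers, "user-agent") or ""
    return {
        # The condition the poster believes trips the signature.
        "x_requested_with_present": xrw is not None,
        "x_requested_with_empty": xrw == "",
        # 'wv' in the platform token marks an Android WebView; a stock WebView
        # normally sends the embedding app's package name in X-Requested-With,
        # so an empty value is atypical and worth a second look.
        "android_webview_ua": "Android" in ua and "; wv)" in ua,
        # Sec-Fetch-* metadata is added by the browser engine itself;
        # Sec-Fetch-Site: none with Sec-Fetch-Mode: navigate is what a
        # user-typed or bookmarked top-level navigation looks like.
        "browser_navigation": (
            first_value(headers, "sec-fetch-mode") == "navigate"
            and first_value(headers, "sec-fetch-site") == "none"
        ),
    }


def summarize(raw: str) -> str:
    """One-line summary for a log review queue."""
    t = triage(raw)
    if not t["x_requested_with_present"]:
        return "no X-Requested-With header: signature condition not met"
    if t["x_requested_with_empty"]:
        ctx = "webview" if t["android_webview_ua"] else "non-webview"
        nav = "navigation" if t["browser_navigation"] else "non-navigation"
        return f"empty X-Requested-With from {ctx} {nav} request: review"
    return "X-Requested-With populated: review value against known apps"


if __name__ == "__main__":
    for key, val in triage(SAMPLE_REQUEST).items():
        print(f"{key}: {val}")
    print(summarize(SAMPLE_REQUEST))
```

Run it against a handful of logged requests and compare the summaries: hits that share the same client context and header shape can be reviewed as one group, and the `triage` dictionary gives the fields to record if a policy exception is later written for them.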
