I help manage a WAF in my organisation, and we get approximately 2000 log entries per month, mainly on our main corporate website’s WAF policy, that trigger a signature concerning the WireX DDoS Android malware. Here is an example request (headers only):
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A102U Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36
Accept-Encoding: gzip, deflate
I believe the empty x-requested-with: header is what is triggering this signature.
My question for you is: is this still a concern? Should we continue to block these requests, or, based on what you see above, could this be a false positive?
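As an added example (not part of the original post, and not the WAF vendor's signature logic, which is not shown here), the following Python triage script parses raw header blocks like the one quoted above and buckets each entry by whether X-Requested-With is absent, empty, or populated, and whether the User-Agent is an Android WebView (the "wv" token). The sample header blocks are constructed: the first reproduces the quoted headers plus the empty X-Requested-With line the poster believes fires the rule; the other two are invented variations for comparison.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample header blocks (not real WAF log entries).
SAMPLE_WEBVIEW_EMPTY_XRW = """\
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A102U Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36
Accept-Encoding: gzip, deflate
X-Requested-With:
"""

# Hypothetical WebView request where the embedding app set X-Requested-With
# to its package name (the normal Android WebView behaviour).
SAMPLE_WEBVIEW_APP_XRW = """\
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A102U Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36
Accept-Encoding: gzip, deflate
X-Requested-With: com.example.app
"""

# Hypothetical desktop browser request with no X-Requested-With header at all.
SAMPLE_BROWSER_NO_XRW = """\
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Accept-Encoding: gzip, deflate, br
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name.

    A header present with no value (e.g. 'X-Requested-With:') is kept with
    an empty string so that 'empty' can be told apart from 'absent'.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return headers


@dataclass
class Triage:
    xrw_state: str        # "absent", "empty" or "set"
    xrw_value: str        # the header value when set, else ""
    android: bool         # User-Agent mentions Android
    android_webview: bool # Android UA carrying the WebView "wv" token


def triage(raw: str) -> Triage:
    """Classify one request's headers for the WireX-style rule discussed above."""
    h = parse_headers(raw)
    if "x-requested-with" not in h:
        state = "absent"
    elif h["x-requested-with"] == "":
        state = "empty"
    else:
        state = "set"
    ua = h.get("user-agent", "")
    android = "Android" in ua
    # Android WebView marks its UA with "; wv)" inside the platform parenthetical.
    webview = android and "; wv)" in ua
    return Triage(state, h.get("x-requested-with", ""), android, webview)


def summarize(blocks: List[str]) -> Dict[Tuple[str, bool], int]:
    """Count entries per (X-Requested-With state, is-Android-WebView) bucket."""
    counts: Dict[Tuple[str, bool], int] = {}
    for raw in blocks:
        t = triage(raw)
        key = (t.xrw_state, t.android_webview)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in (SAMPLE_WEBVIEW_EMPTY_XRW, SAMPLE_WEBVIEW_APP_XRW, SAMPLE_BROWSER_NO_XRW):
        print(triage(raw))
    print(summarize([SAMPLE_WEBVIEW_EMPTY_XRW, SAMPLE_WEBVIEW_APP_XRW, SAMPLE_BROWSER_NO_XRW]))
```

Running this over an export of the ~2000 monthly hits (one header block per entry) shows how many are "empty" versus "set" versus "absent", and how many come from an Android WebView as opposed to some other client. Those counts are the evidence needed to decide whether the rule is matching only on an empty header, and the script takes no position on whether the rule should stay enabled.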