Check Point and WildFire (6.0 and later) can report multiple notifications for the same file, each from a different analysis environment.

The external notifications from multiple environments

The Analysis Environment field is especially useful in this case since it provides information about the test environment(s) in which the file was detonated or analyzed, allowing you to determine whether or not the file was found malicious in each environment. For notifications based on detonation of a file, the environment includes not only the base operating system, but also other key software. For example, one notification might show the following Analysis Environment: Windows 7, Adobe Reader 11, Flash 11, Office 2010.

For WildFire notifications that involved static analysis, the type of analyzer is reported in this field; for example: DOC/CDF Analyzer.

Note: If a file is uploaded from Carbon Black App Control to the WildFire cloud for analysis and WildFire reports multiple notifications for the file, the file might be considered benign in some environments and malicious in others. The External Notifications table and External Notification Details page show the individual analysis results for each Analysis Environment. However, for a file submitted to the WildFire cloud, the Analyzed Files tab of the Requested Files page shows only the combined overall results for the file as determined by WildFire.