Luke,
They aren't false positives. We have a complex, proprietary system that evaluates URLs based on a number of factors including the presence of actual malware, correlation with other threat behavior such as spam content and origination, historical information about the URL/domain, etc.
The bottom line is that we process billions of URLs, emails, and files daily and by correlating all of this information we can determine the reputation of a given URL and assign a numerical value to that URL that represents the riskiness of said URL.
Unfortunately because the bad guys would love this information too, we can't tell you exactly why those URLs ended up on the list, but I can tell you if they ended up on the list, it wasn't by accident. Without fully understanding your computing environment and business, I can't give you specific ways to prevent this from happening again, but the high level recommendations would be:
1. Make sure any emails originating from your IP addresses aren't spam (set up a global outbound email filter or subscribe to a hosted service offering)
2. Make sure your IPs/domains/URLs aren't hosting malware. You could use some type of software on the servers to scan files, or use a web filtering gateway type solution.
Ryan Delany
Trend Micro Inc.
twitter: @ryandelany
I am a Trend Micro employee. My comments and advice come from my personal knowledge and experience. I’m happy to volunteer what I can to help others have a great Trend Micro experience.
