Customers using Zscaler cloud enforcement may experience spurious detections associated with the Zscaler cloud proxies. The options for deploying Zscaler are described at https://support.zscaler.com/hc/en-us/articles/205118615-Choosing-Traffic-Forwarding-Methods. If Zscaler is deployed in a mode where traffic is forwarded from the customer's network to Zscaler via a GRE or VPN tunnel from a DMZ firewall, no spurious detections will occur as Zscaler is effectively a transparent proxy. But if Zscaler is used as a proxy by loading PAC files into individual hosts, the spurious detections will appear.
In this configuration the Vectra appliance detects the Zscaler proxies as public (external) IP addresses and treats the traffic as external traffic headed to the proxy rather than as external traffic which will be forwarded by the proxy to its ultimate destination. This misunderstanding of the final destination of the traffic causes several algorithms to trigger spurious detections, including External Remote Access, Pulling Instructions, and Data Smuggler.
To prevent this issue, the set of public IP addresses that Zscaler uses for their proxies should be added to the list of public IP addresses listed as internal to the customer's network in the Vectra UI. The addresses for all the proxies can be found at https://ips.zscaler.net/cenr.
Please contact Vectra Support if you have a high volume of detections and would like help identifying and triaging them.