This is an intended function of the alert. It's attempting to let you know that a malicious file existed at one point in time on your network, but does not exist currently.
If you do want the event to show, even for non-prevalent files, you can disable the existing Malicious File Alert and create two new Alerts with the following settings:
- Alert 1:
  - Alert Name: Malicious File Detected Non-Prevalent
  - Type: Event Alert
  - Mail Template: Template for Event
  - Event Property: Subtype is Malicious File Detected
  - File Property: Prevalence equal to 0
- Alert 2:
  - Alert Name: Malicious File Detected Prevalent
  - Type: Event Alert
  - Mail Template: Template for Event
  - Event Property: Subtype is Malicious File Detected
  - File Property: Prevalence larger than 0