A sandfly can be deactivated if you never want it to run. This is a valid option if it is causing a false alarm in your environment and whitelisting the alert is not helping.
NOTE: Deactivating vs. Whitelisting Deactivating a sandfly in the master list disables that check for all systems. If there is a false alarm in only on one or a few hosts, consider whitelisting the alert instead. Whitelisting will mean that the sandfly is not run on the selected host(s) and not globally.
We have worked very hard to ensure false alarms do not happen, but if you have an unusual environment or configuration it is possible a Sandfly may deem it suspicious and alert. If this happens, try deactivating it by first clicking its row in the Sandflies table in order to will open its Sandfly Detail page. Then simply click on the De-Activate button. While in a de-activated state, the Description area of the details page will be greyed out along with providing an Activate button to restore its availability.
As a reminder, deactivating the sandfly here shuts it off for all systems. If this is not desired, consider whitelisting the sandfly if it is only activating as a false alarm on a few systems.
Globally Deactivating a Sandfly Check