Typically we wouldn't want to see packed executables attempting to be retrieved from the WAN, but these occured at regular 15 minute intervals and the source IP was owned by Trend Micro. Digging in the WFBS console I found:
A whole series of failed updates matching up to the UPX packed executables being blocked in the SonicWALL.
Anyone have experience with UPX compression? Is this standard practice for AV definitions to come as a packed executable? Or is the burden on SonicWALL here to get a little more detailed?