"Debug mode enabled"" rule is reporting tcpdump as enabled

We are getting occasional issues based on tcpdump enabled where the local engineer insists that tcpdump was not running at the time. The last issue was triggered at 4 AM which is most likely a time where no one was actively working on the respective device.

The issue is triggered when the ind identifies a tcpdump process is in the output of “ps aux”.

Does Checkpoint have a process that might run tcpdump automatically?