https://live.paloaltonetworks.com/t5/custom-signatures/custom-antivirus-signatures/m-p/245439#M291 <P>If you had AutoFocus, you can check these hashes to see how we classify them, IOCs related to the file (if malicious), when it was first seen, and if there is any relevance to threat actors, malware campaigns, etc.&nbsp; As a previous posted noted, Palo doesn't do signatures based on hash, as hashes are more unique than the malware itself and it would be inefficient to create hundreds/thousands or more of signatures for different hashes, especially if the underlying malware or virus is the same.&nbsp; Palo cares more about&nbsp; the underlying malicious file and its underlying activity.</P> Thu, 10 Jan 2019 00:18:47 GMT dbilinski 2019-01-10T00:18:47Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-antivirus-signatures/m-p/178320#M204 <P>Is it possible to create custom antivirus signatures?</P><P>Goal is to block files with certain hashes. The original file is not available, only the hash.</P><P>Is there any way to submit hashes to PANW so that they create signatures? (Something similar like for URLs)</P> Fri, 22 Sep 2017 19:12:31 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-antivirus-signatures/m-p/178320#M204 Anon1 2017-09-22T19:12:31Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-antivirus-signatures/m-p/178332#M205 <P>If you can send us the hash we can look to try and find the file somewhere else and make a signature if the file is malicious, but we do not do hash based blocks.&nbsp;</P> Fri, 22 Sep 2017 20:39:09 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-antivirus-signatures/m-p/178332#M205 tboire 2017-09-22T20:39:09Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-antivirus-signatures/m-p/178339#M206 <P>Hello tboire,</P><P>&nbsp;</P><P>many thanks for your reply. It is regarding a recent ransomware campaign, e.g.</P><P>&nbsp;</P><P>hash:</P><P>0f6ae637a9d15503a0af42be649388f01f8637ca16b15526e318a94b7f34bf6e</P><P>&nbsp;</P><P>Cannot find in PA Threatvault, but Virustotal shows many vendors classify it as malware.</P><P>&nbsp;</P><P>hash:</P><P>39256f126bba17770310c2115586b9f22b858cf15c43ab36bd7cfb18ad63a0c2</P><P>&nbsp;</P><P>Is found in PA Threatvault as malware, but there seems to be no signature (nothing shown regarding which wildfire content update contains a signature to block it).</P><P>&nbsp;</P><P>So the only method would be to get hold of a sample file and upload to Wildfire portal in order to trigger analysis by PA and possibly signature creation?</P><P>&nbsp;</P> Fri, 22 Sep 2017 20:59:13 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-antivirus-signatures/m-p/178339#M206 Anon1 2017-09-22T20:59:13Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-antivirus-signatures/m-p/244167#M287 <P>can you check these hashs&nbsp;</P><P>&nbsp;</P><P>New Hashes</P><P>e5bf756d5530ec38ff649b901b3c7506f8556821d979bdcb392237f2ff40daf8<BR />5257f623270b4c5cc471ff35b1bfeec80ab37c7e012da76b50ebd2c4911a43d0<BR />c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f<BR />0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe</P><P><BR />Old Hashes</P><P>5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a<BR />0266be9130bdf20976fc5490f9191edaafdae09ebe45e74cd97792412454bf0d<BR />d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a&nbsp;<BR />35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b<BR />0975eb436fb4adb9077c8e99ea6d34746807bc83a228b17d321d14dfbbe80b03<BR />391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c<BR />6985ef5809d0789eeff623cd2436534b818fd2843f09fa2de2b4a6e2c0e1a879<BR />ccb1209122085bed5bded3f923835a65d3cc1071f7e4ad52bc5cf42057dd2150<BR />dab3308ab60d0d8acb3611bf364e81b63cfb6b4c1783864ebc515297e2297589<BR />bc4513e1ea20e11d00cfc6ce899836e4f18e4b5f5beee52e0ea9942adb78fc70</P><P>&nbsp;</P><BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/715">@Anon1</a>&nbsp;wrote:<BR /><P>Is it possible to create custom antivirus signatures?</P><P>Goal is to block files with certain hashes. The original file is not available, only the hash.</P><P>Is there any way to submit hashes to PANW so that they create signatures? (Something similar like for URLs)</P><HR /></BLOCKQUOTE><P>&nbsp;</P> Thu, 20 Dec 2018 21:08:37 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-antivirus-signatures/m-p/244167#M287 Eng-nezar 2018-12-20T21:08:37Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-antivirus-signatures/m-p/245439#M291 <P>If you had AutoFocus, you can check these hashes to see how we classify them, IOCs related to the file (if malicious), when it was first seen, and if there is any relevance to threat actors, malware campaigns, etc.&nbsp; As a previous posted noted, Palo doesn't do signatures based on hash, as hashes are more unique than the malware itself and it would be inefficient to create hundreds/thousands or more of signatures for different hashes, especially if the underlying malware or virus is the same.&nbsp; Palo cares more about&nbsp; the underlying malicious file and its underlying activity.</P> Thu, 10 Jan 2019 00:18:47 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-antivirus-signatures/m-p/245439#M291 dbilinski 2019-01-10T00:18:47Z