https://live.paloaltonetworks.com/t5/custom-signatures/re-01339413/m-p/306793#M337 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/97284">@alal</a>&nbsp;</P><P>&nbsp;</P><P>Looking at the KB you post it seems the OS check comes to regex match in the HTTP header user-agent string.</P><P>As a start I would suggest you to check the regex expression and see if its match what it is expected or it needs to be improved. It will be useful if you can past it here.</P><P>&nbsp;</P><P>Googling around you should be able to find how different OS versions are described in the user-agent string. My first results says:</P><LI-CODE lang="markup">For windows 10 it is Windows NT 10.0 for windows 8 it is 6.2, windows 8.1 it is 6.3 and windows 7 it is 6.1.</LI-CODE><P><A href="https://stackoverflow.com/questions/40218173/user-agent-for-windows-7-vs-8-vs-10" target="_blank">https://stackoverflow.com/questions/40218173/user-agent-for-windows-7-vs-8-vs-10</A></P><P>So the regex expression should look like:</P><LI-CODE lang="markup">User-Agent:.+Windows NT 6\.1</LI-CODE><P>&nbsp;</P><P>This is also very useful site - <A href="http://www.useragentstring.com/" target="_blank">http://www.useragentstring.com/</A></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 15 Jan 2020 09:54:05 GMT aleksandar.astardzhiev 2020-01-15T09:54:05Z https://live.paloaltonetworks.com/t5/custom-signatures/re-01339413/m-p/306778#M336 <P>Hi Team&nbsp;</P><P>&nbsp;</P><P><SPAN>One of my Customer has configured a custom signature to block the windows 7 machine based on Http request headers. This signature is working but hitting a lot of false positives as well. For example, he can see that window 8 and windows 10 also detected by this signature.</SPAN></P><P>&nbsp;</P><P><SPAN>The customer has followed this KB article:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHeCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHeCAK</A></SPAN></P><P>&nbsp;</P><P>Can you please advise what next can be one&nbsp;</P><P>&nbsp;</P> Wed, 15 Jan 2020 08:58:48 GMT https://live.paloaltonetworks.com/t5/custom-signatures/re-01339413/m-p/306778#M336 alal 2020-01-15T08:58:48Z https://live.paloaltonetworks.com/t5/custom-signatures/re-01339413/m-p/306793#M337 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/97284">@alal</a>&nbsp;</P><P>&nbsp;</P><P>Looking at the KB you post it seems the OS check comes to regex match in the HTTP header user-agent string.</P><P>As a start I would suggest you to check the regex expression and see if its match what it is expected or it needs to be improved. It will be useful if you can past it here.</P><P>&nbsp;</P><P>Googling around you should be able to find how different OS versions are described in the user-agent string. My first results says:</P><LI-CODE lang="markup">For windows 10 it is Windows NT 10.0 for windows 8 it is 6.2, windows 8.1 it is 6.3 and windows 7 it is 6.1.</LI-CODE><P><A href="https://stackoverflow.com/questions/40218173/user-agent-for-windows-7-vs-8-vs-10" target="_blank">https://stackoverflow.com/questions/40218173/user-agent-for-windows-7-vs-8-vs-10</A></P><P>So the regex expression should look like:</P><LI-CODE lang="markup">User-Agent:.+Windows NT 6\.1</LI-CODE><P>&nbsp;</P><P>This is also very useful site - <A href="http://www.useragentstring.com/" target="_blank">http://www.useragentstring.com/</A></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 15 Jan 2020 09:54:05 GMT https://live.paloaltonetworks.com/t5/custom-signatures/re-01339413/m-p/306793#M337 aleksandar.astardzhiev 2020-01-15T09:54:05Z