Palo Alto Threat Vault AntiVirus Signatures

jmora_aspire — Mon, 25 Mar 2024 18:08:38 GMT

Hi Community!

I wanted to better understand how Palo Alto ties it's detections with its Unique Threat ID to the Wildfire Virus Detections.

For example, we have been receiving a steady amount of alerting for a Virus File and Palo Alto gives us the file name. If I search for the Unique Threat ID, I can see SHA-256's that Palo ties to it.

So my question is, are Palo Alto Virus Detections tied to a file name or can it actually pick up SHA-256's in network connections. Is the association made through the Unique Threat ID accurate? Or can it lead to false positives because it's only detecting based on file name?

Thank you in advance!

Re: Palo Alto Threat Vault AntiVirus Signatures

ymiyashita — Tue, 26 Mar 2024 01:15:16 GMT

Palo Alto Networks' virus detection is not based on the file name nor the SHA-256 hash value. The Antivirus signature is based on a byte pattern that is generated from the malicious sample analyzed by WildFire. On Threat Vault, you see the SHA-256 hashes of the associated malware samples.

Reference:
https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-20-threat-logs-av/ta-p/546632

topic Re: Palo Alto Threat Vault AntiVirus Signatures in Custom Signatures

Palo Alto Threat Vault AntiVirus Signatures

Re: Palo Alto Threat Vault AntiVirus Signatures