https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-treated-nbss-continuation-message-as-worm-win32/m-p/513419#M333 <P>Hi all,</P> <P>&nbsp;</P> <P>Recently the PA firewall received massive threat alert with family&nbsp;Worm/Win32.vobfus.</P> <P>(Application: ms-ds-smbv3, Port: 445, thr_category: pe)</P> <P>I have submitted the file samples and the files are clean, we also scan the server and there is no virus.</P> <P>Which we confirm this alert is a false positive.</P> <P>&nbsp;</P> <P>Then I take a Threat Packet Capture, PA firewall captures the&nbsp;NBSS Continuation Message.</P> <P>I see the TCP payload is all zero, it that the reason PA treated the&nbsp;NBSS Continuation Message as Worm/Win32.vobfus?</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MarcusLeung_0-1661915171950.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43452i491A9E87D4D473DA/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MarcusLeung_0-1661915171950.png" alt="MarcusLeung_0-1661915171950.png" /></span></P> <P>Please help, thank you!<BR /><BR />Regards,</P> <P>Marcus</P> Wed, 31 Aug 2022 03:28:22 GMT MarcusLeung 2022-08-31T03:28:22Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-treated-nbss-continuation-message-as-worm-win32/m-p/513419#M333 <P>Hi all,</P> <P>&nbsp;</P> <P>Recently the PA firewall received massive threat alert with family&nbsp;Worm/Win32.vobfus.</P> <P>(Application: ms-ds-smbv3, Port: 445, thr_category: pe)</P> <P>I have submitted the file samples and the files are clean, we also scan the server and there is no virus.</P> <P>Which we confirm this alert is a false positive.</P> <P>&nbsp;</P> <P>Then I take a Threat Packet Capture, PA firewall captures the&nbsp;NBSS Continuation Message.</P> <P>I see the TCP payload is all zero, it that the reason PA treated the&nbsp;NBSS Continuation Message as Worm/Win32.vobfus?</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MarcusLeung_0-1661915171950.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43452i491A9E87D4D473DA/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MarcusLeung_0-1661915171950.png" alt="MarcusLeung_0-1661915171950.png" /></span></P> <P>Please help, thank you!<BR /><BR />Regards,</P> <P>Marcus</P> Wed, 31 Aug 2022 03:28:22 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-treated-nbss-continuation-message-as-worm-win32/m-p/513419#M333 MarcusLeung 2022-08-31T03:28:22Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-treated-nbss-continuation-message-as-worm-win32/m-p/513436#M341 <P>Well just make a new security rule that matches the source and destination with a new antivirus profilewhere the antivirus signature is dissabled and place is before the current rule that is triggering the false positive.</P> <P>&nbsp;</P> <P>Worm/Win32.vobfus:</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPQgCAO&amp;lang=en_US%E2%80%A9&amp;refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPQgCAO&amp;lang=en_US%E2%80%A9&amp;refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Exceptions:</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC</A></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/create-threat-exceptions" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/create-threat-exceptions</A></P> Wed, 31 Aug 2022 19:59:49 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-firewall-treated-nbss-continuation-message-as-worm-win32/m-p/513436#M341 nikoolayy1 2022-08-31T19:59:49Z