https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/485084#M1615 <P>I did a revert of Aplications and Threats to the previous version 8564</P> Thu, 05 May 2022 06:36:40 GMT janekpalo 2022-05-05T06:36:40Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484588#M1605 <P>Anyone else seeing a large number of threat alerts this morning for the new generic signatures added last night? Seeing dozens this morning coming from user document downloads from a trusted financial source. I haven't fully decrypted the data yet, but appears to be false positives. Anyone know exactly what all these new critical threat signatures are suppose to be targeting?</P> Tue, 03 May 2022 18:17:11 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484588#M1605 Adrian_Jensen 2022-05-03T18:17:11Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484645#M1606 <P>After collecting a bunch of data, it looks like all the 81845 signature hits have a single thing in common, a base64 encoded string of ASCII "2" characters in a row (in the middle of apparent binary data).</P> Tue, 03 May 2022 20:26:05 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484645#M1606 Adrian_Jensen 2022-05-03T20:26:05Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484688#M1607 <P>I extracted the packet dumps and compared across multiple different sites triggering the alert. The common string is a 622 byte JFIF v1.01 background image file with the "22222" string in it (more likely all pixels in a color channel set to the same value). The file seems to have a few anomalies, but I am not an expert on JFIF formatting. Nothing obviously wrong in the image and certainly not "PHP Webshell" code. The extracted JFIF file, by itself, triggers 81845 when passed thru the PA.</P> Tue, 03 May 2022 22:38:14 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484688#M1607 Adrian_Jensen 2022-05-03T22:38:14Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484701#M1608 <P>I am also seeing the same behavior on .aspx files to a selected website (prod/dev/test) flagging&nbsp;<SPAN>81845.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 04 May 2022 00:13:15 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484701#M1608 RyanMinty 2022-05-04T00:13:15Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484724#M1609 <P>I have been seeing false positives on 81845 too. I have been carrying out exchange to 365 migrations for a week now fine, but for nearly a day I have been having transfers failing and lots of alerts(several times a minute) from our PAN showing 81845 threats being triggered. Given that our MS Exchange definitely is not using PHP it should not be getting caught on this one.<BR />When I stop migrations, the alerts stop.</P><P>So this threat definition probably needs some tweaking to cut down on the false positives.</P> Wed, 04 May 2022 05:07:37 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484724#M1609 Hindmarsh 2022-05-04T05:07:37Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484772#M1610 <P>Looks like its been updated from last content update</P><P>&nbsp;</P><P>Applications and Threats Content Release Notes - Version 8565</P><P>&nbsp;</P><P>Modified Anti-Spyware Signatures (1)<BR />Severity ID Attack Name Category Default Action Change Minimum PAN-OS Version Maximum PAN-OS Version<BR />critical 81845 Generic PHP Webshell File Detection webshell reset-both improved detection logic to address a possible fp issue 8.1.0</P> Wed, 04 May 2022 09:35:56 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484772#M1610 RyanMinty 2022-05-04T09:35:56Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484805#M1611 <P><STRONG>I also have this problem id 81845 (severity Critical) with user connections to the local web server on port 443 (web-browsing) and action reset-server.</STRONG></P> Wed, 04 May 2022 12:33:01 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/484805#M1611 janekpalo 2022-05-04T12:33:01Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/485007#M1612 <P>I created an anti-spyware profile with an exception for 81845 and applied it to the necessary policies until this is corrected/fine tuned.</P> Wed, 04 May 2022 20:41:03 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/485007#M1612 Gareth-Doyle 2022-05-04T20:41:03Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/485008#M1613 <P>The 8565 update to Applications and Threats database has fixed the issue for me so far. My test file is no longer triggering the alert.</P><P>&nbsp;</P><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159572">@Gareth-Doyle</a>&nbsp;Has you PA applied the update yet?</P> Wed, 04 May 2022 20:49:45 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/485008#M1613 Adrian_Jensen 2022-05-04T20:49:45Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/485044#M1614 <P>The update fixed the multiple issues I had. Rolling back the custom AS policy now <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 04 May 2022 22:57:31 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/485044#M1614 RyanMinty 2022-05-04T22:57:31Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/485084#M1615 <P>I did a revert of Aplications and Threats to the previous version 8564</P> Thu, 05 May 2022 06:36:40 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/485084#M1615 janekpalo 2022-05-05T06:36:40Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/485503#M1616 <P><SPAN>Latest Updates The signature 81845 has been revised to address the false positive issue and released on 05/03/2022 with the content update 8565.<BR />This issue should be resolved if you update to content 8565 or higher.&nbsp;</SPAN></P> <P>&nbsp;</P> Fri, 06 May 2022 21:02:22 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/threatid-81845-generic-php-webshell-file-detection-false/m-p/485503#M1616 dparris 2022-05-06T21:02:22Z