<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Potential false positive AV for MS VisualStudio update in Advanced Threat Prevention Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/potential-false-positive-av-for-ms-visualstudio-update/m-p/512723#M1729</link>
    <description>&lt;P&gt;Running into a weird problem with a VisualStudio update package being detected as a generic virus after a recent update to the Threat databases. But I can download the indicated file itself just fine. Anybody know what's going on here? Current AV database 4184-4697:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;File "Microsoft.VisualStudio.Platform.Terminal.vsix" downloaded from &lt;A href="https://download.visualstudio.microsoft.com" target="_blank"&gt;https://download.visualstudio.microsoft.com&lt;/A&gt;&amp;nbsp;- 93.184.215.201 detected as Threat ID:&amp;nbsp;&lt;SPAN&gt;531713060 -&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN&gt;Virus/Win32.WGeneric.djpjyt when downloaded using MS update installer. Initial signature in Wildfire database release 8/19 691333, current signature in AV database release 8/22 4184.&amp;nbsp;&lt;/SPAN&gt;Threat database shows sha256: hash&amp;nbsp;&lt;SPAN&gt;965ab738c1ad0b3e17e19ca1bf3a967ba1f9dfc75778391991e4734886116139.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;VisualStudio update installer v16.11.18 released 8/9 from: &lt;A href="https://docs.microsoft.com/en-us/visualstudio/releases/2019/history" target="_blank"&gt;https://docs.microsoft.com/en-us/visualstudio/releases/2019/history&lt;/A&gt;&amp;nbsp;The update installer spits out the following error, which coincides with the indicated file being blocked in PA as a threat:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;Package 'Microsoft.VisualStudio.Platform.Terminal,version=16.11.51.30345' failed to download from 'https://download.visualstudio.microsoft.com/download/pr/03852310-e601-439d-8ed5-6836f38ccc59/1a86f8b01f3829e5faf06e0070ddcdca8841dc039d345197744f0cbf27eed935/Microsoft.VisualStudio.Platform.Terminal.vsix'.&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Manually downloading the blocked file URL in a browser results in a valid file - not blocked by PA. The downloaded file appears correct and has sha256 hash of&amp;nbsp;&lt;SPAN&gt;200637e3e58adc654c788cc9ce5b4e63177571f3. The update installer fails as it can never successfully download this file (and I haven't been able to find a way to insert a separately downloaded file into the update process).&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Anyone know why the file is being blocked in the update process but not separately? I can think of a couple reasons but they all seem highly unlikely given the download source.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 23 Aug 2022 18:29:42 GMT</pubDate>
    <dc:creator>Adrian_Jensen</dc:creator>
    <dc:date>2022-08-23T18:29:42Z</dc:date>
    <item>
      <title>Potential false positive AV for MS VisualStudio update</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/potential-false-positive-av-for-ms-visualstudio-update/m-p/512723#M1729</link>
      <description>&lt;P&gt;Running into a weird problem with a VisualStudio update package being detected as a generic virus after a recent update to the Threat databases. But I can download the indicated file itself just fine. Anybody know what's going on here? Current AV database 4184-4697:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;File "Microsoft.VisualStudio.Platform.Terminal.vsix" downloaded from &lt;A href="https://download.visualstudio.microsoft.com" target="_blank"&gt;https://download.visualstudio.microsoft.com&lt;/A&gt;&amp;nbsp;- 93.184.215.201 detected as Threat ID:&amp;nbsp;&lt;SPAN&gt;531713060 -&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN&gt;Virus/Win32.WGeneric.djpjyt when downloaded using MS update installer. Initial signature in Wildfire database release 8/19 691333, current signature in AV database release 8/22 4184.&amp;nbsp;&lt;/SPAN&gt;Threat database shows sha256: hash&amp;nbsp;&lt;SPAN&gt;965ab738c1ad0b3e17e19ca1bf3a967ba1f9dfc75778391991e4734886116139.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;VisualStudio update installer v16.11.18 released 8/9 from: &lt;A href="https://docs.microsoft.com/en-us/visualstudio/releases/2019/history" target="_blank"&gt;https://docs.microsoft.com/en-us/visualstudio/releases/2019/history&lt;/A&gt;&amp;nbsp;The update installer spits out the following error, which coincides with the indicated file being blocked in PA as a threat:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;Package 'Microsoft.VisualStudio.Platform.Terminal,version=16.11.51.30345' failed to download from 'https://download.visualstudio.microsoft.com/download/pr/03852310-e601-439d-8ed5-6836f38ccc59/1a86f8b01f3829e5faf06e0070ddcdca8841dc039d345197744f0cbf27eed935/Microsoft.VisualStudio.Platform.Terminal.vsix'.&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Manually downloading the blocked file URL in a browser results in a valid file - not blocked by PA. The downloaded file appears correct and has sha256 hash of&amp;nbsp;&lt;SPAN&gt;200637e3e58adc654c788cc9ce5b4e63177571f3. The update installer fails as it can never successfully download this file (and I haven't been able to find a way to insert a separately downloaded file into the update process).&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Anyone know why the file is being blocked in the update process but not separately? I can think of a couple reasons but they all seem highly unlikely given the download source.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 23 Aug 2022 18:29:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/potential-false-positive-av-for-ms-visualstudio-update/m-p/512723#M1729</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2022-08-23T18:29:42Z</dc:date>
    </item>
    <item>
      <title>Re: Potential false positive AV for MS VisualStudio update</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/potential-false-positive-av-for-ms-visualstudio-update/m-p/512762#M1730</link>
      <description>&lt;P&gt;The corresponding sha256 hash is 1a86f8b01f3829e5faf06e0070ddcdca8841dc039d345197744f0cbf27eed935 (SHA-1: 200637e3e58adc654c788cc9ce5b4e63177571f3). The WildFire verdict of this sample is benign. (ThreatVault doesn't have this information, though). If you upload the sample to the WildFire cloud, you can find the verdict also.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This is most likely a False Positive caused by signature collision.&lt;BR /&gt;Reference: What is an Antivirus collision in the case of a False Positive, and how can we deal with it?&lt;BR /&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWICA0" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWICA0&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I would suggest adding an exception on the firewall temporarily for the update to succeed.&lt;BR /&gt;Reference: How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats&lt;BR /&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I guess the manual download with a browser succeeded because it uses a partial download using the HTTP range header. It may also depend on how the security policy &amp;amp; profile are configured on the firewall.&lt;/P&gt;</description>
      <pubDate>Wed, 24 Aug 2022 02:43:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/potential-false-positive-av-for-ms-visualstudio-update/m-p/512762#M1730</guid>
      <dc:creator>ymiyashita</dc:creator>
      <dc:date>2022-08-24T02:43:55Z</dc:date>
    </item>
    <item>
      <title>Re: Potential false positive AV for MS VisualStudio update</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/potential-false-positive-av-for-ms-visualstudio-update/m-p/512763#M1731</link>
      <description>&lt;P&gt;Ooops... you are correct, gave the SHA1 hash instead of the SHA256... trying to do it on a Windows PC instead of a Linux PC I'm more familiar with.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Yeah, our Infosec is currently going over it. The biggest problem is that we haven't been able to replicate it/have a download Infosec can confirm is a false positive via other tools. The VisualStudio installer tool is triggering the alert repeatedly when it downloads the file on some machines, but we don't get the alert using the same installer on other machines. We are unsure if the installer is pulling different files or giving different arguments to the download server, which results in slightly different file downloads. Wildfire says the file is benign, but the SHA256 hash is different from the manual download, so the question becomes, is the server providing different versions of the same file?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We are doing full decryption with AV/threat/wildfire/URL filtering on all the affected traffic. As you suggest, I think it is most likely a signature collision, but in our high-security environment we are hesitant to give a signature bypass without a testable confirmation of benign-ness.&lt;/P&gt;</description>
      <pubDate>Wed, 24 Aug 2022 03:45:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/potential-false-positive-av-for-ms-visualstudio-update/m-p/512763#M1731</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2022-08-24T03:45:44Z</dc:date>
    </item>
  </channel>
</rss>