topic Re: DNS Signatures in Advanced Threat Prevention Discussions

DNS Signatures

Jared_Hainline — Fri, 10 Feb 2023 17:52:09 GMT

Our Palo started blocking a 3rd party site that is used by our organization. It was being sinkholed. I found the threat ID and it appears that it was tagged as virus/spyware. Short of allowing an exception for this one threat ID, is there any other action that can be taken to have palo re-evaluate and create a new signature that would deem the site ok?

I am also happy to inform the users to use a different site if it really is a threat.

Re: DNS Signatures

Raido_Rattameister — Fri, 10 Feb 2023 18:43:27 GMT

Is site categorized as malware?

You can request recategorization at https://urlfiltering.paloaltonetworks.com/

If it is identified by vulnerability signatures then you can open support case with Palo and provide packet capture.

Re: DNS Signatures

Jared_Hainline — Fri, 10 Feb 2023 19:02:16 GMT

According to the threat vault, it is listed under DNS Signatures, type is AntiVirus and wildfire. So, the domain got sinkholed. We don't have the URL filtering license so that wasn't a possibility.

I know I can create an exception for this specific Threat ID. But if it is a true threat, don't really want to do that. If the threat ID says that it's Antivirus/WildFire. How would we get it re-examined? Does this mean that virus activity was detected on the domain name and that's why the DNS signature was made?

Re: DNS Signatures

Raido_Rattameister — Fri, 10 Feb 2023 19:09:03 GMT

https://threatvault.paloaltonetworks.com/ shows you when this threat id was generated.

Most likely it was auto generated by Wildfire sandbox.

Either false positive or someone actually downloaded malicious file from the website and caused website to be tagged as malware site.

Re: DNS Signatures

Jared_Hainline — Fri, 10 Feb 2023 19:11:16 GMT

Yeah, so, how would I go about verifying which one it is? If it's a false positive, then that needs to be corrected. If not, then I don't want to add an exception to permit this domain.

Re: DNS Signatures

Raido_Rattameister — Fri, 10 Feb 2023 19:18:37 GMT

Open support case with Palo.

https://support.paloaltonetworks.com/

Re: DNS Signatures

ymiyashita — Mon, 13 Feb 2023 01:40:30 GMT

I suggest opening a support case.
Whether it's False positive or True positive really depends on the signature (the unique threat ID is necessary for further investigation).

Re: DNS Signatures

Jared_Hainline — Mon, 13 Feb 2023 18:26:16 GMT

I opened up a support case and they had already deactivated the signature. I removed the signature exception and found that the domain was still working. It's good to know that I can just open a support case to get false positives looked at. In the 8 years as a Palo customer, I have never ran into this before.