https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539675#M1920 <P>That is interesting.&nbsp; I submitted the URL of the file to wildfire and that decided it was benign.&nbsp; Do you know if that automatically reclassifies it, or is that just an assessment for information?</P> Fri, 21 Apr 2023 08:32:57 GMT djr 2023-04-21T08:32:57Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539493#M1914 <P>Can I get assistance on this false positive.<BR /><BR /></P> <TABLE id="antivirus-signatures" class="table table-bordered pan-grid table-hover" data-pagination="true" data-toggle="table" data-pagination-v-align="top" data-reactid=".0.1.1:$VbSpS.1"> <TBODY data-reactid=".0.1.1:$VbSpS.1.1"> <TR data-index="0" data-reactid=".0.1.1:$VbSpS.1.1.0"> <TD data-reactid=".0.1.1:$VbSpS.1.1.0.2"> <DIV data-reactid=".0.1.1:$VbSpS.1.1.0.2.0"> <P class="hash sha256" data-reactid=".0.1.1:$VbSpS.1.1.0.2.0.0">9a27f17d859d7f60a26030c7a0ef3698ffa0ff5ff4230963e52ab79a6a4dacdf</P> </DIV> </TD> </TR> </TBODY> </TABLE> <P><SPAN>Virus/Win32.WGeneric.dyafjk<BR /></SPAN></P> <P class="" data-reactid=".0.1.1:$VbSpS.1.1.0.0.1">Unique Threat ID: 575312775<BR /><SPAN>Create Time: 2023-03-15 02:43:51 (UTC)</SPAN></P> Thu, 20 Apr 2023 07:34:16 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539493#M1914 Salathiwe 2023-04-20T07:34:16Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539497#M1915 <P>I have been seeing this since 17th March on downloads of utorrent installer which appear to be legitimate</P> <P>URL:&nbsp;llsw.download3.utorrent.com/3.6.0/utorrent.46738.installer.exe</P> <P>I have raised this with our support partner.</P> Thu, 20 Apr 2023 08:08:23 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539497#M1915 djr 2023-04-20T08:08:23Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539516#M1916 <P>Support Partner as in Palo Alto&nbsp; (TAC) ?</P> Thu, 20 Apr 2023 09:51:32 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539516#M1916 Salathiwe 2023-04-20T09:51:32Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539528#M1917 <P>It has been raised with TAC via our support partner.&nbsp; I am not getting sensible answers yet from either.</P> Thu, 20 Apr 2023 11:32:33 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539528#M1917 djr 2023-04-20T11:32:33Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539529#M1918 <P>I have an answer from TAC that they are confident the file I have queried is malicious.&nbsp; I still find that odd, but that's their assessment.</P> Thu, 20 Apr 2023 11:51:38 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539529#M1918 djr 2023-04-20T11:51:38Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539639#M1919 <P>If you suspect that the verdict is incorrect, you can submit a verdict change request.</P> <P>&nbsp;</P> <P>Reference:<BR />- WildFire report incorrect verdict (virus false positive or false negative)<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm7KCAS" target="_self">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm7KCAS</A></P> Fri, 21 Apr 2023 00:40:31 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539639#M1919 ymiyashita 2023-04-21T00:40:31Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539675#M1920 <P>That is interesting.&nbsp; I submitted the URL of the file to wildfire and that decided it was benign.&nbsp; Do you know if that automatically reclassifies it, or is that just an assessment for information?</P> Fri, 21 Apr 2023 08:32:57 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539675#M1920 djr 2023-04-21T08:32:57Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539680#M1922 <P>The WildFire verdict of the sample (9a27f17d859d7f60a26030c7a0ef3698ffa0ff5ff4230963e52ab79a6a4dacdf) is still "Malware".<BR />Please go into the report itself and check the verdict and the hash value.</P> <P>If the hash value is different, you may want to submit the sample rather than the URL.</P> Mon, 24 Apr 2023 01:22:41 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539680#M1922 ymiyashita 2023-04-24T01:22:41Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539700#M1923 <P>Thank you for pointing that out.&nbsp; I find it odd that on one screen it says Benign, but if you click for details it says it is malicious.&nbsp; The hash does match so it seems they do believe it's bad so blocking it is the right thing to do.&nbsp;</P> <P>&nbsp;</P> <P>Thanks again</P> Fri, 21 Apr 2023 13:11:03 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539700#M1923 djr 2023-04-21T13:11:03Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539840#M1924 <P>Ok, thanks for checking the report.</P> <P>&nbsp;</P> <P>By the way, please note that submitting the same sample or the URL of the same sample doesn't trigger the reclassification (especially, when it's uploaded to the same regional cloud), e.g. the WildFire just reuses the existing result.</P> <P>&nbsp;</P> <P>If you submit a verdict change request, then the sample will be re-analyzed by the Palo Alto Networks researcher/engineer manually.</P> Mon, 24 Apr 2023 01:28:54 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/file-getting-blocked-false-positive/m-p/539840#M1924 ymiyashita 2023-04-24T01:28:54Z