<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Virus alerts on odd files in July 2023 in Advanced Threat Prevention Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/virus-alerts-on-odd-files-in-july-2023/m-p/554457#M1986</link>
    <description>&lt;P&gt;False Positives: Sometimes, security tools can mistakenly flag legitimate files as malicious. Given the nature of the flagged files (associated with Microsoft and Adobe), this is a possibility. Infected Source: There's a chance you've downloaded the software from a non-official or compromised source. Outdated Signatures: The threat database or signatures of your security tools might be outdated, leading to incorrect flagging. I haven't personally seen these specific flags recently, but I would advise: Ensure you're downloading software and updates only from official sources. Update your security tools and their signatures. Check with the vendors (Adobe, Microsoft, Sutherland Global) for any known issues. If you're part of a larger organization or network, reach out on security forums or groups related to Palo Alto Networks for shared experiences.&lt;/P&gt;</description>
    <pubDate>Mon, 21 Aug 2023 05:54:11 GMT</pubDate>
    <dc:creator>KianMarsh</dc:creator>
    <dc:date>2023-08-21T05:54:11Z</dc:date>
    <item>
      <title>Virus alerts on odd files in July 2023</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/virus-alerts-on-odd-files-in-july-2023/m-p/551125#M1973</link>
      <description>&lt;P&gt;Our SIEM has received several virus alerts from the Palo firewall since mid-July.&amp;nbsp; The AV or Wildfire has flagged Adobe and Microsoft files. And now a web site for a digital transformation and process company smartupload.sutherlandglobal.com.&amp;nbsp; Alerts include:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Virus/Win32.WGeneric.dzuhnx(#s removed) was detected at Microsoft.VisualStudio.Web.Scaffolding.vsix&lt;/P&gt;
&lt;P&gt;Virus/Win32.pioneer.uzd(#s removed) was detected at VulcanMessage5.dll&lt;/P&gt;
&lt;P&gt;Dropper/Win32.fiy.clu(#s removed) was detected at AGMService.exe&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Has anyone else seen this odd behaviour lately?&lt;/P&gt;</description>
      <pubDate>Wed, 26 Jul 2023 16:32:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/virus-alerts-on-odd-files-in-july-2023/m-p/551125#M1973</guid>
      <dc:creator>Jeromey-Lanvera</dc:creator>
      <dc:date>2023-07-26T16:32:12Z</dc:date>
    </item>
    <item>
      <title>Re: Virus alerts on odd files in July 2023</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/virus-alerts-on-odd-files-in-july-2023/m-p/551134#M1974</link>
      <description>&lt;P&gt;Yes, have seen the same for the last two. Appears to be a false positive which was finally removed.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Threat ID 593953851 -&amp;nbsp;&lt;SPAN&gt;Dropper/Win32.fiy.clu was entered into the AV database on or about 7/18. On 7/19 it started constantly flagging the Adobe Photoshop update process trying to download AGMService.exe. The AV database entry completely disappeared on 7/20 like it never existed...&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;This was then followed by Threat ID 595725048 -&amp;nbsp;Virus/Win32.mikcer.flsd which was entered into the AV database sometime on or before 7/20. It flagged the same AGMService.exe file from Adobe. The AV database entry was updated at some point around 7/21 and stopped detecting the Adobe file, but the database doesn't give the initial release date... just a 7/25 current release update.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Threat ID 595101261 - Virus/Win32.pioneer.uzd was entered into the Wildfire database on 7/18 and the main AV database on 7/20 (I think). On 7/21 it started constantly flagging Adobe Photoshop update processes trying to download VulcanMessage5.dll file. The Wildfire database entry is no longer active (as of yesterday?), the AV database entry has completely disappeared yesterday like it never existed.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Overall... yeah not happy with PA as they keep having these false positive database entries that have all their information wiped like they never happened, instead of showing the true initial release and withdrawal dates....&lt;/P&gt;</description>
      <pubDate>Wed, 26 Jul 2023 18:42:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/virus-alerts-on-odd-files-in-july-2023/m-p/551134#M1974</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2023-07-26T18:42:46Z</dc:date>
    </item>
    <item>
      <title>Re: Virus alerts on odd files in July 2023</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/virus-alerts-on-odd-files-in-july-2023/m-p/554457#M1986</link>
      <description>&lt;P&gt;False Positives: Sometimes, security tools can mistakenly flag legitimate files as malicious. Given the nature of the flagged files (associated with Microsoft and Adobe), this is a possibility. Infected Source: There's a chance you've downloaded the software from a non-official or compromised source. Outdated Signatures: The threat database or signatures of your security tools might be outdated, leading to incorrect flagging. I haven't personally seen these specific flags recently, but I would advise: Ensure you're downloading software and updates only from official sources. Update your security tools and their signatures. Check with the vendors (Adobe, Microsoft, Sutherland Global) for any known issues. If you're part of a larger organization or network, reach out on security forums or groups related to Palo Alto Networks for shared experiences.&lt;/P&gt;</description>
      <pubDate>Mon, 21 Aug 2023 05:54:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/virus-alerts-on-odd-files-in-july-2023/m-p/554457#M1986</guid>
      <dc:creator>KianMarsh</dc:creator>
      <dc:date>2023-08-21T05:54:11Z</dc:date>
    </item>
  </channel>
</rss>