https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wildfire-virus-threatid-602574714-false-positive/m-p/557326#M1995 <P>Good Morning,</P> <P>Has anyone had WildFire-Virus threat events with the following&nbsp; threat ID:602574714 ?</P> <P>&nbsp;</P> <SECTION data-reactid=".0.1.1:$Bar38"> <H3 data-reactid=".0.1.1:$Bar38.0"><SPAN data-reactid=".0.1.1:$Bar38.0.0">Antivirus Signatures&nbsp;</SPAN></H3> <DIV class="bootstrap-table"> <DIV class="fixed-table-toolbar"><SPAN>Showing 1 to 1 of 1 rows</SPAN></DIV> <DIV class="fixed-table-container"> <DIV class="fixed-table-body"> <TABLE id="antivirus-signatures" class="table table-bordered pan-grid table-hover" data-pagination="true" data-toggle="table" data-pagination-v-align="top" data-reactid=".0.1.1:$Bar38.1"> <THEAD data-reactid=".0.1.1:$Bar38.1.0"> <TR> <TH tabindex="0" data-field="0"> <DIV class="th-inner ">Signature</DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="1"> <DIV class="th-inner ">Release</DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="2"> <DIV class="th-inner "><SPAN data-reactid=".0.1.1:$Bar38.1.0.0.2.0">Hashes<SPAN class="pull-right" data-reactid=".0.1.1:$Bar38.1.0.0.2.0.1"><BUTTON class="file-hash-ctrl btn btn-xs btn-info" type="button" data-reactid=".0.1.1:$Bar38.1.0.0.2.0.1.0">sha256</BUTTON></SPAN></SPAN></DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> </TR> </THEAD> <TBODY data-reactid=".0.1.1:$Bar38.1.1"> <TR data-index="0" data-reactid=".0.1.1:$Bar38.1.1.0"> <TD data-reactid=".0.1.1:$Bar38.1.1.0.0"> <P class="" data-reactid=".0.1.1:$Bar38.1.1.0.0.0">Name: Virus/Win32.WGeneric.ebefcf</P> <P class="" data-reactid=".0.1.1:$Bar38.1.1.0.0.1">Unique Threat ID: 602574714</P> <P class="" data-reactid=".0.1.1:$Bar38.1.1.0.0.2">Create Time: 2023-08-31 10:08:10 (UTC)</P> </TD> <TD data-reactid=".0.1.1:$Bar38.1.1.0.1"> <P class="" data-reactid=".0.1.1:$Bar38.1.1.0.1.0">Threat ID: n/a</P> <P class="" data-reactid=".0.1.1:$Bar38.1.1.0.1.1">Current Release: n/a</P> <P class="" data-reactid=".0.1.1:$Bar38.1.1.0.1.2">First Release: n/a</P> </TD> <TD data-reactid=".0.1.1:$Bar38.1.1.0.2"> <DIV data-reactid=".0.1.1:$Bar38.1.1.0.2.0"> <P class="hash sha256" data-reactid=".0.1.1:$Bar38.1.1.0.2.0.0">21219d0038484fdd61b220f7d30b774b6216426f80fc8b2855032c5984410b65</P> </DIV> </TD> </TR> </TBODY> </TABLE> </DIV> </DIV> </DIV> <DIV class="clearfix"><SPAN>WildFire Signatures</SPAN><SPAN>&nbsp;</SPAN></DIV> </SECTION> <SECTION data-reactid=".0.1.1:$BBjyC"> <DIV class="bootstrap-table"> <DIV class="fixed-table-toolbar"><SPAN>Showing 1 to 1 of 1 rows</SPAN></DIV> <DIV class="fixed-table-container"> <DIV class="fixed-table-body"> <TABLE id="wildfire-signatures" class="table table-bordered pan-grid table-hover" data-pagination="true" data-toggle="table" data-pagination-v-align="top" data-reactid=".0.1.1:$BBjyC.1"> <THEAD data-reactid=".0.1.1:$BBjyC.1.0"> <TR> <TH tabindex="0" data-field="0"> <DIV class="th-inner ">Signature</DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="1"> <DIV class="th-inner "><SPAN data-reactid=".0.1.1:$BBjyC.1.0.0.1.0">Release<SPAN class="pull-right" data-reactid=".0.1.1:$BBjyC.1.0.0.1.0.1"><BUTTON class="tabbed-header-ctrl btn btn-xs btn-info" type="button" data-reactid=".0.1.1:$BBjyC.1.0.0.1.0.1.0">Post-7.1</BUTTON></SPAN></SPAN></DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="2"> <DIV class="th-inner "><SPAN data-reactid=".0.1.1:$BBjyC.1.0.0.2.0">Hashes<SPAN class="pull-right" data-reactid=".0.1.1:$BBjyC.1.0.0.2.0.1"><BUTTON class="file-hash-ctrl btn btn-xs btn-info" type="button" data-reactid=".0.1.1:$BBjyC.1.0.0.2.0.1.0">sha256</BUTTON></SPAN></SPAN></DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> </TR> </THEAD> <TBODY data-reactid=".0.1.1:$BBjyC.1.1"> <TR data-index="0" data-reactid=".0.1.1:$BBjyC.1.1.0"> <TD data-reactid=".0.1.1:$BBjyC.1.1.0.0"> <P class="" data-reactid=".0.1.1:$BBjyC.1.1.0.0.0">Name: Virus/Win32.WGeneric.ebefcf</P> <P class="tabbed-header Post-71" data-reactid=".0.1.1:$BBjyC.1.1.0.0.1">Unique Threat ID: 602574714</P> <P class="" data-reactid=".0.1.1:$BBjyC.1.1.0.0.2">Create Time: 2023-08-31 10:08:10 (UTC)</P> </TD> <TD data-reactid=".0.1.1:$BBjyC.1.1.0.1"> <P class="tabbed-header Post-71" data-reactid=".0.1.1:$BBjyC.1.1.0.1.0">Threat ID: n/a</P> <P class="tabbed-header Post-71" data-reactid=".0.1.1:$BBjyC.1.1.0.1.1">Current Release: n/a</P> <P class="tabbed-header Post-71" data-reactid=".0.1.1:$BBjyC.1.1.0.1.2">First Release: 799306 (2023-08-31 UTC)</P> </TD> <TD data-reactid=".0.1.1:$BBjyC.1.1.0.2"> <DIV data-reactid=".0.1.1:$BBjyC.1.1.0.2.0"> <P class="hash sha256" data-reactid=".0.1.1:$BBjyC.1.1.0.2.0.0">21219d0038484fdd61b220f7d30b774b6216426f80fc8b2855032c5984410b65</P> </DIV> </TD> </TR> </TBODY> </TABLE> </DIV> </DIV> </DIV> </SECTION> <P>&nbsp;</P> <P>Since a few days we see a large number of alerts about threats detected by wildfire-virus related to traffic detected as ms-update application or web-browsing default action reset-both . Downloaded files are java script files : syntax taskpane_xxxxxxxxxxxxxxx.js, badz index_xxxxxxxxxxxxxxxxxxxxxxx.js.<BR />The public IP addresses they connect to are mainly akamaitechnoligies.com or others, but after checking them on Virus Total or Cisco Talos they do not show any threats.<BR />Has anyone observed similar events on the Palo Alto Firewall ?</P> <P>&nbsp;</P> <P>Best Regards</P> <P>&nbsp;</P> Mon, 11 Sep 2023 09:22:10 GMT janekpalo 2023-09-11T09:22:10Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wildfire-virus-threatid-602574714-false-positive/m-p/557326#M1995 <P>Good Morning,</P> <P>Has anyone had WildFire-Virus threat events with the following&nbsp; threat ID:602574714 ?</P> <P>&nbsp;</P> <SECTION data-reactid=".0.1.1:$Bar38"> <H3 data-reactid=".0.1.1:$Bar38.0"><SPAN data-reactid=".0.1.1:$Bar38.0.0">Antivirus Signatures&nbsp;</SPAN></H3> <DIV class="bootstrap-table"> <DIV class="fixed-table-toolbar"><SPAN>Showing 1 to 1 of 1 rows</SPAN></DIV> <DIV class="fixed-table-container"> <DIV class="fixed-table-body"> <TABLE id="antivirus-signatures" class="table table-bordered pan-grid table-hover" data-pagination="true" data-toggle="table" data-pagination-v-align="top" data-reactid=".0.1.1:$Bar38.1"> <THEAD data-reactid=".0.1.1:$Bar38.1.0"> <TR> <TH tabindex="0" data-field="0"> <DIV class="th-inner ">Signature</DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="1"> <DIV class="th-inner ">Release</DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="2"> <DIV class="th-inner "><SPAN data-reactid=".0.1.1:$Bar38.1.0.0.2.0">Hashes<SPAN class="pull-right" data-reactid=".0.1.1:$Bar38.1.0.0.2.0.1"><BUTTON class="file-hash-ctrl btn btn-xs btn-info" type="button" data-reactid=".0.1.1:$Bar38.1.0.0.2.0.1.0">sha256</BUTTON></SPAN></SPAN></DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> </TR> </THEAD> <TBODY data-reactid=".0.1.1:$Bar38.1.1"> <TR data-index="0" data-reactid=".0.1.1:$Bar38.1.1.0"> <TD data-reactid=".0.1.1:$Bar38.1.1.0.0"> <P class="" data-reactid=".0.1.1:$Bar38.1.1.0.0.0">Name: Virus/Win32.WGeneric.ebefcf</P> <P class="" data-reactid=".0.1.1:$Bar38.1.1.0.0.1">Unique Threat ID: 602574714</P> <P class="" data-reactid=".0.1.1:$Bar38.1.1.0.0.2">Create Time: 2023-08-31 10:08:10 (UTC)</P> </TD> <TD data-reactid=".0.1.1:$Bar38.1.1.0.1"> <P class="" data-reactid=".0.1.1:$Bar38.1.1.0.1.0">Threat ID: n/a</P> <P class="" data-reactid=".0.1.1:$Bar38.1.1.0.1.1">Current Release: n/a</P> <P class="" data-reactid=".0.1.1:$Bar38.1.1.0.1.2">First Release: n/a</P> </TD> <TD data-reactid=".0.1.1:$Bar38.1.1.0.2"> <DIV data-reactid=".0.1.1:$Bar38.1.1.0.2.0"> <P class="hash sha256" data-reactid=".0.1.1:$Bar38.1.1.0.2.0.0">21219d0038484fdd61b220f7d30b774b6216426f80fc8b2855032c5984410b65</P> </DIV> </TD> </TR> </TBODY> </TABLE> </DIV> </DIV> </DIV> <DIV class="clearfix"><SPAN>WildFire Signatures</SPAN><SPAN>&nbsp;</SPAN></DIV> </SECTION> <SECTION data-reactid=".0.1.1:$BBjyC"> <DIV class="bootstrap-table"> <DIV class="fixed-table-toolbar"><SPAN>Showing 1 to 1 of 1 rows</SPAN></DIV> <DIV class="fixed-table-container"> <DIV class="fixed-table-body"> <TABLE id="wildfire-signatures" class="table table-bordered pan-grid table-hover" data-pagination="true" data-toggle="table" data-pagination-v-align="top" data-reactid=".0.1.1:$BBjyC.1"> <THEAD data-reactid=".0.1.1:$BBjyC.1.0"> <TR> <TH tabindex="0" data-field="0"> <DIV class="th-inner ">Signature</DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="1"> <DIV class="th-inner "><SPAN data-reactid=".0.1.1:$BBjyC.1.0.0.1.0">Release<SPAN class="pull-right" data-reactid=".0.1.1:$BBjyC.1.0.0.1.0.1"><BUTTON class="tabbed-header-ctrl btn btn-xs btn-info" type="button" data-reactid=".0.1.1:$BBjyC.1.0.0.1.0.1.0">Post-7.1</BUTTON></SPAN></SPAN></DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="2"> <DIV class="th-inner "><SPAN data-reactid=".0.1.1:$BBjyC.1.0.0.2.0">Hashes<SPAN class="pull-right" data-reactid=".0.1.1:$BBjyC.1.0.0.2.0.1"><BUTTON class="file-hash-ctrl btn btn-xs btn-info" type="button" data-reactid=".0.1.1:$BBjyC.1.0.0.2.0.1.0">sha256</BUTTON></SPAN></SPAN></DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> </TR> </THEAD> <TBODY data-reactid=".0.1.1:$BBjyC.1.1"> <TR data-index="0" data-reactid=".0.1.1:$BBjyC.1.1.0"> <TD data-reactid=".0.1.1:$BBjyC.1.1.0.0"> <P class="" data-reactid=".0.1.1:$BBjyC.1.1.0.0.0">Name: Virus/Win32.WGeneric.ebefcf</P> <P class="tabbed-header Post-71" data-reactid=".0.1.1:$BBjyC.1.1.0.0.1">Unique Threat ID: 602574714</P> <P class="" data-reactid=".0.1.1:$BBjyC.1.1.0.0.2">Create Time: 2023-08-31 10:08:10 (UTC)</P> </TD> <TD data-reactid=".0.1.1:$BBjyC.1.1.0.1"> <P class="tabbed-header Post-71" data-reactid=".0.1.1:$BBjyC.1.1.0.1.0">Threat ID: n/a</P> <P class="tabbed-header Post-71" data-reactid=".0.1.1:$BBjyC.1.1.0.1.1">Current Release: n/a</P> <P class="tabbed-header Post-71" data-reactid=".0.1.1:$BBjyC.1.1.0.1.2">First Release: 799306 (2023-08-31 UTC)</P> </TD> <TD data-reactid=".0.1.1:$BBjyC.1.1.0.2"> <DIV data-reactid=".0.1.1:$BBjyC.1.1.0.2.0"> <P class="hash sha256" data-reactid=".0.1.1:$BBjyC.1.1.0.2.0.0">21219d0038484fdd61b220f7d30b774b6216426f80fc8b2855032c5984410b65</P> </DIV> </TD> </TR> </TBODY> </TABLE> </DIV> </DIV> </DIV> </SECTION> <P>&nbsp;</P> <P>Since a few days we see a large number of alerts about threats detected by wildfire-virus related to traffic detected as ms-update application or web-browsing default action reset-both . Downloaded files are java script files : syntax taskpane_xxxxxxxxxxxxxxx.js, badz index_xxxxxxxxxxxxxxxxxxxxxxx.js.<BR />The public IP addresses they connect to are mainly akamaitechnoligies.com or others, but after checking them on Virus Total or Cisco Talos they do not show any threats.<BR />Has anyone observed similar events on the Palo Alto Firewall ?</P> <P>&nbsp;</P> <P>Best Regards</P> <P>&nbsp;</P> Mon, 11 Sep 2023 09:22:10 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wildfire-virus-threatid-602574714-false-positive/m-p/557326#M1995 janekpalo 2023-09-11T09:22:10Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wildfire-virus-threatid-602574714-false-positive/m-p/557535#M1996 <P>It was a False Positive. The signature (TID: 602574714) was already disabled.</P> Tue, 12 Sep 2023 11:05:03 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wildfire-virus-threatid-602574714-false-positive/m-p/557535#M1996 ymiyashita 2023-09-12T11:05:03Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wildfire-virus-threatid-602574714-false-positive/m-p/560559#M2022 <P>It is still live in the threat vault and our firewall is preventing updates. We don't want to add any sort of exception until we get an official response from Palo Alto that this isn't another solarwinds style situation.</P> Wed, 04 Oct 2023 16:27:08 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wildfire-virus-threatid-602574714-false-positive/m-p/560559#M2022 NorcoIT 2023-10-04T16:27:08Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wildfire-virus-threatid-602574714-false-positive/m-p/560587#M2023 <P>looks like in our version of panorama there is a bug that keeps old detections in the cache. we have resolved this<BR /><BR /><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-3-known-and-addressed-issues/pan-os-10-2-3-addressed-issues" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-3-known-and-addressed-issues/pan-os-10-2-3-addressed-issues</A></P> Wed, 04 Oct 2023 19:54:48 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/wildfire-virus-threatid-602574714-false-positive/m-p/560587#M2023 NorcoIT 2023-10-04T19:54:48Z