https://live.paloaltonetworks.com/t5/advanced-threat-prevention/acrobatdcx64manifest3-msi-from-akamai-23-200-196-138-detected-as/m-p/597363#M2266 <P>You can manually or semi-automatically whitelist the alert using 1 of 2 different methods:</P> <P>&nbsp;</P> <P>The semi-automatic method:&nbsp;</P> <P>Go to Monitor-&gt;Logs-&gt;Threat and look at the threat logs. Hover over the ThreatID/Name of the signature you want to whitelist and click the small drop-down arrow that appears at the end of the name. It will give you an option for "Exception", which takes you to a screen to exempt that signature (exact screen depends on if it is an AV, Anti-Spyware, etc. signature). Add the exemption to the appropriate profiles and save/commit.</P> <P>&nbsp;</P> <P>The manual method:</P> <P>Go to&nbsp;Monitor-&gt;Logs-&gt;Threat and click details on a detected threat you want to whitelist. Note Threat ID number in the Details section. Determine if it is an AV, Anti-Spyware, etc. type signature. Go to the appropriate signature-type profile under Objects-&gt;SecurityProfiles-&gt;[signature-type] and select the profile for the whitelist. In the profile, select the Signature Exceptions tab and add the Threat ID number you noted earlier. (Note: In some profile types you need to click the "Show all signatures" checkbox and the filter/search by name/ID number to locate the signature, select it as an exception.)</P> Tue, 10 Sep 2024 00:15:27 GMT Adrian_Jensen 2024-09-10T00:15:27Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/acrobatdcx64manifest3-msi-from-akamai-23-200-196-138-detected-as/m-p/593507#M2257 <DIV class="x-grid3-row x-grid3-row-first "> <TABLE class="x-grid3-row-table" border="0" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="x-grid3-col x-grid3-cell x-grid3-td-id2 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-id2">Threat Type</DIV> </TD> <TD class="x-grid3-col x-grid3-cell x-grid3-td-3 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-3">ml-virus</DIV> </TD> </TR> </TBODY> </TABLE> </DIV> <DIV class="x-grid3-row "> <TABLE class="x-grid3-row-table" border="0" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="x-grid3-col x-grid3-cell x-grid3-td-id2 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-id2">Threat ID/Name</DIV> </TD> <TD class="x-grid3-col x-grid3-cell x-grid3-td-3 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-3">Malicious MSOffice Files</DIV> </TD> </TR> </TBODY> </TABLE> </DIV> <DIV class="x-grid3-row "> <TABLE class="x-grid3-row-table" border="0" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="x-grid3-col x-grid3-cell x-grid3-td-id2 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-id2">ID</DIV> </TD> <TD class="x-grid3-col x-grid3-cell x-grid3-td-3 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-3">599806 (<A href="https://threatvault.paloaltonetworks.com/?query=599806" target="_blank" rel="noopener">View in Threat Vault</A>)</DIV> </TD> </TR> </TBODY> </TABLE> </DIV> <DIV class="x-grid3-row "> <TABLE class="x-grid3-row-table" border="0" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="x-grid3-col x-grid3-cell x-grid3-td-id2 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-id2">Category</DIV> </TD> <TD class="x-grid3-col x-grid3-cell x-grid3-td-3 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-3">malicious-msoffice</DIV> </TD> </TR> </TBODY> </TABLE> </DIV> <DIV class="x-grid3-row "> <TABLE class="x-grid3-row-table" border="0" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="x-grid3-col x-grid3-cell x-grid3-td-id2 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-id2">Content Version</DIV> </TD> <TD class="x-grid3-col x-grid3-cell x-grid3-td-3 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-3">AppThreat-8875-8875</DIV> </TD> </TR> </TBODY> </TABLE> </DIV> <DIV class="x-grid3-row "> <TABLE class="x-grid3-row-table" border="0" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="x-grid3-col x-grid3-cell x-grid3-td-id2 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-id2">Severity</DIV> </TD> <TD class="x-grid3-col x-grid3-cell x-grid3-td-3 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-3">medium</DIV> </TD> </TR> </TBODY> </TABLE> </DIV> <DIV class="x-grid3-row "> <TABLE class="x-grid3-row-table" border="0" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="x-grid3-col x-grid3-cell x-grid3-td-id2 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-id2">Repeat Count</DIV> </TD> <TD class="x-grid3-col x-grid3-cell x-grid3-td-3 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-3">1</DIV> </TD> </TR> </TBODY> </TABLE> </DIV> <DIV class="x-grid3-row "> <TABLE class="x-grid3-row-table" border="0" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="x-grid3-col x-grid3-cell x-grid3-td-id2 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-id2">File Name</DIV> </TD> <TD class="x-grid3-col x-grid3-cell x-grid3-td-3 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-3">AcrobatDCx64Manifest3.msi</DIV> </TD> </TR> </TBODY> </TABLE> </DIV> <DIV class="x-grid3-row "> <TABLE class="x-grid3-row-table" border="0" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="x-grid3-col x-grid3-cell x-grid3-td-id2 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-id2">URL</DIV> </TD> <TD class="x-grid3-col x-grid3-cell x-grid3-td-3 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-3">&nbsp;</DIV> </TD> </TR> </TBODY> </TABLE> </DIV> <DIV class="x-grid3-row "> <TABLE class="x-grid3-row-table" border="0" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="x-grid3-col x-grid3-cell x-grid3-td-id2 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-id2">Partial Hash</DIV> </TD> <TD class="x-grid3-col x-grid3-cell x-grid3-td-3 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-3">108178206800356620</DIV> </TD> </TR> </TBODY> </TABLE> <TABLE class="x-grid3-row-table" border="0" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="x-grid3-col x-grid3-cell x-grid3-td-id2 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-id2">Destination</DIV> </TD> <TD class="x-grid3-col x-grid3-cell x-grid3-td-3 x-grid-selectable"> <DIV class="x-grid3-cell-inner x-grid3-col-3">23.200.196.138</DIV> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <PRE>8:16:10.000000 00:00:00:00:00:00 &gt; 00:00:00:00:00:00, 802.3, length 0: LLC, dsap Null (0x00) Individual, ssap Null (0x00) Command, ctrl 0x0008: Information, send seq 4, rcv seq 0, Flags [Command], length 79 0x0000: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0010: 0800 4500 004b 0000 0000 4006 a32f 17c8 ..E..K....@../.. 0x0020: c48a c0a8 3ab0 01bb f922 0000 00c6 0000 ....:...."...... 0x0030: 00fb 5018 ffff 0000 0000 001d 0000 001e ..P............. 0x0040: 0000 001f 0000 0020 0000 0021 0000 0022 ...........!..." 0x0050: 0000 0023 0000 0024 0000 0025 00 ...#...$...%. 08:16:10.000000 00:00:00:00:00:00 &gt; 00:00:00:00:00:00, 802.3, length 0: LLC, dsap Null (0x00) Individual, ssap Null (0x00) Command, ctrl 0x0008: Information, send seq 4, rcv seq 0, Flags [Command], length 702 0x0000: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0010: 0800 4500 02c3 0000 0000 4006 a32f 17c8 ..E.......@../.. 0x0020: c48a c0a8 3ab0 01bb f922 0000 00e9 0000 ....:...."...... 0x0030: 00fb 5018 ffff 0763 0000 d0cf 11e0 a1b1 ..P....c........ 0x0040: 1ae1 0000 0000 0000 0000 0000 0000 0000 ................ 0x0050: 0000 3e00 0300 feff 0900 0600 0000 0000 ..&gt;............. 0x0060: 0000 0000 0000 0100 0000 0100 0000 0000 ................ 0x0070: 0000 0010 0000 0300 0000 0200 0000 feff ................ 0x0080: ffff 0000 0000 0000 0000 ffff ffff ffff ................ 0x0090: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x00a0: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x00b0: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x00c0: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x00d0: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x00e0: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x00f0: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0100: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0110: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0120: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0130: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0140: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0150: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0160: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0170: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0180: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0190: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x01a0: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x01b0: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x01c0: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x01d0: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x01e0: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x01f0: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0200: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0210: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0220: ffff ffff ffff ffff ffff ffff ffff ffff ................ 0x0230: ffff ffff ffff ffff ffff fdff ffff 0200 ................ 0x0240: 0000 0600 0000 1600 0000 0500 0000 0700 ................ 0x0250: 0000 1400 0000 0800 0000 0900 0000 0a00 ................ 0x0260: 0000 0b00 0000 0c00 0000 feff ffff 0e00 ................ 0x0270: 0000 0f00 0000 1000 0000 1100 0000 1200 ................ 0x0280: 0000 1300 0000 1500 0000 feff ffff 1700 ................ 0x0290: 0000 feff ffff 1800 0000 1900 0000 feff ................ 0x02a0: ffff 1b00 0000 1c00 0000 1d00 0000 1e00 ................ 0x02b0: 0000 1f00 0000 2000 0000 2100 0000 2200 ..........!...". 0x02c0: 0000 2300 0000 2400 0000 2500 ..#...$...%.</PRE> </DIV> Tue, 30 Jul 2024 13:17:41 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/acrobatdcx64manifest3-msi-from-akamai-23-200-196-138-detected-as/m-p/593507#M2257 ksauer507 2024-07-30T13:17:41Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/acrobatdcx64manifest3-msi-from-akamai-23-200-196-138-detected-as/m-p/597151#M2265 <P>Im getting flooded with these alerts, too. How do you whitelist them?</P> Fri, 06 Sep 2024 12:31:29 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/acrobatdcx64manifest3-msi-from-akamai-23-200-196-138-detected-as/m-p/597151#M2265 Cha_Moua 2024-09-06T12:31:29Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/acrobatdcx64manifest3-msi-from-akamai-23-200-196-138-detected-as/m-p/597363#M2266 <P>You can manually or semi-automatically whitelist the alert using 1 of 2 different methods:</P> <P>&nbsp;</P> <P>The semi-automatic method:&nbsp;</P> <P>Go to Monitor-&gt;Logs-&gt;Threat and look at the threat logs. Hover over the ThreatID/Name of the signature you want to whitelist and click the small drop-down arrow that appears at the end of the name. It will give you an option for "Exception", which takes you to a screen to exempt that signature (exact screen depends on if it is an AV, Anti-Spyware, etc. signature). Add the exemption to the appropriate profiles and save/commit.</P> <P>&nbsp;</P> <P>The manual method:</P> <P>Go to&nbsp;Monitor-&gt;Logs-&gt;Threat and click details on a detected threat you want to whitelist. Note Threat ID number in the Details section. Determine if it is an AV, Anti-Spyware, etc. type signature. Go to the appropriate signature-type profile under Objects-&gt;SecurityProfiles-&gt;[signature-type] and select the profile for the whitelist. In the profile, select the Signature Exceptions tab and add the Threat ID number you noted earlier. (Note: In some profile types you need to click the "Show all signatures" checkbox and the filter/search by name/ID number to locate the signature, select it as an exception.)</P> Tue, 10 Sep 2024 00:15:27 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/acrobatdcx64manifest3-msi-from-akamai-23-200-196-138-detected-as/m-p/597363#M2266 Adrian_Jensen 2024-09-10T00:15:27Z