topic "Informational" threat has default action of "drop-reset" in Advanced Threat Prevention Discussions

"Informational" threat has default action of "drop-reset"

craig.brooker — Wed, 28 Jun 2017 19:30:27 GMT

Threat 30861 "Microsoft Windows Server Service NetrServerGetInfo Opnum 21 Access Attempt" has a severity level of "Informational" but a default action of "drop-reset". Is it common for such a low sev level threat to have such a drastic response? It seems like all of the others that I've spot checked have had an "alert" response.

It's an older threat from 2009 that was updated in May 2017, maybe something related to that?

Re: "Informational" threat has default action of "drop-reset"

bballinger — Thu, 13 Jul 2017 14:22:59 GMT

I just opened a case today because this was resetting the connections of our Global Protect users when they would try to access internal network shares. Seems like a false positive to me. I'm collecting info about the connections for PA Support so they can assess it further.

Re: "Informational" threat has default action of "drop-reset"

craig.brooker — Wed, 19 Jul 2017 13:11:04 GMT

Interesting. Did PA provide a resolution?

Re: "Informational" threat has default action of "drop-reset"

BrandonPrice — Wed, 09 Aug 2017 23:03:25 GMT

This is boning me as well, causing a fair amount of havok. Any word from PA on this?

Something as simple as typing "\\servername" in the windows10 search bar to browse for shares will cause a user machine to hang for a bit and the palo alto logs a blocked threat..

We are also seeing it randomly when a user attaches a file to an email in outlook and it causes the entire app to crash.

Re: "Informational" threat has default action of "drop-reset"

bballinger — Thu, 10 Aug 2017 12:39:29 GMT

We ended up just changing the default action to alert for that particular "threat". Probably not the best solution, but it is what it is.