https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328056#M825 <P>The best way to investigate these would be to access the Threat Vault at&nbsp;<A href="https://threatvault.paloaltonetworks.com/" target="_blank">https://threatvault.paloaltonetworks.com/</A></P> <P>Search for the Threat ID's and find the SHA256 hashes of the samples tied to the signatures.</P> <P>You can then use the SHA256 hashes to research the samples on the internet. A good place to begin that research is&nbsp;<A href="http://virustotal.com/" target="_blank">http://virustotal.com</A></P> <P>&nbsp;</P> <P>If you believe the signatures are built based on WildFire false positives or potential Signature Collisions you can open a request with Support to investigate.</P> <P>&nbsp;</P> <P>If you know for sure that these triggers are false positives, and they're interrupting critical business tasks, you can opt to create an exception in your Antivirus profile. You can see instructions at&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/create-threat-exceptions" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/create-threat-exceptions</A></P> Thu, 14 May 2020 20:25:48 GMT mivaldi 2020-05-14T20:25:48Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328047#M824 <P><SPAN>Hi Team,</SPAN></P><P>These are the below sign identified in our network and want to know the reason for this trigger.</P><P>Please provide the related application effected? Why are this signature identified and what the user is trying to access so that PAN blocked the traffic. Any additional information will be appreciated.&nbsp;</P><P>&nbsp;</P><P><SPAN>Virus/Win32.WGeneric.ajbsuc(341044866) </SPAN></P><P><SPAN>Virus/Win32.WGeneric.ajbecg(340897548) </SPAN></P><P><SPAN>Virus/Win32.WGeneric.aeqdlm(295866360)</SPAN></P><P>&nbsp;</P> Thu, 14 May 2020 19:59:12 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328047#M824 Veerendra 2020-05-14T19:59:12Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328056#M825 <P>The best way to investigate these would be to access the Threat Vault at&nbsp;<A href="https://threatvault.paloaltonetworks.com/" target="_blank">https://threatvault.paloaltonetworks.com/</A></P> <P>Search for the Threat ID's and find the SHA256 hashes of the samples tied to the signatures.</P> <P>You can then use the SHA256 hashes to research the samples on the internet. A good place to begin that research is&nbsp;<A href="http://virustotal.com/" target="_blank">http://virustotal.com</A></P> <P>&nbsp;</P> <P>If you believe the signatures are built based on WildFire false positives or potential Signature Collisions you can open a request with Support to investigate.</P> <P>&nbsp;</P> <P>If you know for sure that these triggers are false positives, and they're interrupting critical business tasks, you can opt to create an exception in your Antivirus profile. You can see instructions at&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/create-threat-exceptions" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/create-threat-exceptions</A></P> Thu, 14 May 2020 20:25:48 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328056#M825 mivaldi 2020-05-14T20:25:48Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328060#M826 <P>Hi Mivaldi,</P><P>Appreciated the quick response, I have already tried earlier but don't have access to Threat Vault.</P><P>Can you please help me with screenshot/hash or any kind of export from the portal for below mentioned signature.&nbsp;</P><P><SPAN>Signatures</SPAN></P><DIV class="row"><DIV class="col-md-12 col-sm-12 col-xs-12 ng-scope"><DIV class="m-b wordbreak ng-binding">Virus/Win32.WGeneric.ajbsuc(341044866)</DIV><DIV class="m-b wordbreak ng-binding">Virus/Win32.WGeneric.ajbecg(340897548)</DIV><DIV class="m-b wordbreak ng-binding">Virus/Win32.WGeneric.aeqdlm(295866360)</DIV><DIV class="m-b wordbreak ng-binding">That will be great help for my investigation.</DIV></DIV></DIV><DIV class="row">&nbsp;</DIV><DIV class="row">&nbsp;</DIV> Thu, 14 May 2020 20:33:27 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328060#M826 Veerendra 2020-05-14T20:33:27Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328065#M827 <P>&nbsp;</P> <TABLE id="antivirus-signatures" class="table table-bordered pan-grid table-hover" data-pagination="true" data-toggle="table" data-pagination-v-align="top" data-reactid=".0.1.1:$eU5q8.1"> <THEAD data-reactid=".0.1.1:$eU5q8.1.0"> <TR> <TH tabindex="0" data-field="0"> <DIV class="th-inner ">Signature</DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="1"> <DIV class="th-inner ">Release</DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="2"> <DIV class="th-inner "><SPAN data-reactid=".0.1.1:$eU5q8.1.0.0.2.0">Hashes<BR /></SPAN></DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> </TR> </THEAD> <TBODY data-reactid=".0.1.1:$eU5q8.1.1"> <TR data-index="0" data-reactid=".0.1.1:$eU5q8.1.1.0"> <TD data-reactid=".0.1.1:$eU5q8.1.1.0.0"> <P class="" data-reactid=".0.1.1:$eU5q8.1.1.0.0.0">Name: Virus/Win32.WGeneric.ajbsuc</P> <P class="" data-reactid=".0.1.1:$eU5q8.1.1.0.0.1">Unique Threat ID: 341044866</P> <P class="" data-reactid=".0.1.1:$eU5q8.1.1.0.0.2">Create Time: 2020-04-08 19:03:39 (UTC)</P> </TD> <TD data-reactid=".0.1.1:$eU5q8.1.1.0.1"> <P class="" data-reactid=".0.1.1:$eU5q8.1.1.0.1.0">Threat ID: 2565506</P> <P class="" data-reactid=".0.1.1:$eU5q8.1.1.0.1.1">Current Release: 3348 (2020-05-13 UTC)</P> <P class="" data-reactid=".0.1.1:$eU5q8.1.1.0.1.2">First Release: 3312 (2020-04-08 UTC)</P> </TD> <TD data-reactid=".0.1.1:$eU5q8.1.1.0.2"> <DIV data-reactid=".0.1.1:$eU5q8.1.1.0.2.0"> <P class="hash sha256" data-reactid=".0.1.1:$eU5q8.1.1.0.2.0.a">78487e9f4dcd78f24a8b863e5b4cf15b9a4fcb6a78f2a8477ad43fe5639e4a04</P> </DIV> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <TABLE id="antivirus-signatures" class="table table-bordered pan-grid table-hover" data-pagination="true" data-toggle="table" data-pagination-v-align="top" data-reactid=".0.1.1:$wuSnA.1"> <THEAD data-reactid=".0.1.1:$wuSnA.1.0"> <TR> <TH tabindex="0" data-field="0"> <DIV class="th-inner ">Signature</DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="1"> <DIV class="th-inner ">Release</DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="2"> <DIV class="th-inner "><SPAN data-reactid=".0.1.1:$wuSnA.1.0.0.2.0">Hashes<BR /></SPAN></DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> </TR> </THEAD> <TBODY data-reactid=".0.1.1:$wuSnA.1.1"> <TR data-index="0" data-reactid=".0.1.1:$wuSnA.1.1.0"> <TD data-reactid=".0.1.1:$wuSnA.1.1.0.0"> <P class="" data-reactid=".0.1.1:$wuSnA.1.1.0.0.0">Name: Virus/Win32.WGeneric.ajbecg</P> <P class="" data-reactid=".0.1.1:$wuSnA.1.1.0.0.1">Unique Threat ID: 340897548</P> <P class="" data-reactid=".0.1.1:$wuSnA.1.1.0.0.2">Create Time: 2020-04-07 20:22:17 (UTC)</P> </TD> <TD data-reactid=".0.1.1:$wuSnA.1.1.0.1"> <P class="" data-reactid=".0.1.1:$wuSnA.1.1.0.1.0">Threat ID: 2005534</P> <P class="" data-reactid=".0.1.1:$wuSnA.1.1.0.1.1">Current Release: 3348 (2020-05-13 UTC)</P> <P class="" data-reactid=".0.1.1:$wuSnA.1.1.0.1.2">First Release: 3311 (2020-04-07 UTC)</P> </TD> <TD data-reactid=".0.1.1:$wuSnA.1.1.0.2"> <DIV data-reactid=".0.1.1:$wuSnA.1.1.0.2.0"> <P class="hash sha256" data-reactid=".0.1.1:$wuSnA.1.1.0.2.0.a">c39cb7067c3c5c22802bafe4d54b3365b1f24bab864ba6ba75c3e069d96d09b0</P> </DIV> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <TABLE id="antivirus-signatures" class="table table-bordered pan-grid table-hover" data-pagination="true" data-toggle="table" data-pagination-v-align="top" data-reactid=".0.1.1:$MvrXK.1"> <THEAD data-reactid=".0.1.1:$MvrXK.1.0"> <TR> <TH tabindex="0" data-field="0"> <DIV class="th-inner ">Signature</DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="1"> <DIV class="th-inner ">Release</DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> <TH tabindex="0" data-field="2"> <DIV class="th-inner "><SPAN data-reactid=".0.1.1:$MvrXK.1.0.0.2.0">Hashes<BR /></SPAN></DIV> <DIV class="fht-cell">&nbsp;</DIV> </TH> </TR> </THEAD> <TBODY data-reactid=".0.1.1:$MvrXK.1.1"> <TR data-index="0" data-reactid=".0.1.1:$MvrXK.1.1.0"> <TD data-reactid=".0.1.1:$MvrXK.1.1.0.0"> <P class="" data-reactid=".0.1.1:$MvrXK.1.1.0.0.0">Name: Virus/Win32.WGeneric.aeqdlm</P> <P class="" data-reactid=".0.1.1:$MvrXK.1.1.0.0.1">Unique Threat ID: 295866360</P> <P class="" data-reactid=".0.1.1:$MvrXK.1.1.0.0.2">Create Time: 2019-08-21 09:26:56 (UTC)</P> </TD> <TD data-reactid=".0.1.1:$MvrXK.1.1.0.1"> <P class="" data-reactid=".0.1.1:$MvrXK.1.1.0.1.0">Threat ID: 2636376</P> <P class="" data-reactid=".0.1.1:$MvrXK.1.1.0.1.1">Current Release: 3348 (2020-05-13 UTC)</P> <P class="" data-reactid=".0.1.1:$MvrXK.1.1.0.1.2">First Release: 3079 (2019-08-22 UTC)</P> </TD> <TD data-reactid=".0.1.1:$MvrXK.1.1.0.2"> <DIV data-reactid=".0.1.1:$MvrXK.1.1.0.2.0"> <P class="hash sha256" data-reactid=".0.1.1:$MvrXK.1.1.0.2.0.9">2c96ca9abb21a87e0967de6ef78f76083f3917ecf2ba5ed69acd044582b0e3dc</P> <P class="hash sha256" data-reactid=".0.1.1:$MvrXK.1.1.0.2.0.r">9a2fcee13a376a99a0856c226bdce391f357a9ba766236accc4f74a02103a5ba</P> <P class="hash sha256" data-reactid=".0.1.1:$MvrXK.1.1.0.2.0.19">214f934a95dc68bf17aba4acd7f66babc692c544a1fa848e80eb7d4fc7c4e3c1</P> <P class="hash sha256" data-reactid=".0.1.1:$MvrXK.1.1.0.2.0.1r">0cfdb09b489b7003577bd905a541b514a74232b2e4d3f51b0bf62998106e5fec</P> </DIV> </TD> </TR> </TBODY> </TABLE> Thu, 14 May 2020 21:01:09 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328065#M827 mivaldi 2020-05-14T21:01:09Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328070#M828 <P>Thanks for the support,</P><P>&nbsp;</P><P>I tried searching the hash values on Open Threat Intel, including Virus Total: Hash value not in DB.</P><P>Is that possible to tell, the reason for this signature. Like user tried accessing the XYZ (onedrive.exe) what caused the alert.</P> Thu, 14 May 2020 21:12:57 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328070#M828 Veerendra 2020-05-14T21:12:57Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328089#M829 <P>There should be a lot of information in correlated log entries.</P> <P>At the very left of the threat log entry, you will see a magnifying glass icon. Click it and that will open the detailed log view. On the lower panel, you will see correlated log entries. You can see correlated traffic log entries, URL filtering log entries, and wildfire submissions as well as other possible entries. These other entries will exist if these additional features were properly configured to log an event.</P> Thu, 14 May 2020 22:58:51 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328089#M829 mivaldi 2020-05-14T22:58:51Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328100#M830 <P>Thanks for the input, However was not able to identify any of the correlated event in URL filtering and wildfire.</P><P>Just want to know the basis of these signature or the application/file/user activity to trigger this PAN signature.</P><P>&nbsp;</P><P>Appreciated the support <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 15 May 2020 02:29:42 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328100#M830 Veerendra 2020-05-15T02:29:42Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328251#M831 <P>Please open a Support case to have us take a closer look.</P> Fri, 15 May 2020 16:54:38 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/malicious-traffic-blocked-by-pan-virus-win32-wgeneric-ajbecg/m-p/328251#M831 mivaldi 2020-05-15T16:54:38Z