topic Flurry of Ramnit Detections in Advanced Threat Prevention Discussions https://live.paloaltonetworks.com/t5/advanced-threat-prevention/flurry-of-ramnit-detections/m-p/184725#M97 <P>Around 04:00-05:00 yesterday my users triggered a series of ramnit detections which were blocked, but when I looked at the logs&nbsp; it seems a bit unclear.&nbsp; The threat logs are reporting that the file&nbsp;postprocess.dll carried the malware, but tying the URL logs up using the times and src/dst IP addresses, I can only see automatic downloads by Creative Cloud of&nbsp;AdobePremierePro11AllTrial.zip,&nbsp;AdobeMediaEncoder11AllTrial.zip and&nbsp;AdobePrelude6AllTrial.zip.&nbsp; The infected download could have been within SSL but the URL logs are good matches for the threats.</P><P>&nbsp;</P><P>&nbsp;</P><P>Has anyone else seen these?&nbsp; I was debating whether to log it as a possible false positive but as I can't see the URL logs with that dll I am not even sure I am seeing the download.&nbsp; Would the threat log show postprocess.dll as the infection if it were included in the zip file?</P> Tue, 31 Oct 2017 13:46:43 GMT djr 2017-10-31T13:46:43Z Flurry of Ramnit Detections https://live.paloaltonetworks.com/t5/advanced-threat-prevention/flurry-of-ramnit-detections/m-p/184725#M97 <P>Around 04:00-05:00 yesterday my users triggered a series of ramnit detections which were blocked, but when I looked at the logs&nbsp; it seems a bit unclear.&nbsp; The threat logs are reporting that the file&nbsp;postprocess.dll carried the malware, but tying the URL logs up using the times and src/dst IP addresses, I can only see automatic downloads by Creative Cloud of&nbsp;AdobePremierePro11AllTrial.zip,&nbsp;AdobeMediaEncoder11AllTrial.zip and&nbsp;AdobePrelude6AllTrial.zip.&nbsp; The infected download could have been within SSL but the URL logs are good matches for the threats.</P><P>&nbsp;</P><P>&nbsp;</P><P>Has anyone else seen these?&nbsp; I was debating whether to log it as a possible false positive but as I can't see the URL logs with that dll I am not even sure I am seeing the download.&nbsp; Would the threat log show postprocess.dll as the infection if it were included in the zip file?</P> Tue, 31 Oct 2017 13:46:43 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/flurry-of-ramnit-detections/m-p/184725#M97 djr 2017-10-31T13:46:43Z