topic Re: False Positive Submission: 7zip installer in VirusTotal

False Positive Submission: 7zip installer

puppetjt — Thu, 09 Nov 2017 15:32:13 GMT

Hi There

The following is being detected as a virus, and since it's a reputable source, it's probably a false positive. VirusTotal detects no threat:

Virus/Win32.WGeneric.nnpwy(188234211)
http://www.7-zip.org/a/7z1602-x64.exe

https://www.virustotal.com/en/url/40719e870a1df9806d7a856f4dcf115b15c867c5dc4b8057ccfd7d59601df4df/analysis/1510241062/

Thanks

Re: False Positive Submission: 7zip installer

puppetjt — Wed, 15 Nov 2017 15:37:43 GMT

Have I put this in the correct place?

Re: False Positive Submission: 7zip installer

mivaldi — Wed, 15 Nov 2017 19:26:50 GMT

@puppetjt

The Virus Total link you submitted is for the URL of the installer, not for the file.

The file is deemed Benign by WildFire.

The right sha256 for the sample is

f1601b09cd0c9627b1aab7299b83529e8fbc6b5078e43dfd81a1b0bfcdf4a308

The VirusTotal report is clean.

https://www.virustotal.com/en/file/f1601b09cd0c9627b1aab7299b83529e8fbc6b5078e43dfd81a1b0bfcdf4a308/analysis/

If the file triggers an Antivirus signature, this is most likely the case of a signature collision.

Signature collisions happen when the digital patterns of a Benign file that the firewall looks at to determine a match with a virus signature, coincide with those of a sample that has been determined to be Malware (which includes the possibility of a signature collision with a False Positive).

In this particular case, the Signature Collision is with sample f70870509dc2845e1720e68957f7a159b2cd7a2f69950d4707119f9bd5a6c5cc which is a trojanized version of the 7zip installer.

https://www.virustotal.com/en/file/f70870509dc2845e1720e68957f7a159b2cd7a2f69950d4707119f9bd5a6c5cc/analysis/

In general, the recommendation in cases like these is to create an Antivirus Exception in the Antivirus profile tied to the Security Policy matching you traffic. The reason why we can't disable the signature, is because that would mean that we would allow both the Benign installer, and the trojanized version, resolving the problem for you, but exposing everyone else to get infected.

One of the possible counter-measures to this, is to increase the specifity of the Malware signature, to make sure it matches the Malware variant, and not the Benign file. The increased specifity of the signature not always resolves the collisions, but I will give it a try, and come back to you with our results.

Re: False Positive Submission: 7zip installer

mivaldi — Wed, 15 Nov 2017 21:55:10 GMT

We've made the signature more specific, to prevent probability of collisions.

If the change yields the expected results, you should see the collision resolved after installing tomorrows release of the Antivirus package.

Re: False Positive Submission: 7zip installer

puppetjt — Thu, 16 Nov 2017 11:03:03 GMT

Mivaldi

Thank you so much for looking in to this. I'll have to wait until the realse is ready, as I think im 4 hour off at this stage.

Out of interest, what was incorrect with the link I gave? It was indeed the installer itself that was flagging the Palo Alto (literally just clicking that link in the browser would throw the error). Reason I'm interested is that I'd like to understand how better to submit these issues in the future.

Thanks

Re: False Positive Submission: 7zip installer

mivaldi — Thu, 16 Nov 2017 17:40:05 GMT

When you submit an URL to Virus Total instead of a File, it scans the website for any persistent malicious code that would attempt to hijack your browser. The follow up download happens at a separate report. (I just realized there's a left-over link that points you to the analysis of the downloaded file).

So it was not incorrect, but the VT report you submitted was for the URL, not the file -not a big deal-

If you are a Palo Alto Networks customer, you should open a case with Palo Alto Networks Support, instead of using this forum.