https://live.paloaltonetworks.com/t5/virustotal/multiple-high-critical-alert-detected-via-port-18264-possible-fp/m-p/1245729#M3106 <DIV class="elementToProof"><SPAN>&nbsp;I&nbsp;</SPAN>would like to seek a verification and clarification regarding a threat detection observed on our Palo Alto firewall, which we believe may be a false positive.</DIV> <DIV class="elementToProof">During our review of the threat log, we noticed that the detection from below source and destination via port 18264 references several filenames as win.ini, fake.cgi, note.txt, jhjr60x8.kspx.&nbsp;<SPAN>These filenames do not appear to relevant in the context of the environment, as the traffic was observed between Check Point devices communicating with each other over TCP port 18264, which is believed to be used for Check Point proprietary internal services (e.g. update, synchronization, or certificate-related communication). Upon further review on the traffic under application found “incomplete”, “checkpoint-cpd” and “web-browsing”.</SPAN></DIV> Fri, 16 Jan 2026 04:13:52 GMT Muhammad_Fitri 2026-01-16T04:13:52Z https://live.paloaltonetworks.com/t5/virustotal/multiple-high-critical-alert-detected-via-port-18264-possible-fp/m-p/1245729#M3106 <DIV class="elementToProof"><SPAN>&nbsp;I&nbsp;</SPAN>would like to seek a verification and clarification regarding a threat detection observed on our Palo Alto firewall, which we believe may be a false positive.</DIV> <DIV class="elementToProof">During our review of the threat log, we noticed that the detection from below source and destination via port 18264 references several filenames as win.ini, fake.cgi, note.txt, jhjr60x8.kspx.&nbsp;<SPAN>These filenames do not appear to relevant in the context of the environment, as the traffic was observed between Check Point devices communicating with each other over TCP port 18264, which is believed to be used for Check Point proprietary internal services (e.g. update, synchronization, or certificate-related communication). Upon further review on the traffic under application found “incomplete”, “checkpoint-cpd” and “web-browsing”.</SPAN></DIV> Fri, 16 Jan 2026 04:13:52 GMT https://live.paloaltonetworks.com/t5/virustotal/multiple-high-critical-alert-detected-via-port-18264-possible-fp/m-p/1245729#M3106 Muhammad_Fitri 2026-01-16T04:13:52Z https://live.paloaltonetworks.com/t5/virustotal/multiple-high-critical-alert-detected-via-port-18264-possible-fp/m-p/1245793#M3108 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/298966">@Muhammad_Fitri</a>&nbsp;,</P> <P>&nbsp;</P> <P>Similar discussion here:<BR /><A href="https://live.paloaltonetworks.com/t5/general-topics/multiple-high-critical-alert-detected-via-port-18264-possible-fp/td-p/1245780" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/multiple-high-critical-alert-detected-via-port-18264-possible-fp/td-p/1245780</A><BR /><BR />Check the PCAPs if you enabled it in the threat logs.&nbsp;&nbsp;<SPAN>The detected filenames likely mirror patterns in Check Point’s proprietary binary traffic that the Palo Alto firewall is misinterpreting as threats.</SPAN></P> <P>&nbsp;</P> <P>Kind regards,</P> <P>-Kim.</P> Fri, 16 Jan 2026 14:44:53 GMT https://live.paloaltonetworks.com/t5/virustotal/multiple-high-critical-alert-detected-via-port-18264-possible-fp/m-p/1245793#M3108 kiwi 2026-01-16T14:44:53Z