<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Wildfire Malware detected miniwallet.bundle.js as Malware, VirusTotal does not list it in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-malware-detected-miniwallet-bundle-js-as-malware/m-p/1258500#M126709</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1391339615"&gt;@J.Huchtktter&lt;/a&gt;&amp;nbsp;,&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;I checked the wildfire portal for that hash and noticed the behavioral summary is older than the latest verdict status change.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="4"&gt;When the Behavioral summary shows an older date (&lt;SPAN class="math-inline" data-index-in-node="49" data-math="J\text{uly } 7"&gt;July 7&lt;/SPAN&gt;) but the Verdict status says &lt;I data-index-in-node="93" data-path-to-node="4"&gt;Updated&lt;/I&gt; on a newer date (&lt;SPAN class="math-inline" data-index-in-node="118" data-math="J\text{uly } 8"&gt;July 8&lt;/SPAN&gt;), it usually means the sandbox didn't actually re-run the file. Instead, Palo Alto Networks' threat intelligence backend updated a global detection rule or flag on &lt;SPAN class="math-inline" data-index-in-node="289" data-math="J\text{uly } 8"&gt;July 8&lt;/SPAN&gt;&amp;nbsp;that retroactively applied to the behaviors recorded during that original &lt;SPAN class="math-inline" data-index-in-node="378" data-math="J\text{uly } 7"&gt;July 7&lt;/SPAN&gt;&amp;nbsp;session.&lt;/P&gt;
&lt;P data-path-to-node="4"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="5"&gt;Essentially, a backend heuristic rule change overnight made WildFire look back at that specific &lt;SPAN class="math-inline" data-index-in-node="96" data-math="J\text{uly } 7"&gt;July 7&lt;/SPAN&gt;&amp;nbsp;behavior and decide, &lt;I data-index-in-node="132" data-path-to-node="5"&gt;"Wait, we now classify that pattern as malware."&lt;/I&gt;&lt;/P&gt;
&lt;P data-path-to-node="6"&gt;Because this is a core Microsoft Edge file, it confirms that a newly deployed backend rule is being overly aggressive and has caused a global false positive.&lt;/P&gt;
&lt;P data-path-to-node="8"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="8"&gt;Please submit an&amp;nbsp;Incorrect Verdict / False Positive appeal&amp;nbsp;through the WildFire portal. When the research team looks at the submission, they will see that the newly updated rule accidentally snagged a signed Microsoft component and they will manually roll back/fix the signature.&lt;/P&gt;
&lt;P data-path-to-node="8"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="9"&gt;In the meantime, you can whitelist or create an exception for this specific hash in XSIAM to keep your users from running into browser issues.&lt;/P&gt;
&lt;P data-path-to-node="9"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="9"&gt;Hope this helps,&lt;/P&gt;</description>
    <pubDate>Wed, 08 Jul 2026 10:54:05 GMT</pubDate>
    <dc:creator>kiwi</dc:creator>
    <dc:date>2026-07-08T10:54:05Z</dc:date>
    <item>
      <title>Wildfire Malware detected miniwallet.bundle.js as Malware, VirusTotal does not list it</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-malware-detected-miniwallet-bundle-js-as-malware/m-p/1258477#M126707</link>
      <description>&lt;P&gt;Hey&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;we are using Cortex XSIAM and have been getting alerts on &lt;EM&gt;miniwallet.bundle.js&lt;/EM&gt; apparently during MS Edge updates.&lt;BR /&gt;&lt;BR /&gt;From what I can see the Wildfire Verdict has changed yesterday. However, reading the report, I cannot explain why it is considered Malware. Googling also did not get me any further.&lt;BR /&gt;&lt;BR /&gt;Most interestingly: On VirusTotal the corresponding has (miniwallet.bundle.js&amp;nbsp;e1c8013b3c793dece95e5b9fc479325aff243052f1ca23e6de92ca473f3200d4) comes back clean.&lt;BR /&gt;&lt;BR /&gt;I am a bit out of idea on what is going on here.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Does anyone have any ideas on how to see why a WildFire verdict has changed?&lt;BR /&gt;&lt;BR /&gt;Or what else to do to triage this?&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 08 Jul 2026 07:18:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildfire-malware-detected-miniwallet-bundle-js-as-malware/m-p/1258477#M126707</guid>
      <dc:creator>J.Huchtktter</dc:creator>
      <dc:date>2026-07-08T07:18:07Z</dc:date>
    </item>
    <item>
      <title>Re: Wildfire Malware detected miniwallet.bundle.js as Malware, VirusTotal does not list it</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-malware-detected-miniwallet-bundle-js-as-malware/m-p/1258500#M126709</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1391339615"&gt;@J.Huchtktter&lt;/a&gt;&amp;nbsp;,&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;I checked the wildfire portal for that hash and noticed the behavioral summary is older than the latest verdict status change.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="4"&gt;When the Behavioral summary shows an older date (&lt;SPAN class="math-inline" data-index-in-node="49" data-math="J\text{uly } 7"&gt;July 7&lt;/SPAN&gt;) but the Verdict status says &lt;I data-index-in-node="93" data-path-to-node="4"&gt;Updated&lt;/I&gt; on a newer date (&lt;SPAN class="math-inline" data-index-in-node="118" data-math="J\text{uly } 8"&gt;July 8&lt;/SPAN&gt;), it usually means the sandbox didn't actually re-run the file. Instead, Palo Alto Networks' threat intelligence backend updated a global detection rule or flag on &lt;SPAN class="math-inline" data-index-in-node="289" data-math="J\text{uly } 8"&gt;July 8&lt;/SPAN&gt;&amp;nbsp;that retroactively applied to the behaviors recorded during that original &lt;SPAN class="math-inline" data-index-in-node="378" data-math="J\text{uly } 7"&gt;July 7&lt;/SPAN&gt;&amp;nbsp;session.&lt;/P&gt;
&lt;P data-path-to-node="4"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="5"&gt;Essentially, a backend heuristic rule change overnight made WildFire look back at that specific &lt;SPAN class="math-inline" data-index-in-node="96" data-math="J\text{uly } 7"&gt;July 7&lt;/SPAN&gt;&amp;nbsp;behavior and decide, &lt;I data-index-in-node="132" data-path-to-node="5"&gt;"Wait, we now classify that pattern as malware."&lt;/I&gt;&lt;/P&gt;
&lt;P data-path-to-node="6"&gt;Because this is a core Microsoft Edge file, it confirms that a newly deployed backend rule is being overly aggressive and has caused a global false positive.&lt;/P&gt;
&lt;P data-path-to-node="8"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="8"&gt;Please submit an&amp;nbsp;Incorrect Verdict / False Positive appeal&amp;nbsp;through the WildFire portal. When the research team looks at the submission, they will see that the newly updated rule accidentally snagged a signed Microsoft component and they will manually roll back/fix the signature.&lt;/P&gt;
&lt;P data-path-to-node="8"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="9"&gt;In the meantime, you can whitelist or create an exception for this specific hash in XSIAM to keep your users from running into browser issues.&lt;/P&gt;
&lt;P data-path-to-node="9"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="9"&gt;Hope this helps,&lt;/P&gt;</description>
      <pubDate>Wed, 08 Jul 2026 10:54:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildfire-malware-detected-miniwallet-bundle-js-as-malware/m-p/1258500#M126709</guid>
      <dc:creator>kiwi</dc:creator>
      <dc:date>2026-07-08T10:54:05Z</dc:date>
    </item>
  </channel>
</rss>

