topic Re: Sinkhole explosion in General Topics

Sinkhole explosion

pivvre — Tue, 27 Jan 2015 12:32:08 GMT

Since midday yesterday (Monday Jan 26th) we've seen an explosion in sinkhole detections.
Previous moths sees one ot two a day in average, latest 24 hrs we've had more than 16.000 detections. This started after the antivirusupdate on Monday.

When checking a few of the domains via on-line URL-checking tools, no suspicious content is detected.

Latest antivirus signature contained a lot of Suspicious DNS adresses, but none of 'ours'

Has anyone else seen this ?

All DNS requests are blocked so no dangerous situation appears, but we suspect most of these requests to be false positive.

Can someone at PaloAlto check on this please?

Re: Sinkhole explosion

ECommand — Tue, 27 Jan 2015 14:53:21 GMT

Re: Sinkhole explosion

Dz3015 — Tue, 27 Jan 2015 15:51:45 GMT

As per ECommand, this is brought up in the other thread. There is a bug in the latest AV update that is causing DNS queries to be caught.

Re: Sinkhole explosion

HULK — Tue, 27 Jan 2015 16:35:52 GMT

Hello Haverstad,

There is a large number of changes made on the recent Antivirus database version, regarding DNS signature. Almost 80,000 new DNS signatures has been added to this database. Could you please let me know the AV version currently installed on your PAN firewall.

Thanks

Re: Sinkhole explosion

networkadmin — Tue, 27 Jan 2015 17:34:05 GMT

Interesting as today I enabled Spyware and Virus signatures on outbound DNS from our Domain Controllers and we're also seeing thousands of hits/matches.

Domains such as:

d.audienceiq.com
d.p-td.com
p.adsymptotic.com

They flag as Spyware so I assume it's the anti-spyware signatures catching them?

Fair to say I switched off email notifications pretty quickly

Re: Sinkhole explosion

dpayne — Tue, 27 Jan 2015 20:45:46 GMT

Phew! Same here. I am going email crazy!!

Re: Sinkhole explosion

apackard — Tue, 27 Jan 2015 20:48:31 GMT

Hi - we have also seen this huge explosion in DNS alerts.

We have also noticed an odd aspect - the domain name in the Palo UI alert appears to be different to the email alerts generated by Palo e.g.

Panorama UI log entry shows Suspicious DNS Query (generic:bam.nr-data.net) - ID 4091002
but the email generated from the event shows: Suspicious DNS Query (generic:ozgghm.com)(4091002)

so the same ID reference, but a different domain.

Rgds

Re: Sinkhole explosion

SDorsey — Tue, 27 Jan 2015 21:02:02 GMT

I am seeing this as well. Crazy!

Re: Sinkhole explosion

pivvre — Wed, 28 Jan 2015 07:02:44 GMT

We're running AV 1473-1947, daily automatic update.

Re: Sinkhole explosion

Dulle — Wed, 28 Jan 2015 13:47:24 GMT

After update to 1474-1949 things seems better.

It's now almost eerie quiet in my in-box

Re: Sinkhole explosion

Moose — Thu, 21 Jan 2016 03:39:26 GMT

I'm seeing this same issue after a recent anti-virus update. Before I would only get maybe a few a day if that. Anyone else out there seeing this happen recently?

Re: Sinkhole explosion

RogerBi — Thu, 21 Jan 2016 15:29:01 GMT

Same problem.

Example:

gmx.net will not work, because js.ui-portal.de will be detect as spyware. We have the problem with many content delivery Websites.

Re: Sinkhole explosion

Moose — Thu, 21 Jan 2016 15:33:27 GMT

Thanks for the response Roger. Looks like an update yesterday for A/V signatures. I scanned a handful of PC's and none of them came up infected. Looks like a ton of false positives. I'm calling PA now to see what the deal is.