https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37681#M27609 <HTML><HEAD></HEAD><BODY><P>Milkand,</P><P></P><P>We have see false negatives based on Virus total analysis or based on the behavior that was observed leading up to the download of the executable (java downloads leading up to the exe download) or social engineering (clicking on links in emails from bad guys).&nbsp; In these cases we try to get a copy of the executable and attach it to the case we submit to support along with supporting documentation (virus total report, URL of wildfire report ).&nbsp; We have done this on numerous occasions&nbsp; with positive outcomes (virus definitions inclusion).</P><P></P><P>Phil</P></BODY></HTML> Tue, 16 Jul 2013 11:48:11 GMT HITSSEC 2013-07-16T11:48:11Z https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37677#M27605 <HTML><HEAD></HEAD><BODY><P>I got two files sent to me for analysis and I ran them through Wildfire to get a verdict...</P><P></P><P>Unfortunately im still not comfortable with what Wildfire thinks is a malware and what me (and obviously the rest of the world) belives is a malware...</P><P></P><P>Could perhaps somebody from PaloAlto themselfs (or somebody else) explain to me why both files have the verdict "Benign" when they obviously is anything BUT benign?</P><P></P><P></P><P>File1:</P><P></P><P>Overview</P><P>Filename:&nbsp;&nbsp;&nbsp;&nbsp; b14620ee8cd512565ce5e0ecd6ab55ca.exe</P><P>SHA256:&nbsp;&nbsp;&nbsp;&nbsp; 0f57e8e9334daf3769be5a1ddd19337f7ef8d11a9b2297e71a1c8b2cc2ee7ec3</P><P>User:</P><P>Received:&nbsp;&nbsp;&nbsp;&nbsp; 7/15/2013 9:40:01 PM</P><P>Attacker:</P><P>Victim:&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Hostname/Mgmt. IP:</P><P>Application:&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Verdict:&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Benign</P><P></P><P>Analysis Summary</P><P></P><P>Behavior</P><P>Changed security settings of Internet Explorer</P><P>Created or modified files</P><P>Modified Windows registries</P><P></P><P>Detailed Events</P><P>Registry&nbsp;&nbsp;&nbsp;&nbsp; Action</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e86064ca-57e4-11e0-bef8-806d6172696f}\BaseClass&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Micorosoft\Server\SmartAssemblyReportUsage&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Control Panel\Keyboard\InitialKeyboardIndicators&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P></P><P>Process&nbsp;&nbsp;&nbsp;&nbsp; Parent Process&nbsp;&nbsp;&nbsp;&nbsp; Action</P><P>C:\sample.exe&nbsp;&nbsp;&nbsp;&nbsp; explorer.exe&nbsp;&nbsp;&nbsp;&nbsp; Create</P><P></P><P>File&nbsp;&nbsp;&nbsp;&nbsp; Process&nbsp;&nbsp;&nbsp;&nbsp; Action</P><P>C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\identity.dat&nbsp;&nbsp;&nbsp;&nbsp; C:\sample.exe&nbsp;&nbsp;&nbsp;&nbsp; Write</P><P>C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\info.dat&nbsp;&nbsp;&nbsp;&nbsp; C:\sample.exe&nbsp;&nbsp;&nbsp;&nbsp; Write</P><P>C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\AssemFiles\BB41470D\Usages.bin&nbsp;&nbsp;&nbsp;&nbsp; C:\sample.exe&nbsp;&nbsp;&nbsp;&nbsp; Delete</P><P>C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\AssemFiles\BB41470D\D&nbsp;&nbsp;&nbsp;&nbsp; C:\sample.exe&nbsp;&nbsp;&nbsp;&nbsp; Delete</P><P>C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\AssemFiles\BB41470D\Usages.bin&nbsp;&nbsp;&nbsp;&nbsp; C:\sample.exe&nbsp;&nbsp;&nbsp;&nbsp; Write </P><P></P><P>And here is what Virustotal thinks of the above file: <A href="https://www.virustotal.com/en/file/0f57e8e9334daf3769be5a1ddd19337f7ef8d11a9b2297e71a1c8b2cc2ee7ec3/analysis/1373918339/" title="https://www.virustotal.com/en/file/0f57e8e9334daf3769be5a1ddd19337f7ef8d11a9b2297e71a1c8b2cc2ee7ec3/analysis/1373918339/"> Antivirus scan for 5fa713436f4820532eb6ea70a9e1ff21 at2013-07-15 19:58:59 UTC - VirusTotal </A></P><P></P><P></P><P>File2:</P><P></P><P>Overview</P><P>Filename:&nbsp;&nbsp;&nbsp;&nbsp; e762428b721a1de0e50cb93c91ca629c.exe</P><P>SHA256:&nbsp;&nbsp;&nbsp;&nbsp; df97bc506772110d83e081bcc80226483176be6de1da85239ac81440eba89ec0</P><P>User:</P><P>Received:&nbsp;&nbsp;&nbsp;&nbsp; 7/15/2013 9:40:18 PM</P><P>Attacker:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Victim:&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Hostname/Mgmt. IP:</P><P>Application:&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Verdict:&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Benign</P><P></P><P>Analysis Summary</P><P></P><P>Behavior</P><P>Created or modified files</P><P>Spawned new processes</P><P>Modified Windows registries</P><P>Changed security settings of Internet Explorer</P><P>Changed the proxy settings for Internet Explorer</P><P>Modified the network connections setting for Internet Explorer</P><P>Attempted to sleep for a long period</P><P></P><P>Detailed Events</P><P>Registry&nbsp;&nbsp;&nbsp;&nbsp; Action</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e86064ca-57e4-11e0-bef8-806d6172696f}\BaseClass&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer&nbsp;&nbsp;&nbsp;&nbsp; Delete</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride&nbsp;&nbsp;&nbsp;&nbsp; Delete</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL&nbsp;&nbsp;&nbsp;&nbsp; Delete</P><P>HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings&nbsp;&nbsp;&nbsp;&nbsp; Set</P><P></P><P>Process&nbsp;&nbsp;&nbsp;&nbsp; Parent Process&nbsp;&nbsp;&nbsp;&nbsp; Action</P><P>C:\sample.exe&nbsp;&nbsp;&nbsp;&nbsp; explorer.exe&nbsp;&nbsp;&nbsp;&nbsp; Create</P><P>C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE&nbsp;&nbsp;&nbsp;&nbsp; C:\sample.exe&nbsp;&nbsp;&nbsp;&nbsp; Create</P><P>C:\WINDOWS\system32\userinit.exe&nbsp;&nbsp;&nbsp;&nbsp; C:\WINDOWS\system32\winlogon.exe&nbsp;&nbsp;&nbsp;&nbsp; Terminate</P><P></P><P>File&nbsp;&nbsp;&nbsp;&nbsp; Process&nbsp;&nbsp;&nbsp;&nbsp; Action</P><P>C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log&nbsp;&nbsp;&nbsp;&nbsp; C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE&nbsp;&nbsp;&nbsp;&nbsp; Write</P><P>C:\Documents and Settings\Administrator\Local Settings\Temp\8750.dmp&nbsp;&nbsp;&nbsp;&nbsp; C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE&nbsp;&nbsp;&nbsp;&nbsp; Write </P><P></P><P>And here is what Virustotal thinks of the above file: <A href="https://www.virustotal.com/en/file/df97bc506772110d83e081bcc80226483176be6de1da85239ac81440eba89ec0/analysis/1373918301/" title="https://www.virustotal.com/en/file/df97bc506772110d83e081bcc80226483176be6de1da85239ac81440eba89ec0/analysis/1373918301/"> Antivirus scan for 8b00c2d2face7267c2eb16c93e75a662 at2013-07-15 19:58:21 UTC - VirusTotal </A></P></BODY></HTML> Mon, 15 Jul 2013 20:06:17 GMT https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37677#M27605 mikand 2013-07-15T20:06:17Z https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37678#M27606 <HTML><HEAD></HEAD><BODY><P>This could be a possible False_negative.</P><P>Can you please open a support case specifying the <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">SHA</SPAN> of both these files.</P><P></P><P>HTH</P></BODY></HTML> Mon, 15 Jul 2013 21:38:28 GMT https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37678#M27606 UhMayYeah 2013-07-15T21:38:28Z https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37679#M27607 <HTML><HEAD></HEAD><BODY><P>Thanks!</P><P></P><P>I have forwarded this to "my" support.</P></BODY></HTML> Mon, 15 Jul 2013 21:44:58 GMT https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37679#M27607 mikand 2013-07-15T21:44:58Z https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37680#M27608 <HTML><HEAD></HEAD><BODY><P>I have created a case and made sure the SHA for both files as well as a link to this forum post is part of the same case.</P><P></P><P>Regards Peter</P></BODY></HTML> Tue, 16 Jul 2013 06:50:31 GMT https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37680#M27608 radpointsupport 2013-07-16T06:50:31Z https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37681#M27609 <HTML><HEAD></HEAD><BODY><P>Milkand,</P><P></P><P>We have see false negatives based on Virus total analysis or based on the behavior that was observed leading up to the download of the executable (java downloads leading up to the exe download) or social engineering (clicking on links in emails from bad guys).&nbsp; In these cases we try to get a copy of the executable and attach it to the case we submit to support along with supporting documentation (virus total report, URL of wildfire report ).&nbsp; We have done this on numerous occasions&nbsp; with positive outcomes (virus definitions inclusion).</P><P></P><P>Phil</P></BODY></HTML> Tue, 16 Jul 2013 11:48:11 GMT https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37681#M27609 HITSSEC 2013-07-16T11:48:11Z https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37682#M27610 <HTML><HEAD></HEAD><BODY><P><A __default_attr="5926" __jive_macro_name="user" class="jive_macro jive_macro_user" data-objecttype="3" href="https://live.paloaltonetworks.com/"></A> This is true for AV,Spyware and Vulnerability.For Wildfire you just need SHA of the suspected file.</P></BODY></HTML> Tue, 16 Jul 2013 13:08:00 GMT https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37682#M27610 UhMayYeah 2013-07-16T13:08:00Z https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37683#M27611 <HTML><HEAD></HEAD><BODY><P>In this case Radpoint ("my" support <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> returned to me asking for the files in question - seems like 2nd line support (over at PA) doesnt have proper access to the files being uploaded to wildfire (or because these files were identified as benign wildfire doesnt store them - only files identified as malware and not previously seen is stored within wildfire, anyone who knows what happens behind the scenes?).</P><P></P><P>Anyway - support has got the files and case id 147980 is open regarding this... hopefully it wont take too long to get an explanation in return for why wildfire identified both files as benign...</P><P></P><P>Because, and this has been discussed previously in this forum, I fully understand if for example a downloader isnt identified as malware (even if I somewhat doesnt agree but still) but rather the file which the downloader is downloading (unless the downloader on its own is exploiting stuff) - but neither of the files seems to match that criteria.</P></BODY></HTML> Tue, 16 Jul 2013 14:00:07 GMT https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37683#M27611 mikand 2013-07-16T14:00:07Z https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37684#M27612 <HTML><HEAD></HEAD><BODY><P>It turns out this was actually a false-negative as I got this in return from the support:</P><P></P><P>"</P><P>The verdict in production has been changed to malware and these samples will be covered by Virus/Win32.generic.jnrgg and Virus/Win32.generic.jnrgh in WF AV: 16814</P><P>"</P></BODY></HTML> Fri, 19 Jul 2013 07:41:35 GMT https://live.paloaltonetworks.com/t5/general-topics/trying-still-to-understand-wildfire/m-p/37684#M27612 mikand 2013-07-19T07:41:35Z