topic Re: VBS/Virus.invadesys.(253879) - Potential False Positive? in General Topics

VBS/Virus.invadesys.(253879) - Potential False Positive?

dciccone — Fri, 09 Aug 2013 14:51:16 GMT

Hi,

Recently, on some of our clients we have been seeing the same threat / virus appear. The name is VBS/Virus.invadesys. and the ID is 253879.

Some interesting things to note...

The file-name is ALWAYS a bookmark file ending in .url
All of the files sound VERY generic.

Small sample of some URLs...

"Guide Entertainment Network.url"
"Monitor Tool 2008.url"
"IE site on Microsoft.com.url"
"Windows Media Showcase.url"
"Welcome to IE7.url"

Upon further investigation, it seems that these files come pre-packaged with IE7, as seen with one of the above URLs.

So my question is, has anyone else seen an abundance of these alerts in the recent days?

Re: VBS/Virus.invadesys.(253879) - Potential False Positive?

goku123 — Fri, 09 Aug 2013 15:04:08 GMT

False positives for threat ID 253879 have been confirmed. Fix targeted through AV release 1076.

Re: VBS/Virus.invadesys.(253879) - Potential False Positive?

dciccone — Fri, 09 Aug 2013 15:21:32 GMT

Hi achitwadgi,

Thanks for the information. Any idea when this update will be available for download? I just checked on the PA devices, and it is not showing yet.

Also, where did you obtain this information? I cannot find it anywhere.

Re: VBS/Virus.invadesys.(253879) - Potential False Positive?

goku123 — Fri, 09 Aug 2013 16:04:02 GMT

Hi, current AV version available is 1075. 1076 should go out later today.

Re: VBS/Virus.invadesys.(253879) - Potential False Positive?

goku123 — Fri, 09 Aug 2013 18:35:29 GMT

Hi,

AV 1076 was just released, we are testing again with a couple of links. Will update this thread shortly.

Re: VBS/Virus.invadesys.(253879) - Potential False Positive?

goku123 — Fri, 09 Aug 2013 20:38:39 GMT

AV 1076 is still triggering alerts on this threat id 253879 for URLs such as support.microsoft.com/kb/2123563.

This issue has been reopened with PAN threat team and is being further investigated.

Re: VBS/Virus.invadesys.(253879) - Potential False Positive?

goku123 — Fri, 09 Aug 2013 22:24:58 GMT

A problem was discovered with the signature and this is being addressed with the combination of AV update today and the app+threat content update that is targeted for release on Tuesday Aug 13.

Re: VBS/Virus.invadesys.(253879) - Potential False Positive?

mikand — Sun, 11 Aug 2013 18:45:55 GMT

Thanks for the updates on this issue!

Re: VBS/Virus.invadesys.(253879) - Potential False Positive?

urb — Wed, 14 Aug 2013 13:24:32 GMT

I have just received a report from a customer running 1078, that he has this false positive as well. Guess we are not quit there yet.

Re: VBS/Virus.invadesys.(253879) - Potential False Positive?

goku123 — Wed, 14 Aug 2013 14:29:40 GMT

Please ensure that in addition to the latest AV package, you are also running apps+threat version 388 or newer.

Re: VBS/Virus.invadesys.(253879) - Potential False Positive?

jam1 — Wed, 14 Aug 2013 18:28:24 GMT

I am running Apps and Threats version 388 antivirus version 1078 and am still reviving these alerts. Interestingly the threat ID and name are not present in the threat vault.

Re: VBS/Virus.invadesys.(253879) - Potential False Positive?

goku123 — Wed, 14 Aug 2013 18:48:45 GMT

Maybe the signature needs additional tuning. If you suspect this to be a false positive alert, can you please open a support case with the threat log screenshot & sample/url/threat pcap and 'show system info' output?