https://live.paloaltonetworks.com/t5/general-topics/false-positive-virus/m-p/3920#M2881 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply, as part of my ticket I had included the .pcap file from one of the "threats".&nbsp; The issue is still happening, but the bizarre thing is only happening with a few users, most of the users have been able to do updates, myself included.</P><P></P><P>As for the Wildfire that is what I thought from reading about it in the forums, but the fact there was no traffic reported for anything for 8 days had me a little concerned.</P></BODY></HTML> Thu, 11 Oct 2012 16:07:11 GMT rgreens 2012-10-11T16:07:11Z https://live.paloaltonetworks.com/t5/general-topics/false-positive-virus/m-p/3917#M2878 <HTML><HEAD></HEAD><BODY><P>We use Total Defense for an antivirus program.&nbsp; It appears that one of the executable (both the 32 bit and 64 bit versions) in the latest update is being flagged as a virus, Virus/Win32.WGeneric.bnrd, the other executable files are fine.&nbsp; When I look at the Data Filtering log for Wildfire I see it says that it was forwarded.&nbsp; But when I look at the Wildfire report there is no report of that specific executable in the history and I don't see any files in Wild Fire reports in the last 7 days.&nbsp; So I believe I have a two fold issue, one the false positive doesn't allow our users to the the latest update and the fact nothing seems to be reaching Wildfire.</P><P></P><P>I opened a ticket 8 days ago when I first saw the problem, but they want a copy of the executable.&nbsp; Unfortunately I can't find it because it is never getting to Wildfire and the installation files are inside a .pkg file and can't find a way to extract it.</P></BODY></HTML> Thu, 11 Oct 2012 11:45:08 GMT https://live.paloaltonetworks.com/t5/general-topics/false-positive-virus/m-p/3917#M2878 rgreens 2012-10-11T11:45:08Z https://live.paloaltonetworks.com/t5/general-topics/false-positive-virus/m-p/3918#M2879 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">A "forward" action simply means that the WildFire action was taken for the file, but didn't result in an actual file upload (because it was a trusted file, or WildFire has already seen the file).</SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">For the false positive issue, you can enable "Data Capture" on data filtering setting and get the file. Or if the issue is reproducible, you can have captures at firewall, initiate anti-virus update and attach those pcaps to the case you opened earlier. </SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Also on the same note, <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"> "wildfire-upload-success" means the file was actually uploaded to the cloud because the cloud had not seen the file before, and it wasn't signed by a trusted signer.</SPAN></SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">Hope this helps.Thanks</SPAN></P></BODY></HTML> Thu, 11 Oct 2012 13:24:09 GMT https://live.paloaltonetworks.com/t5/general-topics/false-positive-virus/m-p/3918#M2879 ssharma 2012-10-11T13:24:09Z https://live.paloaltonetworks.com/t5/general-topics/false-positive-virus/m-p/3919#M2880 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>The detailed issue is documented at the following link indicating as an expected behavior.</P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-3369">https://live.paloaltonetworks.com/docs/DOC-3369</A></P><P></P><P>Regards</P><P>Parth</P></BODY></HTML> Thu, 11 Oct 2012 15:00:54 GMT https://live.paloaltonetworks.com/t5/general-topics/false-positive-virus/m-p/3919#M2880 ppatel 2012-10-11T15:00:54Z https://live.paloaltonetworks.com/t5/general-topics/false-positive-virus/m-p/3920#M2881 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply, as part of my ticket I had included the .pcap file from one of the "threats".&nbsp; The issue is still happening, but the bizarre thing is only happening with a few users, most of the users have been able to do updates, myself included.</P><P></P><P>As for the Wildfire that is what I thought from reading about it in the forums, but the fact there was no traffic reported for anything for 8 days had me a little concerned.</P></BODY></HTML> Thu, 11 Oct 2012 16:07:11 GMT https://live.paloaltonetworks.com/t5/general-topics/false-positive-virus/m-p/3920#M2881 rgreens 2012-10-11T16:07:11Z