https://live.paloaltonetworks.com/t5/general-topics/macdefender-signature/m-p/39725#M29138 <HTML><HEAD></HEAD><BODY><P>Has anyone seen a lot of activity around the MacDefender Command and Control Traffic (event ID 13104 and 13108)&nbsp; spyware threat since the introduction of these signatures? I believe first add of these signatures was 248-993 and then updated in 249-1005.&nbsp; I am trying to get a handle on the numerous daily "blocked" events we are seeing for these connections.&nbsp; According to what I know of this malicious behavior - the payload is against the Mac OS only.&nbsp; However, we have no Macs.&nbsp; All these events are happening to PCs.&nbsp; Is it perhaps because a drive-by or web link is bringing our users to the known bad external IPs? Also want to validate that this is indeed a real event and not a false positive - for we are seeing about a dozen of these events a day - never to same internal user.&nbsp; Curious if anyone is seeing any of this activity and thoughts before I open a case. </P><P></P><P>Cheers,</P><P></P><P>Mike</P></BODY></HTML> Wed, 01 Jun 2011 21:18:09 GMT MGoodnow 2011-06-01T21:18:09Z https://live.paloaltonetworks.com/t5/general-topics/macdefender-signature/m-p/39725#M29138 <HTML><HEAD></HEAD><BODY><P>Has anyone seen a lot of activity around the MacDefender Command and Control Traffic (event ID 13104 and 13108)&nbsp; spyware threat since the introduction of these signatures? I believe first add of these signatures was 248-993 and then updated in 249-1005.&nbsp; I am trying to get a handle on the numerous daily "blocked" events we are seeing for these connections.&nbsp; According to what I know of this malicious behavior - the payload is against the Mac OS only.&nbsp; However, we have no Macs.&nbsp; All these events are happening to PCs.&nbsp; Is it perhaps because a drive-by or web link is bringing our users to the known bad external IPs? Also want to validate that this is indeed a real event and not a false positive - for we are seeing about a dozen of these events a day - never to same internal user.&nbsp; Curious if anyone is seeing any of this activity and thoughts before I open a case. </P><P></P><P>Cheers,</P><P></P><P>Mike</P></BODY></HTML> Wed, 01 Jun 2011 21:18:09 GMT https://live.paloaltonetworks.com/t5/general-topics/macdefender-signature/m-p/39725#M29138 MGoodnow 2011-06-01T21:18:09Z https://live.paloaltonetworks.com/t5/general-topics/macdefender-signature/m-p/39726#M29139 <HTML><HEAD></HEAD><BODY><P> Hi Mike,</P><P></P><P>A couple of cases came into Support regarding the MAC Defender but both are waiting on the customer to provide a pcap of the traffic so nothing conclusive yet.&nbsp; If you can provide a pcap, please go ahead and open a case so that engineering can determine if it is a false positive or not.&nbsp; Thanks.</P></BODY></HTML> Mon, 06 Jun 2011 15:35:40 GMT https://live.paloaltonetworks.com/t5/general-topics/macdefender-signature/m-p/39726#M29139 nrice 2011-06-06T15:35:40Z