topic Re: Eicar and Palo Alto threat-db in General Topics

Eicar and Palo Alto threat-db

mikand — Thu, 28 Feb 2013 22:30:39 GMT

First a question:

Where and how can I see what is the default action for a particular threat, vuln or spyware threatid?

Preferly from within the box itself...

And now for an observation:

I tried searching for eicar in the threat vault and obviously there are four different (?) eicars registered:

2739329 Virus/Win32.eicar-av-test.b

2459563 Virus/DOS.eicar_test_file.j

2101399 Virus/Win32.eicartestfile.e

2069593 Virus/Win32.eicartestfile.bh

The first three can be opened:

https://threatvault.paloaltonetworks.com/Home/VirusDetail/2739329

https://threatvault.paloaltonetworks.com/Home/VirusDetail/2459563

https://threatvault.paloaltonetworks.com/Home/VirusDetail/2101399

But the fourth just wont load when clicking on it the the results:

https://threatvault.paloaltonetworks.com/Home/VirusDetail/2069593

however the url (when written manually in the address field) works.

And now for the added feature:

All four reports that they where added in content-db v960 (2013-02-28) !?!?!?

Content Release 960 (2/28/2013)

And... looking at each page it clearly looks like output from wildfire... but the true eicar testfile wont try to change netsh.exe settings, dump exe files, alter register keys etc... or did I miss what eicar testfile is supposed to do? :smileysilly:

Download ° EICAR - European Expert Group for IT-Security

Also as a sidenote the threatid for the true eicar testfile seems to be threatid 100000, but this threatid cannot be located in the threat vault!?

Re: Eicar and Palo Alto threat-db

UhMayYeah — Fri, 01 Mar 2013 00:05:26 GMT

First Answer

Where and how can I see what is the default action for a particular threat, vuln or spyware threatid?

Re: Eicar and Palo Alto threat-db

UhMayYeah — Fri, 01 Mar 2013 00:11:50 GMT

Response to your Observation : I had to visit Threat Vault and search for the ID: 2069593 the first time and now it opens up every single time.

I could add Threat Exception which validates that Threat ID for 100000

Re: Eicar and Palo Alto threat-db

mikand — Fri, 01 Mar 2013 07:25:08 GMT

Ohh... I guess I missed that checkbox in the lower left

Also I assume that AV signatures doesnt have any default action or such attached to them?

Regarding Eicar I was more thinking of why there are four of them and why threatid 100000 isnt searchable through the threat vault webpage?

Re: Eicar and Palo Alto threat-db

ericgearhart — Fri, 01 Mar 2013 15:43:32 GMT

I just tried to open each of those links to the Threat Vault in the original post, and I had to close the tabs and open them a second time for them to work (on each individual link)

It seems that some sort of web session or cookie or whatever gets established the fist time the link is visited, but the page doesn't display the first time. When you hit the link for the second time the actual page displays. Sounds like a session thing to me.