topic PAN-DB Re-Categorization Requests in General Topics

PAN-DB Re-Categorization Requests

Brandon_Wertz — Fri, 18 Sep 2015 13:09:17 GMT

Just curious what everyone's expereince / success has been when trying to get URLs re-categorized, especially malicious domains?

I don't seem to have much luck instilling a sense of urgency with support on these requests.

I submitted a support case for a domain on a domain on the 10th that we see phishing/credential harvesting and I've still got no action from support (on a Case I submitted as a high).

Anything I could do to get better results? I'd think Palo Alto, for all intents and purposes, a network defense company would have more timely reponses to these requests.

Re: PAN-DB Re-Categorization Requests

Brandon_Wertz — Fri, 18 Sep 2015 13:11:28 GMT

I should add, it was categorized as unkown and got categorized as "real-estate" prior to the 10th, which precipitated the support request.

We submitted the inital one as phishing, to which Palo's categorization was "real-estate."

Re: PAN-DB Re-Categorization Requests

reaper — Fri, 18 Sep 2015 13:15:09 GMT

Hi Brandon

Did you try submitting the URL through https://urlfiltering.paloaltonetworks.com/ ?

This should trigger an direct request with the URL DB team to verify a url manually.

regards

Tom

Re: PAN-DB Re-Categorization Requests

santonic — Fri, 18 Sep 2015 13:18:47 GMT

So far I only had a couple of requests for sites that were marked as malware to be re-evaluated. And PA were really quick to check and change to some safe category.

Re: PAN-DB Re-Categorization Requests

Brandon_Wertz — Fri, 18 Sep 2015 13:28:58 GMT

Yes.

We do the initial "automated process" either through URL logs or direct on the site.

I can recount at least 5 times where people at my company "suggest" a site as "malware" or "phishing" only to have the canned response thanks but no thanks.

So we submit an case, which is what I did in this instance as well. We're now going on 8 days with no resolution for the case.

This screen shot was included in the support case...How is this not an automatic action...Tip...I don't work for "swlacomps.com" they shouldn't be asking my users to put their credentials in.

Re: PAN-DB Re-Categorization Requests

santonic — Fri, 18 Sep 2015 13:46:56 GMT

I had a problem convincing PA a certain file to be malware. The file in question is IZArc_Setup.exe with SHA-256 hash 4d5882c57875b86cd6095e3bf2c64785cb878fd9d836d2091c9585198e2b4c75

15/55 AV vendors on VirusTotal recognise it as virus. (https://www.virustotal.com/en/file/4d5882c57875b86cd6095e3bf2c64785cb878fd9d836d2091c9585198e2b4c75/analysis/)

It downloads a file (SHA256: ffaf52d2f7c34df344c21a532a52711dbebcbb77a5e00b8aad46d6c247ed8718) from a domain which is marked as malware domain by PA DB and BrightCloud (sub.dunhiri.com/installers/bi_downloader/1433912751207/setup.exe).

The file it downloads is marked as benign by WF portal, but 26/56 AV vendors according to VirusTotal mark it as virus (https://www.virustotal.com/en/file/ffaf52d2f7c34df344c21a532a52711dbebcbb77a5e00b8aad46d6c247ed8718/analysis/)

I tried to change verdict for this 3 times but I was never succesful. So yeah it's a mission to convince PA some file is actually malware. A bit dissapointing.

Re: PAN-DB Re-Categorization Requests

Brandon_Wertz — Mon, 21 Sep 2015 18:50:36 GMT

Going on 11 days now...Still no action in the categorization request.

Geeze I sure hope no other companies user credentials have been stolen in this time.