https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/132937#M47135 <P><SPAN>Reply from TAC</SPAN></P><P>&nbsp;</P><P><SPAN>We&nbsp;have&nbsp;released&nbsp;the&nbsp;modification&nbsp;to&nbsp;signature&nbsp;&nbsp;(TID:&nbsp;31327/&nbsp;Attempted&nbsp;Antivirus&nbsp;Detection&nbsp;Bypass&nbsp;via&nbsp;Malformed&nbsp;ZIP&nbsp;Archive)&nbsp;in&nbsp;content&nbsp;version&nbsp;646&nbsp;on&nbsp;12/13/2016.</SPAN></P> Thu, 15 Dec 2016 01:44:53 GMT nextgenhappines 2016-12-15T01:44:53Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/120549#M45940 <P>Hello,</P><P>&nbsp;</P><P>Start 10/13, &nbsp;I have been getting medium threat alert for vulnerability id 31327 (<SPAN>Attempted Antivirus Detection Bypass via Malformed ZIP Archive). &nbsp;I beleve it is my iOS devices connect to apple store to download app updates. &nbsp;Anyone else sees these? &nbsp;It is using the action is reset-both, but I still able to complete the download and install without any problem. &nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2016-10-22 at 7.13.09 AM.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/6019iBA87D47171F3FA68/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screen Shot 2016-10-22 at 7.13.09 AM.png" alt="Screen Shot 2016-10-22 at 7.13.09 AM.png" /></span></SPAN></P> Sat, 22 Oct 2016 14:19:29 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/120549#M45940 nextgenhappines 2016-10-22T14:19:29Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/120559#M45943 <P>I have the same problem. &nbsp;I ended up making a "permit itunes-base" security policy that points to a vulnerability protection profile with that specific signature disabled. &nbsp;</P> Sat, 22 Oct 2016 15:19:46 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/120559#M45943 jvalentine 2016-10-22T15:19:46Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/120608#M45952 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/22017">@jvalentine</a>&nbsp;Thanks for confirming it. &nbsp;The strange part that I don't understand is the app update is still successful. &nbsp;Also, the file that is alerting are all from Apple Itune app store. &nbsp;I will think " I can trust Apple?!?". &nbsp; &nbsp;I just want to know if this is a false positive or something real.</P><P>&nbsp;</P><P>E</P> Sat, 22 Oct 2016 23:46:56 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/120608#M45952 nextgenhappines 2016-10-22T23:46:56Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/120615#M45955 <P>I'm willing to bet it's a false-positive, because it's Apple, right? &nbsp;I'd recommend opening a case with TAC. &nbsp;</P> Sun, 23 Oct 2016 01:46:41 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/120615#M45955 jvalentine 2016-10-23T01:46:41Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/132937#M47135 <P><SPAN>Reply from TAC</SPAN></P><P>&nbsp;</P><P><SPAN>We&nbsp;have&nbsp;released&nbsp;the&nbsp;modification&nbsp;to&nbsp;signature&nbsp;&nbsp;(TID:&nbsp;31327/&nbsp;Attempted&nbsp;Antivirus&nbsp;Detection&nbsp;Bypass&nbsp;via&nbsp;Malformed&nbsp;ZIP&nbsp;Archive)&nbsp;in&nbsp;content&nbsp;version&nbsp;646&nbsp;on&nbsp;12/13/2016.</SPAN></P> Thu, 15 Dec 2016 01:44:53 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/132937#M47135 nextgenhappines 2016-12-15T01:44:53Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/132950#M47136 <P>My firewall installed that content version yesterday, but today I'm still getting false-positive hits for 31327 via itunes-base. &nbsp;I count 15 hits just today. &nbsp;Looks like the signature needs some additional work still. &nbsp;</P> Thu, 15 Dec 2016 05:32:24 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/132950#M47136 jvalentine 2016-12-15T05:32:24Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/133096#M47164 <P>Same here, TAC told me to use CLI to reinstall the 646 update again.&nbsp; If it still does not work, perform another packet captures and update the case.&nbsp;&nbsp; I don't understand why TAC can't test it?&nbsp; It is just iOS / Itune download app update from apple itune store.&nbsp; It is easy to replicate.</P><P>&nbsp;</P><P>E</P><P>&nbsp;</P> Thu, 15 Dec 2016 16:01:24 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/133096#M47164 nextgenhappines 2016-12-15T16:01:24Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/135259#M47486 <P>The signature is disabed on 650-3771. &nbsp;According to TAC, there are too many false positive. &nbsp;Not sure what is the future plan of this specific signature will be.</P><P>&nbsp;</P><P>E</P> Fri, 30 Dec 2016 19:03:46 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-id-31327/m-p/135259#M47486 nextgenhappines 2016-12-30T19:03:46Z