https://live.paloaltonetworks.com/t5/general-topics/blocking-action-with-virus-threat-but-can-t-find-information/m-p/8192#M6055 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We have a user trying to access a website webinar and they are getting blocked with AV threat name Trojan/Js.Iframe.bgw ID: 259252.&nbsp; The details are as follows.</P><P></P><P><TABLE border="0" cellpadding="0" cellspacing="0" class="list"><TBODY><TR><TD align="left" class="dashboard_left">Log</TD><TD class="dashboard">THREAT</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Type</TD><TD class="dashboard_alternate">virus</TD></TR><TR><TD align="left" class="dashboard_left">Receive Time</TD><TD class="dashboard">2010/03/22 14:03:23</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Generation Time</TD><TD class="dashboard_alternate">2010/03/22 14:03:17</TD></TR><TR><TD align="left" class="dashboard_left">Threat Name</TD><TD class="dashboard">Trojan/Js.Iframe.bgw</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Threat ID</TD><TD class="dashboard_alternate">259252</TD></TR><TR><TD align="left" class="dashboard_left">Direction</TD><TD class="dashboard">server-to-client</TD></TR><TR><TD align="left" class="dashboard_left_alternate">From Zone</TD><TD class="dashboard_alternate">FW_UplinkOutsid</TD></TR><TR><TD align="left" class="dashboard_left">To Zone</TD><TD class="dashboard">FW_UplinkInside</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Attacker</TD><TD class="dashboard_alternate">4.53.17.200</TD></TR><TR><TD align="left" class="dashboard_left">Victim</TD><TD class="dashboard">10.0.99.20</TD></TR><TR><TD align="left" class="dashboard_left">From User</TD><TD class="dashboard"></TD></TR><TR><TD align="left" class="dashboard_left_alternate">To User</TD><TD class="dashboard_alternate"></TD></TR><TR><TD align="left" class="dashboard_left_alternate">From Port</TD><TD class="dashboard_alternate">80</TD></TR><TR><TD align="left" class="dashboard_left">To Port</TD><TD class="dashboard">3376</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Protocol</TD><TD class="dashboard_alternate">tcp</TD></TR><TR><TD align="left" class="dashboard_left">Application</TD><TD class="dashboard">web-browsing</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Action</TD><TD class="dashboard_alternate">deny</TD></TR><TR><TD align="left" class="dashboard_left">Severity</TD><TD class="dashboard">medium</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Rule</TD><TD class="dashboard_alternate">Internet</TD></TR><TR><TD align="left" class="dashboard_left">Ingress I/F</TD><TD class="dashboard">ethernet1/5</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Egress I/F</TD><TD class="dashboard_alternate">ethernet1/6</TD></TR><TR><TD align="left" class="dashboard_left">Log Action</TD><TD class="dashboard"></TD></TR><TR><TD align="left" class="dashboard_left_alternate">Virtual System</TD><TD class="dashboard_alternate">vsys3</TD></TR><TR><TD align="left" class="dashboard_left">Session Id</TD><TD class="dashboard">461655</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Count</TD><TD class="dashboard_alternate">1</TD></TR><TR><TD align="left" class="dashboard_left">Configuration Version</TD><TD class="dashboard">8</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Category</TD><TD class="dashboard_alternate">any</TD></TR><TR><TD align="left" class="dashboard_left">Others</TD><TD class="dashboard">hpbroadband.com</TD></TR><TR><TD align="left" class="dashboard_left_alternate">SSL Decrypted</TD><TD class="dashboard_alternate">no</TD></TR><TR><TD align="left" class="dashboard_left">NAT Applied</TD><TD class="dashboard">no</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Packet Capture</TD><TD class="dashboard_alternate">no</TD></TR><TR><TD align="left" class="dashboard_left">Captive Portal</TD><TD class="dashboard">no</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Proxy Transaction</TD><TD class="dashboard_alternate">no</TD></TR><TR><TD align="left" class="dashboard_left">Serial #</TD><TD class="dashboard"></TD></TR></TBODY></TABLE></P></BODY></HTML> Mon, 22 Mar 2010 14:33:11 GMT aveva_palo 2010-03-22T14:33:11Z https://live.paloaltonetworks.com/t5/general-topics/blocking-action-with-virus-threat-but-can-t-find-information/m-p/8192#M6055 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We have a user trying to access a website webinar and they are getting blocked with AV threat name Trojan/Js.Iframe.bgw ID: 259252.&nbsp; The details are as follows.</P><P></P><P><TABLE border="0" cellpadding="0" cellspacing="0" class="list"><TBODY><TR><TD align="left" class="dashboard_left">Log</TD><TD class="dashboard">THREAT</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Type</TD><TD class="dashboard_alternate">virus</TD></TR><TR><TD align="left" class="dashboard_left">Receive Time</TD><TD class="dashboard">2010/03/22 14:03:23</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Generation Time</TD><TD class="dashboard_alternate">2010/03/22 14:03:17</TD></TR><TR><TD align="left" class="dashboard_left">Threat Name</TD><TD class="dashboard">Trojan/Js.Iframe.bgw</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Threat ID</TD><TD class="dashboard_alternate">259252</TD></TR><TR><TD align="left" class="dashboard_left">Direction</TD><TD class="dashboard">server-to-client</TD></TR><TR><TD align="left" class="dashboard_left_alternate">From Zone</TD><TD class="dashboard_alternate">FW_UplinkOutsid</TD></TR><TR><TD align="left" class="dashboard_left">To Zone</TD><TD class="dashboard">FW_UplinkInside</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Attacker</TD><TD class="dashboard_alternate">4.53.17.200</TD></TR><TR><TD align="left" class="dashboard_left">Victim</TD><TD class="dashboard">10.0.99.20</TD></TR><TR><TD align="left" class="dashboard_left">From User</TD><TD class="dashboard"></TD></TR><TR><TD align="left" class="dashboard_left_alternate">To User</TD><TD class="dashboard_alternate"></TD></TR><TR><TD align="left" class="dashboard_left_alternate">From Port</TD><TD class="dashboard_alternate">80</TD></TR><TR><TD align="left" class="dashboard_left">To Port</TD><TD class="dashboard">3376</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Protocol</TD><TD class="dashboard_alternate">tcp</TD></TR><TR><TD align="left" class="dashboard_left">Application</TD><TD class="dashboard">web-browsing</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Action</TD><TD class="dashboard_alternate">deny</TD></TR><TR><TD align="left" class="dashboard_left">Severity</TD><TD class="dashboard">medium</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Rule</TD><TD class="dashboard_alternate">Internet</TD></TR><TR><TD align="left" class="dashboard_left">Ingress I/F</TD><TD class="dashboard">ethernet1/5</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Egress I/F</TD><TD class="dashboard_alternate">ethernet1/6</TD></TR><TR><TD align="left" class="dashboard_left">Log Action</TD><TD class="dashboard"></TD></TR><TR><TD align="left" class="dashboard_left_alternate">Virtual System</TD><TD class="dashboard_alternate">vsys3</TD></TR><TR><TD align="left" class="dashboard_left">Session Id</TD><TD class="dashboard">461655</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Count</TD><TD class="dashboard_alternate">1</TD></TR><TR><TD align="left" class="dashboard_left">Configuration Version</TD><TD class="dashboard">8</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Category</TD><TD class="dashboard_alternate">any</TD></TR><TR><TD align="left" class="dashboard_left">Others</TD><TD class="dashboard">hpbroadband.com</TD></TR><TR><TD align="left" class="dashboard_left_alternate">SSL Decrypted</TD><TD class="dashboard_alternate">no</TD></TR><TR><TD align="left" class="dashboard_left">NAT Applied</TD><TD class="dashboard">no</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Packet Capture</TD><TD class="dashboard_alternate">no</TD></TR><TR><TD align="left" class="dashboard_left">Captive Portal</TD><TD class="dashboard">no</TD></TR><TR><TD align="left" class="dashboard_left_alternate">Proxy Transaction</TD><TD class="dashboard_alternate">no</TD></TR><TR><TD align="left" class="dashboard_left">Serial #</TD><TD class="dashboard"></TD></TR></TBODY></TABLE></P></BODY></HTML> Mon, 22 Mar 2010 14:33:11 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-action-with-virus-threat-but-can-t-find-information/m-p/8192#M6055 aveva_palo 2010-03-22T14:33:11Z https://live.paloaltonetworks.com/t5/general-topics/blocking-action-with-virus-threat-but-can-t-find-information/m-p/8193#M6056 <HTML><HEAD></HEAD><BODY><P>If you think this is a false positive you can set an exception for this by simply clicking on the threat name from the threat log, then click on "show" next to exceptions, the click on "add".</P><P>To pursue this further you will need to call into support so we can take look at this and perhaps refer this to engineering to correct our content.</P><P></P><P></P><P></P><P></P><P>Thanks</P></BODY></HTML> Tue, 23 Mar 2010 19:37:04 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-action-with-virus-threat-but-can-t-find-information/m-p/8193#M6056 swhyte 2010-03-23T19:37:04Z https://live.paloaltonetworks.com/t5/general-topics/blocking-action-with-virus-threat-but-can-t-find-information/m-p/8194#M6057 <HTML><HEAD></HEAD><BODY><P>this issue went after an AV and threat definition update.</P></BODY></HTML> Fri, 26 Mar 2010 11:21:17 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-action-with-virus-threat-but-can-t-find-information/m-p/8194#M6057 aveva_palo 2010-03-26T11:21:17Z