https://live.paloaltonetworks.com/t5/general-topics/url-classified-as-malware-but-not-sinkholed/m-p/207656#M60841 <P>Hello,</P><P>&nbsp;</P><P>Quick question for a specific URL (cia.toh.info)&nbsp; This URL is classified as malware in PAN-DB but doesn't show ip in the AV release notes as a malware site so it doesn't get sinkholed when we do a DNS lookup for that url.&nbsp; We've noticed other URLs exhibiting the same behavior.</P><P>&nbsp;</P><P>Has anyone else seen this?&nbsp; Is there a disconnect between the PAN-DB classification and the AV (sinkhole) database?</P><P>&nbsp;</P><P>Thanks.</P> Tue, 27 Mar 2018 13:02:44 GMT epeeler 2018-03-27T13:02:44Z https://live.paloaltonetworks.com/t5/general-topics/url-classified-as-malware-but-not-sinkholed/m-p/207656#M60841 <P>Hello,</P><P>&nbsp;</P><P>Quick question for a specific URL (cia.toh.info)&nbsp; This URL is classified as malware in PAN-DB but doesn't show ip in the AV release notes as a malware site so it doesn't get sinkholed when we do a DNS lookup for that url.&nbsp; We've noticed other URLs exhibiting the same behavior.</P><P>&nbsp;</P><P>Has anyone else seen this?&nbsp; Is there a disconnect between the PAN-DB classification and the AV (sinkhole) database?</P><P>&nbsp;</P><P>Thanks.</P> Tue, 27 Mar 2018 13:02:44 GMT https://live.paloaltonetworks.com/t5/general-topics/url-classified-as-malware-but-not-sinkholed/m-p/207656#M60841 epeeler 2018-03-27T13:02:44Z https://live.paloaltonetworks.com/t5/general-topics/url-classified-as-malware-but-not-sinkholed/m-p/207670#M60843 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/8533">@epeeler</a></P><P>&nbsp;</P><P>These two sources aren't in sync completely. This domain was sinkholed with a WF update from 20160505. Some time after that the domain was removed from the dns signatures. This needs to be done over time, when it is "safe" to remove it. The list of dns signatures would simply be too big for the firewalls to handle if it would contain ALL malware domains from PAN-DB. For the dns signatures there is no cloud lookup like with PAN-DB.</P><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>: Do you agree?</P><P>&nbsp;</P><P>Regards,</P><P>Remo</P> Tue, 27 Mar 2018 13:33:54 GMT https://live.paloaltonetworks.com/t5/general-topics/url-classified-as-malware-but-not-sinkholed/m-p/207670#M60843 Remo 2018-03-27T13:33:54Z