https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8242#M6088 <HTML><HEAD></HEAD><BODY><P>Hi Fred,</P><P></P><P>End user has no access to signatures. "ZeroAccess" is a category where Trojan Horse hides itself. PANW can verify each exe if proper policies are applied. And can detect Trojan hourse.</P><P></P><P>Provide me more specific detail query on "ZeroAccess Alert".</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 19 Mar 2015 20:22:20 GMT hshah 2015-03-19T20:22:20Z https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8240#M6086 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I am new to this website, so I apologize if this is in the wrong location.</P><P></P><P>Can someone clarify for me what the ZeroAccess alert in the Palo Alto is triggering upon? How do I review the signature?</P><P></P><P>Thank you for you assistance.</P></BODY></HTML> Thu, 19 Mar 2015 19:49:58 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8240#M6086 Fred_Zierold 2015-03-19T19:49:58Z https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8241#M6087 <HTML><HEAD></HEAD><BODY><P>Depending on which ID it is giving you, you can look in the threat vault for a description:</P><P><A href="https://threatvault.paloaltonetworks.com/" title="https://threatvault.paloaltonetworks.com/">https://threatvault.paloaltonetworks.com/</A></P><P></P><P>For example, here is a listing for the first ID (13298):</P><P><A href="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13298" title="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13298">https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13298</A></P></BODY></HTML> Thu, 19 Mar 2015 20:06:41 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8241#M6087 Dz3015 2015-03-19T20:06:41Z https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8242#M6088 <HTML><HEAD></HEAD><BODY><P>Hi Fred,</P><P></P><P>End user has no access to signatures. "ZeroAccess" is a category where Trojan Horse hides itself. PANW can verify each exe if proper policies are applied. And can detect Trojan hourse.</P><P></P><P>Provide me more specific detail query on "ZeroAccess Alert".</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 19 Mar 2015 20:22:20 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8242#M6088 hshah 2015-03-19T20:22:20Z https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8243#M6089 <HTML><HEAD></HEAD><BODY><P>This is the alert we are seeing.&nbsp;&nbsp; I just want a better idea what it is triggering on.&nbsp; We had another system which gave us many many false positive ZeroAccess alerts.&nbsp; Before I start pulling computers for malware analysis, I want to find out what is causing this to trigger.</P><P></P><P>Thanks.</P><P></P><P></P><TABLE border="0" cellpadding="0" cellspacing="0" class="retro"><TBODY><TR><TD class="retro" width="180">Name:</TD><TD class="retro-value">ZeroAccess.Gen Command and Control Traffic</TD></TR><TR><TD class="retro" width="180">ID:</TD><TD class="retro-value">13235</TD></TR><TR><TD class="retro">Description:</TD><TD class="retro-value">&nbsp; This signature detects ZeroAccess.Gen Command and Control Traffic.&nbsp; </TD></TR></TBODY></TABLE><P></P></BODY></HTML> Mon, 23 Mar 2015 17:06:54 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8243#M6089 Fred_Zierold 2015-03-23T17:06:54Z https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8244#M6090 <HTML><HEAD></HEAD><BODY><P>Hi Fred,</P><P></P><P>System is under botnet attach, please refer following link.</P><P><A href="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13235" title="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13235">https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13235</A></P><P></P><P>Let me know for additional query.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 23 Mar 2015 17:13:32 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8244#M6090 hshah 2015-03-23T17:13:32Z https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8245#M6091 <HTML><HEAD></HEAD><BODY><P>Hi Fred,</P><P></P><P>13235 is a generic botnet detector. It is typically triggered with requests to known Command &amp; Control (C&amp;C) servers, hostnames, or IPs.&nbsp; Please find more information.</P><P><A class="jive-link-external-small" href="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13235" rel="nofollow" style="font-weight: inherit; font-style: inherit; font-family: inherit; color: #006595;">https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13235</A></P><P></P><P>A full AV scan of the affected machine would likely show results, as long as any associated malware has not disabled the AV scanner. </P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 23 Mar 2015 17:17:04 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8245#M6091 hshah 2015-03-23T17:17:04Z https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8246#M6092 <HTML><HEAD></HEAD><BODY><P>I think this is a false positive.&nbsp; I just spoke with the person whose computer this is and it was reimaged for zeroaccess over a month ago.&nbsp; Yet the alerts are continuing.</P><P></P><P>I spoke with the original analyst on the case and he feels this alert is generating alerts on inbound traffic.&nbsp; The Palo Alto screen shows that our computer is attacking, however upon packet review the inbound traffic is causing the alert.</P><P></P><P>Hshah do you work for PA?</P></BODY></HTML> Mon, 23 Mar 2015 17:59:50 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8246#M6092 Fred_Zierold 2015-03-23T17:59:50Z https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8247#M6093 <HTML><HEAD></HEAD><BODY><P>Hi Fred,</P><P></P><P>In Threat log direction should be "server-to-client", if yes. Than it means attacker is on internet.</P><P></P><P>If you think its a false positive, than you might want to create exception for that. Let me know if you need any help with that.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 23 Mar 2015 18:12:01 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8247#M6093 hshah 2015-03-23T18:12:01Z https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8248#M6094 <HTML><HEAD></HEAD><BODY><P>Fred, </P><P></P><P>sounds right.&nbsp; Perhaps the system is still on client lists for the C&amp;C servers so they are still attempting to communicate.&nbsp; Does that system have it's own public IP?</P></BODY></HTML> Mon, 23 Mar 2015 19:06:54 GMT https://live.paloaltonetworks.com/t5/general-topics/zero-access-question/m-p/8248#M6094 Dz3015 2015-03-23T19:06:54Z