topic Re: Threat False Positives? in General Topics

Threat False Positives?

OGMaverick — Wed, 10 Oct 2018 12:08:33 GMT

Our threat logs are full of 'Fallout Exploit Kit Detection' this morning from many of our networks, although no actul issues have been found.

Re: Threat False Positives?

bbilut — Wed, 10 Oct 2018 13:17:12 GMT

Same here...I installed 8077 this morning when I get in after reading the email and I'm getting Fallout alerts like crazy. I don't have as many as you, but people just starting coming in.

Re: Threat False Positives?

BPry — Wed, 10 Oct 2018 13:39:43 GMT

@bbilut @OGMaverick,

For the time being I would recommend rolling this back to 8076. The Fallout siganture has actually been around since 8074, but whatever modification PA has done to the signature is a tad to broad at the moment.

Re: Threat False Positives?

bbilut — Wed, 10 Oct 2018 14:05:42 GMT

I'm rolling back to 8076 and I'll report back what happens. I was getting a detection about every minute or multiple per minute with 8077.

Edit: 8076 seems to have stopped the mass amount of alerts.

Re: Threat False Positives?

OtakarKlier — Wed, 10 Oct 2018 14:00:56 GMT

Hello,

Looks like this was the emergency update that came out last night:

I usually set my dynamic updates with a threshold that will allow the updates to bake since they have released bum updates in the past. I understand there are some environments where this is not possible.

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/best-practices-for-content-and-threat-content-updates.html

Regards,

Re: Threat False Positives?

pkowalewski — Wed, 10 Oct 2018 14:27:00 GMT

I m rolling back to 8076 - and alers from IPS disappear.

Re: Threat False Positives?

CTW1983 — Wed, 10 Oct 2018 14:32:41 GMT

Yeah, we are also getting a lot of the Threat ID 30650 events. All events seem to include a *.min.js or *.js file name.

Re: Threat False Positives?

pkowalewski — Wed, 10 Oct 2018 14:36:18 GMT

I had the same files - *.js

Re: Threat False Positives?

bbilut — Wed, 10 Oct 2018 14:36:49 GMT

I do the same... I'm usually a week behind because their updates have burnt me in the past several times. This one seemed urgent so I manually updated this morning. I guess that was a mistake.

Re: Threat False Positives?

pkowalewski — Wed, 10 Oct 2018 14:47:32 GMT

..Palo Alto - not often makes mistakes in signatures... but .... 🙂 it happend...

Re: Threat False Positives?

OtakarKlier — Wed, 10 Oct 2018 15:00:38 GMT

Agreed, no one is perfect. I usually have a 24 hour threshold on any new signatures for app/threat.

Re: Threat False Positives?

M.Eberhardt — Wed, 10 Oct 2018 16:12:01 GMT

Same here. PaloAlto 5050 with Application and Threat Version 8077-5070.

Many critical threat log entrys with name-of-threatid eq 'Fallout Exploit Kit Detection' as false-positives.

Re: Threat False Positives?

hshawn — Wed, 10 Oct 2018 16:20:35 GMT

I looked at the js files being flagged. there must be something in them that is a close match. since these are not critial .js files I am leaving the block in place for now. Has anyone reported this to PA yet?

Re: Threat False Positives?

mikebowen — Wed, 10 Oct 2018 16:39:13 GMT

I just opened a case with PA to see what they say. So far it's creating an issue for one website we use, blocking a particular js file from loading and rendering the website inoperable.

Re: Threat False Positives?

BPry — Wed, 10 Oct 2018 17:47:55 GMT

FYI,

8078 was just released that is suppose to address the issue.

Re: Threat False Positives?

JasonLavetan — Wed, 10 Oct 2018 19:06:27 GMT

8078 is working for us.

Re: Threat False Positives?

SteveRuberti — Wed, 10 Oct 2018 20:51:48 GMT

Same here getting pelted with .js alerts

Re: Threat False Positives?

pkowalewski — Thu, 11 Oct 2018 07:01:17 GMT

After instalation 8078 IPS/IDS - working fine....