topic Virus: use of the packet capture in General Topics

Virus: use of the packet capture

LoopSupport — Thu, 09 Dec 2010 00:00:01 GMT

Hi,

I wanted to know what you usually do when you see a Virus detected on the PA.

How do you check that it is not a false positive?

Do you use the packet capture in the case of a virus?

Does the name/id of the Virus help you to find more details on the web?

Thanks

Re: Virus: use of the packet capture

odaos — Fri, 10 Dec 2010 16:37:27 GMT

Hello,

To check if it is false positive, you will need to open a case with support and provide them the virus/threat information and also if possible a sample pcap.

Re: Virus: use of the packet capture

spolo — Thu, 03 Feb 2011 07:11:53 GMT

Hi LoopSupport,

You can use pcaps in the case of a virus, and the name and threat ID may help you find more detailed data generally on the internet. There are plenty of sites out there that have research data on viruses. The threat ID's may not always match though, and there are quite often variants of different viruses, so it may or may not help you with internet research in the end. As far as false positives, viruses are much more rare as false positives. It's not impossible, but it's far more rare than say, IPS signature false positives. If you're suspicious of a false positive virus detection, the PAN support team can help here. The PAN threat team has been presented cases in the past where a customer suspected a false positive, and in the end it turned out to be a true virus. This was determined by doing packet captures of the anomalous behavior and examination by the PAN threat team. Also don't forget that if you do come across a false positive, you always have the ability to create exceptions in your antivirus profile.

Hope this helps!