topic Virus/Win32.WGeneric.akrgog in General Topics

Virus/Win32.WGeneric.akrgog

hedery_hl — Wed, 08 Jul 2020 21:32:41 GMT

Hello,

I'm getting a Threat Detection - Virus/malware identified by the name "Virus/Win32.WGeneric.akrgog" when a user tries to open a particular PDF file. When looking at the Threat log I can see the PDF file being blocked and identified as a 'Virus.' In the same session, I can also see additional files with the extension .aspx being allowed. I think it's a false positive, but I'm not able to confirm this. I ran the hash value of the PDF file on Virus Total, and it did not find a match. I know that I can put an exception on the signature and allow the file, but I wanted to see if anyone has a better way to go about this.

Thank you.

Re: Virus/Win32.WGeneric.akrgog

BPry — Thu, 09 Jul 2020 04:17:40 GMT

@hedery_hl,

If you can verify that the PDF isn't malicious it's likely just a false positive on the threat signature, which isn't that uncommon. You'll either need to create an exception for the traffic once you've verified it isn't a threat, or open a case with TAC and see if the signature doesn't need to be tuned a bit since it was just released at the tale end of June.

Re: Virus/Win32.WGeneric.akrgog

Retired Member — Thu, 09 Jul 2020 08:45:50 GMT

Hello @hedery_hl,

I have taken a look at "Virus/Win32.WGeneric.akrgog" in the PANW Threat Vault and cross-checked the SHA256s in the VirusTotal - only 2/10 were identified as malicious and with low detection rates (7/61, 9/62):

https://www.virustotal.com/gui/file/7903b51a0840b64c00f6a39ab3e9b4b1a4880a46bc0bdca8b3bba4abf3392def/

https://www.virustotal.com/gui/file/85b51b37e403a7e760b146f26f63f1774b5a041b533b152bb6781e596c4e546a/

By no means should you trust this file to be safe based only on VirusTotal.

I can recommend, if possible, uploading it into sandbox solution to get a bigger picture.

Is this file publicly available? Could you possible share the URL or, at least, SHA256?

@BPry have you seen a lot of FPs on AV/WF signatures?

Re: Virus/Win32.WGeneric.akrgog

BPry — Thu, 09 Jul 2020 14:23:00 GMT

@Retired Member,

It's not uncommon for me to see a few false positive signatures a month across all environments. They usually get tuned relatively quickly however as people report issues with the signatures once they've been introduced so its not that big of an issue for me personally.

Re: Virus/Win32.WGeneric.akrgog

hedery_hl — Fri, 10 Jul 2020 19:09:18 GMT

Thank you for cross checking the hash on Virus Total. Unfortunelty the file is confidential and cannot be shared outside my organization.

I'm curious about the Sandbox option you mentioned, is this is Palo Alto service?

To answer you question, it is not very common that I experience False positives.

Re: Virus/Win32.WGeneric.akrgog

Retired Member — Mon, 13 Jul 2020 09:15:55 GMT

@hedery_hl,

Yes, PANW has a dedicated sandbox service - https://www.paloaltonetworks.com/products/secure-the-network/wildfire; it can be integrated with PA firewall, used directly through WidlFire Portal (https://wildfire.paloaltonetworks.com/wildfire/dashboard) or brought on-premise as a dedicated WF-500 Appliance (https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/hardware/wf-500/wf-500-hardware-reference-guide.pdf).