https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12517#M9166 <HTML><HEAD></HEAD><BODY><P>Hi Steven -- The confusion here stems from the fact that folks are looking at threatvault2.paloaltonetworks.com rather than wildfire.paloaltonetworks.com. To be clear, the Havex samples are classified as malware, have been since June 24, and would show up with that verdict if seen on a firewall that has access to the WildFire cloud today. There <EM>absolutely</EM> is a feedback mechanism in place here.</P><P></P><P>The individual VM verdicts shown in ThreatVault (e.g. "This sample was found to be benign on this virtual machine") are an oversight on our part -- they don't always correspond to the current disposition of the sample, and weren't intended for display in ThreatVault reports. I've filed a bug to have them removed so we can avoid confusion on this issue in the future.</P></BODY></HTML> Thu, 10 Jul 2014 01:21:30 GMT cblackmore 2014-07-10T01:21:30Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12494#M9143 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>Do you have any information about PAN detection capability for the Havex malware family: <A href="http://www.f-secure.com/weblog/archives/00002718.html" title="http://www.f-secure.com/weblog/archives/00002718.html">http://www.f-secure.com/weblog/archives/00002718.html</A></P><P></P><P>Threat vault seems to produce no hits at the moment. </P><P></P><P>Tuomo</P></BODY></HTML> Tue, 24 Jun 2014 10:47:34 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12494#M9143 Tuomo 2014-06-24T10:47:34Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12495#M9144 <HTML><HEAD></HEAD><BODY><P>I would like more information on this too.</P><P></P><P>Nick</P></BODY></HTML> Fri, 27 Jun 2014 08:51:35 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12495#M9144 ITInfraNL 2014-06-27T08:51:35Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12496#M9145 <HTML><HEAD></HEAD><BODY><P>This is not showing up yet in the threat vault as an existing update for PA.</P><P></P><P><A href="https://threatvault.paloaltonetworks.com/" title="https://threatvault.paloaltonetworks.com/">https://threatvault.paloaltonetworks.com/</A></P><P></P><P>You can open a ticket with support to get a more specific update.</P></BODY></HTML> Sat, 28 Jun 2014 00:10:50 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12496#M9145 pulukas 2014-06-28T00:10:50Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12497#M9146 <HTML><HEAD></HEAD><BODY><P>Did you got some more information about havex/oldrea malware coverage in the threat signatures unitl now?</P><P></P><P>Andy</P></BODY></HTML> Wed, 02 Jul 2014 05:36:37 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12497#M9146 PANUser-1234 2014-07-02T05:36:37Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12498#M9147 <HTML><HEAD></HEAD><BODY><P>Any update from PA?</P></BODY></HTML> Wed, 02 Jul 2014 07:25:20 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12498#M9147 LCMember2327 2014-07-02T07:25:20Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12499#M9148 <HTML><HEAD></HEAD><BODY><P>While we wait for Palo Alto to wake up; please have a look at these:</P><P></P><P><A href="http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat" title="http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat">http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat</A></P><P><A href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" title="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf">http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf</A></P><P></P><P>-=Tommy=-</P></BODY></HTML> Wed, 02 Jul 2014 07:41:53 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12499#M9148 Dulle 2014-07-02T07:41:53Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12500#M9149 <HTML><HEAD></HEAD><BODY><P>If this is a critical vulnerability to you, I would open a ticket. This will get the signature escalated internally.</P><P></P><P>You can't expect an official update from PA here.&nbsp; These are just user to user support forums.&nbsp; We are lucky that many PA employees spend a great deal of time here.&nbsp; But official support is still via tickets to the support portal.</P></BODY></HTML> Wed, 02 Jul 2014 11:17:41 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12500#M9149 pulukas 2014-07-02T11:17:41Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12501#M9150 <HTML><HEAD></HEAD><BODY><P>But we have.....</P></BODY></HTML> Wed, 02 Jul 2014 11:35:39 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12501#M9150 Dulle 2014-07-02T11:35:39Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12502#M9151 <HTML><HEAD></HEAD><BODY><P>Looks like Havex made it into the ThreatVault:</P><P></P><P><A href="https://threatvault.paloaltonetworks.com/Home/VirusDetail/2889719" title="https://threatvault.paloaltonetworks.com/Home/VirusDetail/2889719">https://threatvault.paloaltonetworks.com/Home/VirusDetail/2889719</A></P></BODY></HTML> Wed, 02 Jul 2014 11:46:27 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12502#M9151 ericgearhart 2014-07-02T11:46:27Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12503#M9152 <HTML><HEAD></HEAD><BODY><P>Interestingly enough if you click on the hash links, PA's own WildFire flags it as benign! Hmph. :smileyplain:</P></BODY></HTML> Wed, 02 Jul 2014 11:47:49 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12503#M9152 ericgearhart 2014-07-02T11:47:49Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12504#M9153 <HTML><HEAD></HEAD><BODY><P>I guess that is just a one way conversation, wildfire pushes signatures to threats but not back the other way.</P><P></P><P>They did just add this because I checked before posting this morning earlier and it wasn't there yet.</P></BODY></HTML> Wed, 02 Jul 2014 11:51:26 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12504#M9153 pulukas 2014-07-02T11:51:26Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12505#M9154 <HTML><HEAD></HEAD><BODY><P>We uploaded a sample of havex to Wildfire ca June 20th - problem is they don't check it on Acrobat reader 10.x....<BR />PAN also need to update their Virtual machines...</P></BODY></HTML> Wed, 02 Jul 2014 11:54:21 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12505#M9154 pivvre 2014-07-02T11:54:21Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12506#M9155 <HTML><HEAD></HEAD><BODY><P>Hello All,</P><P></P><P>We have coverage for Havex malware.</P><P>Please upgrade to latest Anti virus version released today.</P><P></P><P>Regards,</P><P>Hari Yadavalli</P></BODY></HTML> Wed, 02 Jul 2014 15:05:18 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12506#M9155 hyadavalli 2014-07-02T15:05:18Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12507#M9156 <HTML><HEAD></HEAD><BODY><P>Does WildFire flag a sample as malicious yet :smileylaugh:</P></BODY></HTML> Wed, 02 Jul 2014 15:25:00 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12507#M9156 ericgearhart 2014-07-02T15:25:00Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12508#M9157 <HTML><HEAD></HEAD><BODY><P>Based on the SHA provided in initial comment I see wildfire reported as malicious</P></BODY></HTML> Wed, 02 Jul 2014 15:49:28 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12508#M9157 hyadavalli 2014-07-02T15:49:28Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12509#M9158 <HTML><HEAD></HEAD><BODY><P><IMG alt="benign.png" class="image-0 jive-image" height="711" src="https://live.paloaltonetworks.com/legacyfs/online/14239_benign.png" style="height: 711px; width: 1044.6px;" width="1045" /></P></BODY></HTML> Wed, 02 Jul 2014 16:04:42 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12509#M9158 ericgearhart 2014-07-02T16:04:42Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12510#M9159 <HTML><HEAD></HEAD><BODY><P>I only see one SHA reported as malware and rest as benign.</P><P>Please open a case with palo alto support and they'll address the issue with wildfire.</P></BODY></HTML> Wed, 02 Jul 2014 16:54:55 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12510#M9159 hyadavalli 2014-07-02T16:54:55Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12511#M9160 <HTML><HEAD></HEAD><BODY><P>I don't have a sample of the malware, I'm just "stirring the pot" to be honest</P></BODY></HTML> Wed, 02 Jul 2014 16:56:57 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12511#M9160 ericgearhart 2014-07-02T16:56:57Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12512#M9161 <HTML><HEAD></HEAD><BODY><P>Interesting info in Brightclouds Webinar on Dragonfly/havex right now,</P><P>I asked if there has been any information exchange between Symantec (which has a lot of information - and protect users - on Dragonfly/havex) and Paloalto. They said the did info ex with a lot of company, but not PAN - why not?</P></BODY></HTML> Thu, 03 Jul 2014 09:42:31 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12512#M9161 pivvre 2014-07-03T09:42:31Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12513#M9162 <HTML><HEAD></HEAD><BODY><P><SPAN class="j-post-author"><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="1643" data-externalid="" data-presence="null" data-userid="16909" data-username="hyadavalli" href="https://live.paloaltonetworks.com/people/hyadavalli">hyadavalli,</A></SPAN></P><P><SPAN class="j-post-author"><BR /></SPAN></P><P><SPAN class="j-post-author">Based on your responses here, I assume you work for PA.&nbsp; Can you explain what happens with new signatures like this against the existing file database that was deemed benign?</SPAN></P><P><SPAN class="j-post-author"><BR /></SPAN></P><P><SPAN class="j-post-author"> Some of these "benign" files will be previously unknown viruses like Havex.&nbsp; Does Wildfire check them again against new signatures?</SPAN></P><P><SPAN class="j-post-author">If a previously flagged benign file is uploaded again, is this automatically benign from the previous verdict?</SPAN></P><P><SPAN class="j-post-author">In short, how does PA clean up the hash database to be sure the new viruses are successfully identified?<BR /></SPAN></P></BODY></HTML> Fri, 04 Jul 2014 10:44:18 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12513#M9162 pulukas 2014-07-04T10:44:18Z