https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12518#M9167 <HTML><HEAD></HEAD><BODY><P><SPAN class="j-post-author"><STRONG><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="-1" data-externalid="" data-presence="null" data-userid="27408" data-username="cblackmore" href="https://live.paloaltonetworks.com/people/cblackmore">cblackmore</A> </STRONG></SPAN>,</P><P></P><P>Thanks for the response on the process.&nbsp; This is the response I was looking for ultimately from PA.&nbsp; I do have one question then.&nbsp; </P><P></P><P>If the threat vault vm verdict is not the correct procedure to determine a files status, what is the procedure we should use to verify a files status in Wildfire?</P></BODY></HTML> Thu, 10 Jul 2014 11:51:08 GMT pulukas 2014-07-10T11:51:08Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12494#M9143 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>Do you have any information about PAN detection capability for the Havex malware family: <A href="http://www.f-secure.com/weblog/archives/00002718.html" title="http://www.f-secure.com/weblog/archives/00002718.html">http://www.f-secure.com/weblog/archives/00002718.html</A></P><P></P><P>Threat vault seems to produce no hits at the moment. </P><P></P><P>Tuomo</P></BODY></HTML> Tue, 24 Jun 2014 10:47:34 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12494#M9143 Tuomo 2014-06-24T10:47:34Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12495#M9144 <HTML><HEAD></HEAD><BODY><P>I would like more information on this too.</P><P></P><P>Nick</P></BODY></HTML> Fri, 27 Jun 2014 08:51:35 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12495#M9144 ITInfraNL 2014-06-27T08:51:35Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12496#M9145 <HTML><HEAD></HEAD><BODY><P>This is not showing up yet in the threat vault as an existing update for PA.</P><P></P><P><A href="https://threatvault.paloaltonetworks.com/" title="https://threatvault.paloaltonetworks.com/">https://threatvault.paloaltonetworks.com/</A></P><P></P><P>You can open a ticket with support to get a more specific update.</P></BODY></HTML> Sat, 28 Jun 2014 00:10:50 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12496#M9145 pulukas 2014-06-28T00:10:50Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12497#M9146 <HTML><HEAD></HEAD><BODY><P>Did you got some more information about havex/oldrea malware coverage in the threat signatures unitl now?</P><P></P><P>Andy</P></BODY></HTML> Wed, 02 Jul 2014 05:36:37 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12497#M9146 PANUser-1234 2014-07-02T05:36:37Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12498#M9147 <HTML><HEAD></HEAD><BODY><P>Any update from PA?</P></BODY></HTML> Wed, 02 Jul 2014 07:25:20 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12498#M9147 LCMember2327 2014-07-02T07:25:20Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12499#M9148 <HTML><HEAD></HEAD><BODY><P>While we wait for Palo Alto to wake up; please have a look at these:</P><P></P><P><A href="http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat" title="http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat">http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat</A></P><P><A href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" title="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf">http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf</A></P><P></P><P>-=Tommy=-</P></BODY></HTML> Wed, 02 Jul 2014 07:41:53 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12499#M9148 Dulle 2014-07-02T07:41:53Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12500#M9149 <HTML><HEAD></HEAD><BODY><P>If this is a critical vulnerability to you, I would open a ticket. This will get the signature escalated internally.</P><P></P><P>You can't expect an official update from PA here.&nbsp; These are just user to user support forums.&nbsp; We are lucky that many PA employees spend a great deal of time here.&nbsp; But official support is still via tickets to the support portal.</P></BODY></HTML> Wed, 02 Jul 2014 11:17:41 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12500#M9149 pulukas 2014-07-02T11:17:41Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12501#M9150 <HTML><HEAD></HEAD><BODY><P>But we have.....</P></BODY></HTML> Wed, 02 Jul 2014 11:35:39 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12501#M9150 Dulle 2014-07-02T11:35:39Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12502#M9151 <HTML><HEAD></HEAD><BODY><P>Looks like Havex made it into the ThreatVault:</P><P></P><P><A href="https://threatvault.paloaltonetworks.com/Home/VirusDetail/2889719" title="https://threatvault.paloaltonetworks.com/Home/VirusDetail/2889719">https://threatvault.paloaltonetworks.com/Home/VirusDetail/2889719</A></P></BODY></HTML> Wed, 02 Jul 2014 11:46:27 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12502#M9151 ericgearhart 2014-07-02T11:46:27Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12503#M9152 <HTML><HEAD></HEAD><BODY><P>Interestingly enough if you click on the hash links, PA's own WildFire flags it as benign! Hmph. :smileyplain:</P></BODY></HTML> Wed, 02 Jul 2014 11:47:49 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12503#M9152 ericgearhart 2014-07-02T11:47:49Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12504#M9153 <HTML><HEAD></HEAD><BODY><P>I guess that is just a one way conversation, wildfire pushes signatures to threats but not back the other way.</P><P></P><P>They did just add this because I checked before posting this morning earlier and it wasn't there yet.</P></BODY></HTML> Wed, 02 Jul 2014 11:51:26 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12504#M9153 pulukas 2014-07-02T11:51:26Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12505#M9154 <HTML><HEAD></HEAD><BODY><P>We uploaded a sample of havex to Wildfire ca June 20th - problem is they don't check it on Acrobat reader 10.x....<BR />PAN also need to update their Virtual machines...</P></BODY></HTML> Wed, 02 Jul 2014 11:54:21 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12505#M9154 pivvre 2014-07-02T11:54:21Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12506#M9155 <HTML><HEAD></HEAD><BODY><P>Hello All,</P><P></P><P>We have coverage for Havex malware.</P><P>Please upgrade to latest Anti virus version released today.</P><P></P><P>Regards,</P><P>Hari Yadavalli</P></BODY></HTML> Wed, 02 Jul 2014 15:05:18 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12506#M9155 hyadavalli 2014-07-02T15:05:18Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12507#M9156 <HTML><HEAD></HEAD><BODY><P>Does WildFire flag a sample as malicious yet :smileylaugh:</P></BODY></HTML> Wed, 02 Jul 2014 15:25:00 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12507#M9156 ericgearhart 2014-07-02T15:25:00Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12508#M9157 <HTML><HEAD></HEAD><BODY><P>Based on the SHA provided in initial comment I see wildfire reported as malicious</P></BODY></HTML> Wed, 02 Jul 2014 15:49:28 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12508#M9157 hyadavalli 2014-07-02T15:49:28Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12509#M9158 <HTML><HEAD></HEAD><BODY><P><IMG alt="benign.png" class="image-0 jive-image" height="711" src="https://live.paloaltonetworks.com/legacyfs/online/14239_benign.png" style="height: 711px; width: 1044.6px;" width="1045" /></P></BODY></HTML> Wed, 02 Jul 2014 16:04:42 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12509#M9158 ericgearhart 2014-07-02T16:04:42Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12510#M9159 <HTML><HEAD></HEAD><BODY><P>I only see one SHA reported as malware and rest as benign.</P><P>Please open a case with palo alto support and they'll address the issue with wildfire.</P></BODY></HTML> Wed, 02 Jul 2014 16:54:55 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12510#M9159 hyadavalli 2014-07-02T16:54:55Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12511#M9160 <HTML><HEAD></HEAD><BODY><P>I don't have a sample of the malware, I'm just "stirring the pot" to be honest</P></BODY></HTML> Wed, 02 Jul 2014 16:56:57 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12511#M9160 ericgearhart 2014-07-02T16:56:57Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12512#M9161 <HTML><HEAD></HEAD><BODY><P>Interesting info in Brightclouds Webinar on Dragonfly/havex right now,</P><P>I asked if there has been any information exchange between Symantec (which has a lot of information - and protect users - on Dragonfly/havex) and Paloalto. They said the did info ex with a lot of company, but not PAN - why not?</P></BODY></HTML> Thu, 03 Jul 2014 09:42:31 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12512#M9161 pivvre 2014-07-03T09:42:31Z https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12513#M9162 <HTML><HEAD></HEAD><BODY><P><SPAN class="j-post-author"><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="1643" data-externalid="" data-presence="null" data-userid="16909" data-username="hyadavalli" href="https://live.paloaltonetworks.com/people/hyadavalli">hyadavalli,</A></SPAN></P><P><SPAN class="j-post-author"><BR /></SPAN></P><P><SPAN class="j-post-author">Based on your responses here, I assume you work for PA.&nbsp; Can you explain what happens with new signatures like this against the existing file database that was deemed benign?</SPAN></P><P><SPAN class="j-post-author"><BR /></SPAN></P><P><SPAN class="j-post-author"> Some of these "benign" files will be previously unknown viruses like Havex.&nbsp; Does Wildfire check them again against new signatures?</SPAN></P><P><SPAN class="j-post-author">If a previously flagged benign file is uploaded again, is this automatically benign from the previous verdict?</SPAN></P><P><SPAN class="j-post-author">In short, how does PA clean up the hash database to be sure the new viruses are successfully identified?<BR /></SPAN></P></BODY></HTML> Fri, 04 Jul 2014 10:44:18 GMT https://live.paloaltonetworks.com/t5/general-topics/havex-malware/m-p/12513#M9162 pulukas 2014-07-04T10:44:18Z