Our 3020 PA got updated with new AV definitions this morning. Since then it is marking all Flash as Virus/Win32.generic and dropping it for all users. But we are not getting any complaints from end users. We tried some sites with Flash content and had no problem playing Flash video. It appears the firewall is not really denying it, but logs it as denied. Has anybody seen this behavior, and what are you doing about it? It is filling up my SIEM and generating false alerts.
If "deny" is seen in the threat log, it means the firewall is blocking something. Does it happen with all Flash files?
If you know which Flash file it's happening with, I would suggest opening a TAC case for a "False Positive" check.
I have seen a lot of Flash advertisements being flagged as viruses since last week, but blocking those advertisements will not prevent your users from visiting otherwise regular websites. That is the reason why nobody complained.
I am seeing this too.
We currently have a CPU usage of 44% and a dataplane usage at 66%.
This has been on the logs for the last hr. I called support and opened a ticket, but the agent said we weren't being hacked, and that it was due to a high level of traffic.
Last hour traffic is web-browsing and flash. Both are high.
I am seeing the same traffic here as well. However, I correlated it to the URL logs and it seems to be for advertisements. With the recent Flash vulnerability out there, it wouldn't surprise me that these are 'drive by' downloads trying to happen. If the users are not complaining, it's all good in my world.
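As an added example (not code from any poster or from Palo Alto Networks), here is a small triage script that does the correlation this reply describes: it joins threat log entries to URL log entries on session id and marks Virus/Win32.generic hits on Flash objects in the advertising category as likely false positives when the installed AV release is the one the thread reports as affected (R1470, fixed in R1471). The log lines and the seven-field layout are constructed and simplified for the example; they are not the real PAN-OS log format.

```python
import csv
from io import StringIO

# Constructed, simplified log samples (not real PAN-OS output). Field layout:
# time,type,src,dst,session_id,value,extra   (value = threat name or URL;
# extra = action for threat entries, URL category for URL entries)
THREAT_LOG = """\
2015-01-27 09:12:01,threat,10.1.1.5,203.0.113.10,44123,Virus/Win32.generic,deny
2015-01-27 09:12:03,threat,10.1.1.9,203.0.113.22,44130,Virus/Win32.generic,deny
2015-01-27 09:12:07,threat,10.1.1.7,198.51.100.8,44141,Virus/Win32.generic,deny
2015-01-27 09:12:09,threat,10.1.1.8,198.51.100.9,44150,Virus/Win32.generic,deny
"""
URL_LOG = """\
2015-01-27 09:12:01,url,10.1.1.5,203.0.113.10,44123,ads.adnet.test/banner.swf,advertising
2015-01-27 09:12:03,url,10.1.1.9,203.0.113.22,44130,cdn.ads.test/promo.swf,advertising
2015-01-27 09:12:07,url,10.1.1.7,198.51.100.8,44141,media.site.test/video.swf,streaming-media
"""
FIELDS = ["time", "type", "src", "dst", "session", "value", "extra"]
# AV release the thread reports as producing the Flash false positives
KNOWN_FALSE_POSITIVE_AV = {"1470"}

def parse_log(text):
    """Parse the simplified CSV lines into dicts keyed by session id."""
    rows = csv.DictReader(StringIO(text), fieldnames=FIELDS)
    return {r["session"]: r for r in rows}

def triage(threat_text, url_text, av_version):
    """Join threat entries to URL entries on session id and classify each hit."""
    urls = parse_log(url_text)
    results = []
    for sid, t in parse_log(threat_text).items():
        u = urls.get(sid)
        verdict = "alert"  # default: treat as a real detection
        if t["value"] == "Virus/Win32.generic" and av_version in KNOWN_FALSE_POSITIVE_AV:
            if u is None:
                verdict = "review: no URL entry for session"
            elif u["value"].endswith(".swf") and u["extra"] == "advertising":
                verdict = "likely false positive: Flash ad under AV R" + av_version
            else:
                verdict = "review: Flash object outside ad category"
        results.append({"session": sid, "src": t["src"],
                        "url": u["value"] if u else None, "verdict": verdict})
    return results

def summarize(results):
    """Count hits per verdict, e.g. to decide whether a SIEM suppression is warranted."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts

if __name__ == "__main__":
    for r in triage(THREAT_LOG, URL_LOG, "1470"):
        print(r)
```

Once the AV release is no longer in the affected set, every hit falls back to a plain alert, so the suppression switches itself off after the R1471 update.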
Could you please let us know the AV release version currently installed on your PAN firewall. You may share the CLI output of >show system info.
There is a bug open for a similar issue and it has been resolved in AV release 1471.
Hope this helps.
I can confirm this. With R1470 we've seen thousands of logged virus threats within one day on our new PA 3050. Today with R1471 everything is fine again.
For us as a brand new customer this was quite surprising.
We're seeing a lot of Flash stuff logged but nothing like "everything" so how sure is anyone that these really are false positives vs. true malware?
I really do wish the Palo Alto could log the URL as part of threat log and email report.