Antivirus-1470-1943

Reply
L1 Bithead

Antivirus-1470-1943

Our 3020 PA got updated with new AV definition this morning. Since then it is marking all Flash as Virus/Win32.generic and dropping it for all users. But we are not getting any complains from end users. We tried some sites with flash content and had no problem playing flash video.  It appears the firewall is not really denying it, but logs it as denied.   Has anybody see this behavior and are you doing about it?   It is filling up my SIEM and generating false alerts.

thank you

L6 Presenter

Re: Antivirus-1470-1943

Hi Awarsame,

If "deny" is seen in threat log, it means firewall is blocking something. Does it happens with all flash files ?

If know its happening with which flash file, I would suggest to open a TAC case for "False Positive" check.

Regards,

Hardik Shah

L4 Transporter

Re: Antivirus-1470-1943

Hi,

I have seen a lot of Flash advertisements being flagged as viruses since last week, but blocking those advertisements will not prevent your users from visiting otherwise regular websites. That is the reason why nobody complained.

Regards,

Benjamin Audy

L3 Networker

Re: Antivirus-1470-1943

I am seeing this too.

We currently have a CPU usage of 44% and a dataplane usage at 66%.

virus.JPG

This has been on the logs for the last hr.  I called support and opened a ticket, but the agent said we weren't being hacked, and that it was due to a high level of traffic.

Capture.JPG

Last hour traffic is web-browsing and flash.  Both are high.

Not applicable

Re: Antivirus-1470-1943

We're having the EXACT same problem.   it's possible that the 1944 update will fix this issue.  Please be sure to update your PAN

L3 Networker

Re: Antivirus-1470-1943

I am seeing the same traffic here as well. However I coorelated it to the URL logs and it seems to be for advertisements. With the recent Flash vulnerability out there, it wouldnt surprise me that these are 'drive by' downloads trying to happen. If the users are not complaining, its all good in my world.

L7 Applicator

Re: Antivirus-1470-1943

Hello Awaresame,

Could you please let us know the AV release version currently installed on your PAN firewall. You may share the CLI output of >show system info.

There is a BUG open for a similar issue and it has been resolved in av release 1471.

Hope this helps.

Thanks

Highlighted
Not applicable

Re: Antivirus-1470-1943

Hi,

I can confirm this. With R1470 we've seen thousands of logged virus threats with one day on our new PA 3050. Today with R1471 everything is fine again.

For us as brand new customer this was quite suprising :smileyconfused:

Best regards

Thomas

L4 Transporter

Re: Antivirus-1470-1943

We're seeing a lot of Flash stuff logged but nothing like "everything" so how sure is anyone that these really are false positives vs. true malware?

I really do wish the Palo Alto could log the URL as part of threat log and email report.

L3 Networker

Re: Antivirus-1470-1943

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!