Someone shared a link with me to a new startup company and I found it had been blocked and listed as malware by a PAN FW -- I am curious if there is a way to determine exactly what occurred that made that site categorized as malware -- and how I can lookup other URL's reason for categorization -- if available.
Are you using Bright cloud or Pan db for URL categorization?
ou can manually verify the category of any URL by entering it on the following web page:
If you do not agree with the categorization of an individual URL/website you can submit a recategorization request on this page:
You can also clear the Url cache using below command
>clear url-cache url www.xyz.com
Also please check the below document for your reference.
Thanks, I am specifically looking for the reason why a URL was chosen to be categorized as malware -- for example xyz.com is malware because software hosted on site was found to be distributing malware for command and control or Cryptolocker...
I dont think we can provide data on the classification history or how classification happens on the back-end.
If a website was mis-categorized and the best way to find out is look at what other vendors say about it.
You can go to www.virustotal.com and find out what vendors like Kaspersky. Fortinet , BitDefender etc say about the website.
If a majority of vendors classify the website as benign but PAN-DB does not , that means we mis-categorized it. At that point you could submit a request.
To add some color to rsriramoju's statement, we don't supply specific details most of the time because that is part of our detection algorithm.
Generally speaking, a domain is categorized as malware when there are malicious files hosted at the domain, a piece of malware makes calls to that domain, or similar actions.
More times than not I've seen a malicious file hosted on a compromised server on the domain. It could be a legitimate domain, but due to some unpatched (or zero-day) vulnerability, a malicious actor has planted malware on a directory reachable publicly. Incidentally, it's also why reputation-based systems can fail to protect you.
If you own the domain and have a Palo Alto Networks support contract, you can open a support ticket to uncover more specifics.
If you go to www.virustotal.com you can look up a url and it will have a date saying when it was last scanned and its rating against AV clients. This does not give you the reasons for its categorization nor is it inline with PA's categorization but sometimes can be beneficial when trying to understand a timeline.
Thanks, everything in virus total said it was clean --> www.neucoin.org.
however PAN marks as Malware -- I have personal no evidence supporting it being malware or clean which is why I wanted to see reasoning from PAN.
is there a way to follow up with PAN to determine reasoning? I do not want to submit a re categorization because I do not know that it is clean.
Yes it must have just changed within past day or two as my logs in PA show it as Malware on 05-04-2015 at 11:37 est.
however, I'm still curious as to why it was listed as malware for a brief period of time :-)
The web site could have been hosting malware (thus being categorized as malware). If the site administrator was informed and then removed the malware and patched their server to prevent further malware being placed on the server. The site then get a re-categorization request and since the malware is not there anymore it gets classified as it normally should be. This is how I expect it works. Hope this helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!