What is an Antivirus Signature Collision in the case of a False Positive, and how can we deal with it?

43811
Created On 09/25/18 19:21 PM - Last Modified 09/13/23 13:44 PM


Cause


  • An Antivirus Signature Collision occurs when a signature created for one malware file, or one malware family, also triggers on benign files that are unrelated to the files the signature was written for. In other words, a benign sample contains byte patterns similar, and similarly placed, to those of the sample for which a threat signature was generated, so the benign file matches a threat signature in our database.

 


Resolution


In order to understand it a little better, here is some background information:

Where do Antivirus signatures come from?

  • The Antivirus database contains all WildFire signatures created in the previous 24 hours. WildFire signatures are collected at the close of business every day, packed into a single database, and tested to ensure they install on all of our platforms. In short, the Antivirus package is the last 24 hours of WildFire signatures, checked before distribution.

What are Antivirus signatures?

  • Antivirus signatures used by Palo Alto Networks software are a sequence of bytes that is overlaid on the file while it traverses the firewall. If those bytes match the bytes at the corresponding position in the file, the action configured in the Antivirus profile is triggered.
  • As seen in the picture below, the Antivirus tab has two action columns: Action and WildFire Action. The former determines the firewall's action when a signature from the Antivirus database matches; the latter determines the action when a signature from the WildFire database matches.

[Screenshot: Antivirus profile tab showing the Action and WildFire Action columns]

  • An Antivirus signature, in practice, is a static string representing a collection of bytes selected from a malicious file. The selection of bytes depends on a file type; signatures for PE (portable executable) are not the same as signatures used for PDF or MS Office file types. We call this a static selection because bytes are usually taken from the same position (same offset) for the same file type.
  • There are obvious reasons for selecting particular bytes for signatures, such as making sure that no bytes common to all files are included in the signature - in that case, all files would always trigger our signatures. Besides that, the choice of particular bytes is done so that polymorphic malware samples can be caught with a single signature. So, if a particular malware automatically changes portions of the file it uses, our signature would still catch it.

What are collisions?

  • As mentioned, a signature is a static string representing a collection of bytes selected from a malicious file. Sometimes this selection overlaps with the bytes at the same position in a benign file. That is what we call a signature collision. In practice collisions are rare: as a percentage of the files we see daily and the signatures we publish daily, monthly and yearly, they are minimal. They still happen, unfortunately.

How are collisions different from false positives (FP)?

  • Collisions are false positives, but false positives can have different causes.
  • False positives can be caused by Signature Collisions or by Incorrect WildFire Verdicts.
  • In the case of FP by Incorrect WildFire Verdicts, a Benign file was given an incorrect Malware verdict. An antivirus signature is produced, which ultimately blocks the Benign file.
  • In the case of FP by Signature Collisions, a Benign file was given the correct Benign verdict, but its patterns coincide with the signature previously created for an unrelated Malware sample.

How can I identify if my False Positive is due to a Signature Collision or an Incorrect WildFire Verdict?

  • The best solution is to enable Benign and Grayware WildFire reporting.
  • This way, the Antivirus threat log entry will be correlated with a WildFire Submission Log.
  • If the Antivirus block is correlated with a WildFire Submission Log indicating that the sample is Benign, then the FP is caused by a Signature Collision. For resolution, placing an Antivirus Exception is advised.
  • If the Antivirus block is correlated with a WildFire Submission Log indicating that the sample is Malware, then the FP is caused by an Incorrect WildFire Verdict. For resolution, reporting the Incorrect WildFire Verdict is advised.
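The triage above is mechanical once the two logs are side by side, so here is the decision table as a script. This is an added example, not Palo Alto Networks tooling: the log lines are constructed, the columns are simplified (a real export has many more), and joining the Antivirus threat log to the WildFire Submission log on the file's SHA-256 is an assumption, since the article only says the entries are correlated. A threat log entry with no matching submission entry is the case the first bullet addresses: without Benign and Grayware reporting enabled there is nothing to correlate against.

```python
"""Triage of Antivirus false positives by correlating the Antivirus threat log
with the WildFire Submission log. Added illustration only: sample logs are
constructed, columns are simplified, and the SHA-256 join is an assumption."""
import csv
from io import StringIO

# Constructed hashes (64 hex characters, like a SHA-256).
HASH_A, HASH_B, HASH_C = "a" * 64, "b" * 64, "c" * 64

# Constructed sample exports (not real PAN-OS log formats).
AV_THREAT_LOG = f"""\
receive_time,threat_name,threat_id,sha256,action
2023-09-13 10:02:11,Virus/Win32.WGeneric.demo1,100001,{HASH_A},reset-both
2023-09-13 10:05:40,Virus/Win32.WGeneric.demo2,100002,{HASH_B},reset-both
2023-09-13 10:09:03,Virus/Win32.WGeneric.demo3,100003,{HASH_C},reset-both
"""

# HASH_B was re-analyzed and its verdict changed; HASH_C has no entry at all,
# which is what you see when Benign and Grayware reporting is disabled.
WILDFIRE_SUBMISSION_LOG = f"""\
receive_time,sha256,verdict
2023-09-13 10:02:15,{HASH_A},benign
2023-09-13 10:05:44,{HASH_B},benign
2023-09-13 10:30:00,{HASH_B},malware
"""


def parse(text):
    return list(csv.DictReader(StringIO(text)))


def latest_verdicts(wf_rows):
    """Map sha256 -> most recent verdict; a later re-analysis wins."""
    verdicts = {}
    for row in sorted(wf_rows, key=lambda r: r["receive_time"]):
        verdicts[row["sha256"]] = row["verdict"].lower()
    return verdicts


def classify(threat, verdicts):
    """Return (cause, recommended action) for one Antivirus threat log entry
    that the administrator has already determined to be a false positive."""
    verdict = verdicts.get(threat["sha256"])
    if verdict is None:
        return ("unverified",
                "no WildFire Submission log entry; enable Benign and Grayware "
                "reporting and reproduce the download")
    # Grayware is not a malware verdict either, so it is treated like benign
    # here; the article spells out only the Benign case.
    if verdict in ("benign", "grayware"):
        return ("signature_collision",
                f"add an Antivirus exception for threat ID {threat['threat_id']}")
    if verdict == "malware":
        return ("incorrect_wildfire_verdict",
                "report the incorrect WildFire verdict for this sample")
    return ("unverified", f"unexpected verdict {verdict!r}")


def triage(av_log_text, wf_log_text):
    """threat_id -> (cause, action) for every entry in the threat log."""
    verdicts = latest_verdicts(parse(wf_log_text))
    return {t["threat_id"]: classify(t, verdicts) for t in parse(av_log_text)}


if __name__ == "__main__":
    for tid, (cause, action) in triage(AV_THREAT_LOG, WILDFIRE_SUBMISSION_LOG).items():
        print(f"{tid}: {cause} -> {action}")
```

The same logic applies to a real export once the two hash columns are mapped: every entry that resolves to a collision becomes an exception in the Antivirus profile, every incorrect verdict becomes a report, and every unverified entry means reporting was not enabled when the block happened.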
     

How do you deal with collisions?

  • For some file types, we can expand signatures with additional bytes so that the overlay is more precise; this often resolves collisions. When this is not possible, we make an educated decision based on how often the malware has been seen traversing networks and firewalls that report to AutoFocus. If we have not seen that malware recently, we disable the signature in favor of the benign file that triggered it. This is an engineering decision that weighs the benefit to end users: if the malware has not been seen recently and the benign file is required for business continuity, we disable the signature in favor of the benign file.
  • "Business continuity" is not a strict line we draw; we evaluate it case by case. Some business files that are exchanged do qualify as justified for business continuity. On the other hand, if the colliding file is, for example, a Flash-based video game, we might keep our signature despite its collision with the benign file. Also, if malware whose signature we disabled becomes active again, we will most likely re-enable the signature regardless of the collision.

 

  • One more important thing to note: while done on rare occasions, both disabling and re-enabling a signature are decided case by case, where our senior engineers evaluate business importance and the scope and degree of interruption to the end user against the potential risk of removing a signature. Such decisions are not made lightly and are made with the best interest of ALL our users in mind.
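The sections on what a signature is, why collisions happen, and how they are handled describe one mechanism, so here is a toy model of it in code. This is an added illustration, not Palo Alto Networks code: the real signature format, byte selection rules and offsets are not published in this article, the "files" are constructed byte strings a few dozen bytes long, and the file-type sniffing and the decision rule in resolve_collision are simplifications of the text, with the AutoFocus prevalence check reduced to a single malware_seen_recently flag.

```python
"""Toy model of fixed-offset antivirus signatures, signature collisions, and
the two remedies the article describes (expand the signature, or disable it).
Added illustration only; not the vendor's signature format or engine."""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Signature:
    name: str
    file_type: str   # signatures are chosen per file type (PE, PDF, ...)
    offset: int      # bytes are taken from a fixed position for that type
    pattern: bytes   # the static byte string overlaid on the file
    enabled: bool = True


def detect_type(data: bytes) -> str:
    """Toy file-type sniffing by magic number (assumed; not the real parser)."""
    if data.startswith(b"MZ"):
        return "PE"
    if data.startswith(b"%PDF"):
        return "PDF"
    return "UNKNOWN"


def matches(sig: Signature, data: bytes) -> bool:
    """A signature fires only if it is enabled, the file type matches, and the
    bytes at the fixed offset are identical to the pattern."""
    if not sig.enabled or detect_type(data) != sig.file_type:
        return False
    return data[sig.offset:sig.offset + len(sig.pattern)] == sig.pattern


def scan(data: bytes, signatures: list[Signature]) -> list[str]:
    return [s.name for s in signatures if matches(s, data)]


def make_signature(name: str, sample: bytes, offset: int, length: int) -> Signature:
    """Cut a signature out of a malware sample at a fixed offset."""
    return Signature(name, detect_type(sample), offset, sample[offset:offset + length])


def resolve_collision(sig: Signature, malware: bytes, benign: bytes, *,
                      max_extra: int = 32, malware_seen_recently: bool = False
                      ) -> tuple[Signature, str]:
    """First remedy: widen the pattern with more bytes from the original malware
    sample until the benign file no longer matches. Second remedy, when no
    width separates the two: disable the signature unless the malware is live."""
    for extra in range(1, max_extra + 1):
        pattern = malware[sig.offset:sig.offset + len(sig.pattern) + extra]
        if len(pattern) < len(sig.pattern) + extra:
            break  # ran out of malware bytes; no wider pattern exists
        wider = replace(sig, pattern=pattern)
        if matches(wider, malware) and not matches(wider, benign):
            return wider, "expanded"
    if malware_seen_recently:
        return sig, "kept"  # collision tolerated because the threat is active
    return replace(sig, enabled=False), "disabled"


# Constructed sample files: an 8-byte "header", 6 bytes the signature will be
# cut from, then a distinguishing tail.
MALWARE     = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x04\x00\x00\x00\xff\xff" + b"LOADER-STAGE2"
BENIGN_PE   = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x04\x00\x00\x00\xff\xff" + b"HELLO-WORLD.E"
BENIGN_PDF  = b"%PDF-1.4"                   + b"\x04\x00\x00\x00\xff\xff" + b"LOADER-STAGE2"
BENIGN_TWIN = MALWARE + b"-installer"  # benign file embedding the whole malware stub

# Six bytes at offset 8: enough to match the malware, but BENIGN_PE shares them.
SIG = make_signature("Trojan.Loader.Demo", MALWARE, offset=8, length=6)

if __name__ == "__main__":
    for label, data in (("malware", MALWARE), ("benign PE", BENIGN_PE),
                        ("benign PDF", BENIGN_PDF)):
        print(f"{label:10s} -> {scan(data, [SIG])}")
    fixed, how = resolve_collision(SIG, MALWARE, BENIGN_PE)
    print(how, fixed.pattern, scan(MALWARE, [fixed]), scan(BENIGN_PE, [fixed]))
    fixed, how = resolve_collision(SIG, MALWARE, BENIGN_TWIN)
    print(how, scan(MALWARE, [fixed]))
```

Three things the text states fall out of running it: the PDF carrying the same bytes never matches because signatures are per file type; adding one more byte from the original sample separates the malware from BENIGN_PE; and for BENIGN_TWIN, which contains the whole malware stub, no amount of widening helps, so the only choices are disabling the signature or accepting the collision while the malware is active.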

 

 



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWICA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail