Malicious flash/swf with zws compression detected only with PAN-OS 7.1+

Created On 09/25/18 19:30 PM - Last Modified 06/07/23 20:22 PM


Symptom


Why are some antivirus/WildFire signatures for malicious Flash/SWF files only detected on firewalls running PAN-OS 7.1 or later? Firewalls on earlier PAN-OS releases do not detect the same file even though the correct antivirus/WildFire content is installed and the appropriate antivirus profile is configured.




Environment


  • NGFW
  • PAN-OS


Cause


Some malicious SWF (Flash) files use LZMA compression, identified by the ZWS signature in the file header. Firewalls must be running PAN-OS 7.1 or later to support inspection of, and protection against, this type of SWF file.


https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes/pan-os-7-1-release-information/content-inspection-features



Resolution


To check whether an antivirus signature corresponds to a malicious SWF ZWS file:


- In PAN-OS 7.1, the threat ID is in the range 6,000,000 to 6,000,500 or 6,200,000 to 6,200,500.

- In PAN-OS 8.0 or later, first look up the signature's file hash in Threat Vault at https://threatvault.paloaltonetworks.com (a valid support login account is required) by searching for either the threat name or the unique threat ID. Then search again using that file hash and note the file type, i.e. whether it is SWF ZWS.
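As an added illustration (not part of the original article or of any Palo Alto Networks tool), the following Python script identifies the SWF container type from a file's header, since the ZWS signature marks the LZMA-compressed files this article concerns, and checks a threat ID against the PAN-OS 7.1 ranges listed above. The sample headers are constructed for the example and are not real samples.

```python
import struct

# SWF header signature -> compression scheme, as defined by the SWF file format
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data: bytes):
    """Identify the SWF container type from the first bytes of a file.

    Returns a dict with the compression scheme, SWF version and declared
    uncompressed length, or None if the data does not look like an SWF file.
    """
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    scheme = SWF_SIGNATURES[data[:3]]
    version = data[3]
    uncompressed_len = struct.unpack("<I", data[4:8])[0]
    info = {"scheme": scheme, "version": version, "uncompressed_len": uncompressed_len}
    if scheme == "lzma":
        # ZWS adds a 4-byte compressed length and 5 bytes of LZMA properties
        # after the common 8-byte header; anything shorter is truncated.
        if len(data) < 17:
            return None
        info["compressed_len"] = struct.unpack("<I", data[8:12])[0]
        info["lzma_props"] = data[12:17]
    return info


def requires_panos_71(data: bytes) -> bool:
    """True when the file is a ZWS (LZMA) SWF, i.e. only inspected by PAN-OS 7.1+."""
    info = parse_swf_header(data)
    return info is not None and info["scheme"] == "lzma"


def is_swf_zws_threat_id(threat_id: int) -> bool:
    """PAN-OS 7.1 threat ID ranges the article gives for SWF ZWS signatures."""
    return 6_000_000 <= threat_id <= 6_000_500 or 6_200_000 <= threat_id <= 6_200_500


# Constructed sample headers (not real malware): a ZWS, a CWS and a non-SWF file.
SAMPLE_ZWS = (b"ZWS" + bytes([13]) + struct.pack("<I", 4096)
              + struct.pack("<I", 1200) + b"\x5d\x00\x00\x10\x00" + b"\x00" * 4)
SAMPLE_CWS = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 4
SAMPLE_PDF = b"%PDF-1.7\n"

if __name__ == "__main__":
    for name, blob in [("zws", SAMPLE_ZWS), ("cws", SAMPLE_CWS), ("pdf", SAMPLE_PDF)]:
        print(name, parse_swf_header(blob), "needs 7.1+:", requires_panos_71(blob))
```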

[Figure: PAN_Threat_Vault.png, screenshot of the Threat Vault search results]


