Malicious flash/swf with zws compression detected only with PAN-OS 7.1+
Symptom
Why are some antivirus/WildFire signatures for malicious Flash/SWF files only detected with a firewall running PAN-OS 7.1 or later? Firewalls running earlier PAN-OS versions do not detect the same file even though the correct antivirus/WildFire content is installed and the appropriate antivirus profile is configured.
Environment
- NGFW
- PAN-OS
Cause
Some malicious SWF Flash files use LZMA compression (signalled by the "ZWS" signature at the start of the file, as opposed to "FWS" for uncompressed and "CWS" for zlib-compressed SWF). Firewalls must be running PAN-OS 7.1 or later to support inspection of, and protection against, this type of SWF file.
Resolution
To check whether an antivirus signature corresponds to a malicious SWF ZWS file:
- In PAN-OS 7.1, the threat ID is in the range 6,000,000 to 6,000,500 or 6,200,000 to 6,200,500.
- In PAN-OS 8.0 or later, first look up the signature's file hash at https://threatvault.paloaltonetworks.com (a valid support login account is required) by searching by threat name or unique threat ID. Then do a second search using that file hash and note the file type, i.e., whether it is SWF ZWS.
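To confirm locally whether a sample is an LZMA-compressed (ZWS) SWF, for instance before cross-checking it in Threat Vault, the following added Python example (not from this article or from Palo Alto Networks) parses the SWF file header; the sample headers embedded below are constructed for illustration, not real malware.

```python
import struct

# SWF signature bytes: "FWS" uncompressed, "CWS" zlib, "ZWS" LZMA.
SWF_COMPRESSION = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data: bytes) -> dict:
    """Return signature, version, declared uncompressed length and
    compression type from the first bytes of a file.
    Raises ValueError if the bytes are not a SWF header."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF header")
    sig = data[:3]
    if sig not in SWF_COMPRESSION:
        raise ValueError("not a SWF file")
    # Byte 3 is the SWF version; bytes 4..7 are the little-endian
    # uint32 length of the fully uncompressed file.
    (uncompressed_len,) = struct.unpack_from("<I", data, 4)
    info = {
        "signature": sig.decode("ascii"),
        "version": data[3],
        "uncompressed_length": uncompressed_len,
        "compression": SWF_COMPRESSION[sig],
    }
    if sig == b"ZWS":
        # ZWS adds a uint32 compressed length and 5 LZMA property bytes
        # before the compressed body.
        if len(data) < 17:
            raise ValueError("truncated ZWS header")
        (compressed_len,) = struct.unpack_from("<I", data, 8)
        info["compressed_length"] = compressed_len
        info["lzma_properties"] = data[12:17].hex()
    return info


def is_zws(data: bytes) -> bool:
    """True only for a well-formed LZMA (ZWS) SWF header."""
    try:
        return parse_swf_header(data)["compression"] == "lzma"
    except ValueError:
        return False


# Constructed sample headers (hypothetical, not real files).
SAMPLE_ZWS = (b"ZWS" + bytes([13]) + struct.pack("<I", 1024)
              + struct.pack("<I", 200) + bytes.fromhex("5d00008000")
              + b"\x00" * 8)
SAMPLE_CWS = b"CWS" + bytes([10]) + struct.pack("<I", 512) + b"\x78\x9c"
```

Run `parse_swf_header(open(path, "rb").read(32))` on a quarantined sample to get the same file-type answer that the Threat Vault hash search gives.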