How to Find Virus Details if Not Available in the Threat Vault

by kkondo on 06-27-2013 08:52 PM (7,875 Views)

Issue

Threat details can be found in the Palo Alto Networks Threat Vault at https://threatvault.paloaltonetworks.com/. In some cases, however, the information for a virus detected by the Palo Alto Networks firewall is not available in the Threat Vault. For example, the firewall detected the virus "JS/Trojan.blacoleref.w" (threat ID 253849):

> show threat id 253849

This signature detected JS/Trojan.blacoleref.w

medium

virus

A search in the Threat Vault does not return any information on "JS/Trojan.blacoleref.w" (threat ID 253849):


Resolution

Follow the steps below to find the details of the virus:

  1. Open a case with Palo Alto Networks Support and request the MD5 value of the sample that the signature matched. The following is an example of the MD5 value for "JS/Trojan.blacoleref.w":
    MD5: 2695576276bca0c699c865599436efeb
  2. Visit the VirusTotal site: https://www.virustotal.com/en
  3. Click "Search".
  4. Enter the MD5 value and click "Search it!"
  5. The names that each antivirus engine assigned to the file are displayed.
  6. For this example, the search results show that Microsoft detected this file as Trojan:JS/BlacoleRef.CM.
    The details of the virus can be found on the Microsoft site:
    http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3AJS%2FBlacoleRe...
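Steps 2 to 6 above can be automated. The following script is an added example, not part of this KB article and not a Palo Alto Networks or VirusTotal tool: it validates the MD5 obtained from Support, queries the VirusTotal v3 file endpoint (GET /api/v3/files/{hash}, which needs an API key read here from the assumed VT_API_KEY environment variable), and prints the detection name each engine assigned so the Microsoft name can be looked up in its encyclopedia. The embedded sample response is constructed for offline use; apart from the Microsoft verdict quoted in step 6, its vendors and names are placeholders, not real verdicts for this hash.

```python
"""Look up a file hash on VirusTotal and list per-engine detection names.

Added example (not from the original KB). Uses the VirusTotal v3 REST API;
the API key comes from the VT_API_KEY environment variable (an assumption of
this script). Without a key it runs against SAMPLE_REPORT, a constructed
response in the v3 shape, so the parsing logic can be exercised offline.
"""
import json
import os
import re
import urllib.request
from typing import Dict, Optional

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{}"
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def is_md5(value: str) -> bool:
    """True when `value` is a 32-character hex string, i.e. an MD5 digest."""
    return bool(MD5_RE.match(value.strip()))


def fetch_report(md5: str, api_key: str) -> dict:
    """Query the VirusTotal v3 file endpoint for `md5` and return the JSON body."""
    if not is_md5(md5):
        raise ValueError(f"not an MD5 hash: {md5!r}")
    req = urllib.request.Request(VT_FILES_URL.format(md5.lower()),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def detections(report: dict) -> Dict[str, str]:
    """Return {engine: detection_name} for every engine that flagged the file.

    Entries whose category is not 'malicious' or 'suspicious' (for example
    'undetected' or 'harmless') carry no vendor name and are skipped.
    """
    results = report["data"]["attributes"].get("last_analysis_results", {})
    flagged = {}
    for engine, entry in results.items():
        if entry.get("category") in ("malicious", "suspicious") and entry.get("result"):
            flagged[engine] = entry["result"]
    return dict(sorted(flagged.items()))


def detection_for(report: dict, engine: str) -> Optional[str]:
    """Detection name a specific vendor (e.g. 'Microsoft') assigned, or None."""
    return detections(report).get(engine)


def format_table(flagged: Dict[str, str]) -> str:
    """Render the engine/name mapping as an aligned two-column text table."""
    if not flagged:
        return "(no engine flagged this file)"
    width = max(len(engine) for engine in flagged)
    return "\n".join(f"{engine:<{width}}  {name}" for engine, name in flagged.items())


# Constructed sample in the shape of a VirusTotal v3 response. Only the
# Microsoft name is taken from the KB; VendorA/VendorX/VendorY are placeholders.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "md5": "2695576276bca0c699c865599436efeb",
            "last_analysis_stats": {"malicious": 2, "undetected": 1, "harmless": 1},
            "last_analysis_results": {
                "Microsoft": {"category": "malicious", "result": "Trojan:JS/BlacoleRef.CM"},
                "VendorA": {"category": "malicious", "result": "Constructed.JS.Agent"},
                "VendorX": {"category": "undetected", "result": None},
                "VendorY": {"category": "harmless", "result": None},
            },
        },
    }
}


def main() -> None:
    md5 = "2695576276bca0c699c865599436efeb"  # MD5 from the KB example
    api_key = os.environ.get("VT_API_KEY")
    report = fetch_report(md5, api_key) if api_key else SAMPLE_REPORT
    print(format_table(detections(report)))
    print("Microsoft name:", detection_for(report, "Microsoft"))


if __name__ == "__main__":
    main()
```

Run it with VT_API_KEY set to query VirusTotal for the hash; without the variable it prints the table from the constructed sample. Checking the MD5 format before sending the request catches the common mistake of pasting the threat ID (253849) instead of the hash.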

owner: kkondo

Comments
by kkondo
on 07-02-2013 05:29 PM

Yes, this should be a valid KB; this is just a sample of how to find the virus details by MD5, which can be obtained by opening a case with our support. Each virus vendor sets a unique name for the same virus. In most cases, you cannot find the virus details from another vendor by googling the name that was detected on our PAN. Even if you find something, the customer is not sure whether it is identical or not.

Even though the following virus name is a simple one and the names are similar, it is hard to say that these are the same.

AntiVir      JS/Agent.axquo
Avast        JS:Agent-AXQ [Trj]
AVG          HTML/Framer
BitDefender  JS:Trojan.Script.AKF
Comodo       TrojWare.JS.Agent.AXQ
F-Secure     JS:Trojan.Script.AKF
Fortinet     JS/Blacole.HT!exploit
Ikarus       Exploit.JS.Blacole

Normal customers do not know how to get the MD5 for the virus or how to find it, so Japanese distributors often open a case to request the MD5 info if they cannot find enough info in the Threat Vault.
