How to Submit an Anti-Virus False Positive

by rcole on 03-15-2016 09:41 PM - edited on 07-09-2016 02:58 AM

When submitting a virus false positive report, preemptively gathering data to attach to the case will result in a quicker turnaround time.


Collecting a full sample to submit is useful for analysis, because an antivirus signature can legitimately trigger on a sample that is structured similarly to the one it was originally generated to detect; this behaviour is intended to help protect against polymorphic malware.


To capture the full file, you first need to determine where it is coming from.

Consider a few questions when attempting to capture the file:

  • What protocol is it being transferred over?
  • If HTTP, is it being hosted at a URL that one can access (check the detailed log view for the signature trigger)? Giving us the URL, if it is publicly accessible, can help.
  • Is it being sent from a specific source, or to a specific destination, on which one can set up *FULL* packet filters/captures and wait for it to reproduce? (Reference: https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Packet-Capture/ta-p/72069)

Steps

  1. Collect the output of "show system info" from the CLI of your firewall, or copy the "General Information" pane from the Dashboard of your WebGUI. Put this in the case.
  2. Collect a copy of the file triggering the AV signature. Place the file into a password-protected ZIP file (password protecting the ZIP ensures the attachment will not be stripped by any host- or network-based security devices when it is uploaded to the associated support case). Make sure that when the file is placed in the case, the password to unzip it is placed there too, or support will be unable to extract the file from the ZIP.
  3. Collect a SHA256/MD5 hash of the offending file. A hash will allow support to ensure the integrity of the file was not impacted during transfer. Place this in the case.
  4. Please provide a screenshot or text output of the triggered threat alert, or at least the threat ID and threat name from the Threat Logs (Monitor > Threat). Clicking the magnifying glass icon will give you more detail (#1 in the picture below). For example, Threat ID 2000002 | Net-Worm/Win32.Conficker.cr.
    [Image: 2016-06-10_virus1.png - Threat Log, Virus detail] Please record or get a screenshot of this information.
  5. Provide context on why it is believed that the file is a false positive. Some examples might include:
    - External reputation sources (like VirusTotal)
    - The file's origins being within your network (created by a developer internally)
    - The file is signed by a trusted party
    - The file was analyzed internally before being reported

After all of this data has been gathered and placed in the support case, the sample can be analyzed and a verdict can be reached.
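As an added example (not part of the original article), the following Python helper produces the hash details from steps 3 and 4 in a paste-ready form and performs the same integrity check support would run on the extracted file; the threat ID and name are the ones quoted above, and the sample file is constructed. The password-protected ZIP from step 2 is still created with your archiver of choice.

```python
"""Build the hash/threat block for an AV false-positive case and verify it on receipt."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large samples need not fit in memory


def hash_file(path):
    """Return (sha256, md5) hex digests of the file at `path`, read in chunks."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def case_note(path, threat_id, threat_name):
    """Format the details steps 3 and 4 ask for, ready to paste into the support case."""
    sha256, md5 = hash_file(path)
    return (
        f"File: {os.path.basename(path)} ({os.path.getsize(path)} bytes)\n"
        f"SHA256: {sha256}\n"
        f"MD5: {md5}\n"
        f"Threat ID: {threat_id} | Threat Name: {threat_name}\n"
    )


def verify_received(path, expected_sha256):
    """Receiving-side check: True only if the extracted file hashes to what the case states."""
    actual, _ = hash_file(path)
    return actual == expected_sha256.strip().lower()


if __name__ == "__main__":
    # Constructed sample: a harmless stand-in for the file that triggered the signature.
    with tempfile.NamedTemporaryFile("wb", suffix=".exe", delete=False) as tmp:
        tmp.write(b"MZ" + b"\x00" * 62 + b"constructed sample for hash demo")
    print(case_note(tmp.name, "2000002", "Net-Worm/Win32.Conficker.cr"))
    sha, _ = hash_file(tmp.name)
    print("integrity ok:", verify_received(tmp.name, sha))
    print("tampered copy ok:", verify_received(tmp.name, "00" * 32))  # False
    os.unlink(tmp.name)
```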

Comments
by LHAM001
on ‎01-03-2018 12:10 AM

To whom it may concern,

This is an urgent problem. Palo Alto Networks was found incorrectly in our installation file "setup.exe" with the file Win7-64.exe, and it alarms for "generic.ml"; this is a false positive. We hope you can analyze and remove this false positive as soon as possible.

Virus Total: https://www.virustotal.com/#/file/b7b08e3e511008792465d6d352e5ddc82c1f74d5a45bad89119aedcf908ca709/d...

SHA-256:  b7b08e3e511008792465d6d352e5ddc82c1f74d5a45bad89119aedcf908ca709

Win7-64.exe

Hope to get a response solution ASAP.

by Jan_Linhart
on ‎01-07-2018 01:14 PM

LHAM001, do not expect a solution on a discussion page; open a TAC case.
