Advanced Threat Prevention Discussions
Welcome to the Advanced Threat Prevention discussion area. Here, we explore Precision AI-powered protection that stops zero-day malware, exploits, and command-and-control attacks in real time—ensuring proactive defense and resilience against today’s most sophisticated threats.

Discussions

Welcome to the Threat & Vulnerability Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4172 Views
  • 0 replies
  • 0 Likes

Threat 109020001 detection, dropping LAN traffic after 10.0.0 upgrade

After upgrading from v9.1.3 to v10.0.0, I'm seeing detections for 109020001 (newly registered domain) for traffic to/from addresses in a private class C subnet. It's also taking a drop action. I can't find the signature in vulnerability profiles to make an exception or change the action. Has anyone else seen this or know where to find it so I ...

Resolved! Virus/Win32.WGeneric.akzslp - ffmpeg.dll

Hi, Since 2020-07-20 I have been getting Virus alerts in the Threat log on my PAN. It has pointed out that ffmpeg.dll is the culprit. I pivoted a search by <<Virus/Win32.WGeneric[.]akzslp>> on THREAT VAULT: I found the hash "ea3e32a18d5d2c3dfcf9ff8238f1f82a". I performed a reputation check on Virus Total by the hash value found on Threa...

AFuller7 by L0 Member
  • 5385 Views
  • 2 replies
  • 0 Likes

Block VPN for School Students

Good afternoon, I'm hoping someone might have an answer for me. I'm trying to see if there is a way to block any traffic coming from a student iPad or laptop when they try and use a VPN client, or more so a VPN add-on in Firefox or Chrome. I'm hoping there is a way on the firewall that it can detect that the client is using some type of VPN and i...

Resolved! Ripple20 Vulnerability Group

Hi there, About 14 days ago a group of 19 new vulnerabilities were published under the name of "ripple20" by JSOF (https://www.jsof-tech.com/ripple20/). So far I could not find any information about it in the community (which I find very strange... Maybe I missed something?). The two central questions for me concerning this topic are: 1. Are any Palo ...

Resolved! Digium Asterisk WebSocket Frame Empty Payload Denial-of-Service Vulnerabi

How do I report or provide feedback regarding the Cortex Alert named "Digium Asterisk WebSocket Frame Empty Payload Denial-of-Service Vulnerability" that is being generated by the PAN NGFW, with the Initiator CMD of: "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12827.20182.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft...


Resolved! Virus/Win32.WGeneric.ajdriy - OneDriveSetup.exe

Hi, Since yesterday April 13/2020 I have been getting Virus alerts in the Threat log on my PAN 3020. It has pointed out that OneDriveSetup.exe is the culprit. I went to a few machines and searched for OneDriveSetup.exe and uploaded it to VirusTotal. All came back clean. I then ran a malware scan (Cortex) on a few machines and again it came back ...

Resolved! Virus/Win32.WGeneric.aktpum - OneDriveSetup.exe detected via an Antivirus

Hello, We are seeing the following in Cortex XDR: 'Threat ID #348815361' generated by PAN NGFW, detected on host 10.x.x.x, involving user ZZZZ\first.last. Threat ID: 2418537 Current Release: 3394 (2020-06-28 UTC) First Release: 3394 (2020-06-28 UTC) SHA256: 1d279269b17d9282b061be59ba23a0fadecae6e44e12ea4054d4637ae736d748 Unfortunately it seems that its...


Security profile testing

I am currently building out more granular policies that have application groups applied as well as security profiles for AV, malware, vulnerability and URL filtering. I will be applying these to a test firewall and would like to build out a test plan to ensure they are working as expected. I just wanted to run this by the community to see if perh...

Jamesy by L2 Linker
  • 4625 Views
  • 2 replies
  • 0 Likes

Resolved! Spyware with DNS Protection

Hi All, Our Firewall drops DNS traffic of C&C (us.jaxonsorensen.club, news.sqllitlerver.info & log.osloger.biz) with the source IP address of the Firewall. This issue started after the Threat update on 28/05/2020. Will appreciate any help/suggestions. Best regards, Khai

Resolved! Microsoft Directory Services/ms-ds-smbv3 - Virus/Win32.WGeneric.yurld

We are seeing numerous alarms from our SIEM from our Palo Alto firewall. Here is a copy of a scrubbed log message below. When asking the user about their activity, they only RDP'ed into various servers from their laptop via the GlobalProtect VPN for remote admin work and ran a batch file that re-maps drives. Additionally they noted browsing to \\&l...

  • 545 Posts
  • 78 Subscriptions