Custom Antivirus Signatures


L4 Transporter

Is it possible to create custom antivirus signatures?

Goal is to block files with certain hashes. The original file is not available, only the hash.

Is there any way to submit hashes to PANW so that they create signatures? (Something similar to what exists for URLs)

4 REPLIES

L3 Networker

If you can send us the hash we can look to try and find the file somewhere else and make a signature if the file is malicious, but we do not do hash based blocks. 

Hello tboire,

many thanks for your reply. It is regarding a recent ransomware campaign, e.g.

hash:

0f6ae637a9d15503a0af42be649388f01f8637ca16b15526e318a94b7f34bf6e

Cannot find in PA Threatvault, but Virustotal shows many vendors classify it as malware.

hash:

39256f126bba17770310c2115586b9f22b858cf15c43ab36bd7cfb18ad63a0c2

Is found in PA Threatvault as malware, but there seems to be no signature (nothing shown regarding which wildfire content update contains a signature to block it).

So the only method would be to get hold of a sample file and upload to Wildfire portal in order to trigger analysis by PA and possibly signature creation?


L0 Member

can you check these hashes

New Hashes

e5bf756d5530ec38ff649b901b3c7506f8556821d979bdcb392237f2ff40daf8
5257f623270b4c5cc471ff35b1bfeec80ab37c7e012da76b50ebd2c4911a43d0
c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f
0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe

Old Hashes

5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a
0266be9130bdf20976fc5490f9191edaafdae09ebe45e74cd97792412454bf0d
d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a
35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b
0975eb436fb4adb9077c8e99ea6d34746807bc83a228b17d321d14dfbbe80b03
391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c
6985ef5809d0789eeff623cd2436534b818fd2843f09fa2de2b4a6e2c0e1a879
ccb1209122085bed5bded3f923835a65d3cc1071f7e4ad52bc5cf42057dd2150
dab3308ab60d0d8acb3611bf364e81b63cfb6b4c1783864ebc515297e2297589
bc4513e1ea20e11d00cfc6ce899836e4f18e4b5f5beee52e0ea9942adb78fc70



@Anon1 wrote:

Is it possible to create custom antivirus signatures?

Goal is to block files with certain hashes. The original file is not available, only the hash.

Is there any way to submit hashes to PANW so that they create signatures? (Something similar to what exists for URLs)


If you had AutoFocus, you can check these hashes to see how we classify them, IOCs related to the file (if malicious), when it was first seen, and if there is any relevance to threat actors, malware campaigns, etc. As a previous poster noted, Palo doesn't do signatures based on hash, as hashes are more unique than the malware itself and it would be inefficient to create hundreds/thousands or more of signatures for different hashes, especially if the underlying malware or virus is the same. Palo cares more about the underlying malicious file and its underlying activity.

  • 13580 Views
  • 4 replies
  • 3 Likes
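The last reply's point that hashes are "more unique than the malware itself" can be seen in a few lines of code. The following is an added example, not code from this thread or from Palo Alto Networks: it builds the kind of SHA-256 blocklist the original poster asked for, checks a constructed sample against it, and shows that a one-bit change to the file yields a different digest and therefore no match. The file contents and blocklist entries are constructed for the demonstration; none of the hashes posted in the thread are used.

```python
"""Hash-based file blocking on the defender's side.

Added example (not code from the original thread or from Palo Alto Networks).
It shows why a SHA-256 blocklist is easy to build yet matches only the exact
bytes it was built from: flipping one bit of the file changes the digest
completely, which is the point the last reply makes about hashes being
"more unique than the malware itself". Sample contents and blocklist entries
below are constructed for this demonstration.
"""
import hashlib
import re

# A SHA-256 hex digest is exactly 64 hex characters.
HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def normalise_hash(value: str) -> str:
    """Strip and lower-case a SHA-256 hex string; reject anything else."""
    h = value.strip().lower()
    if not HEX_SHA256.match(h):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return h


def load_blocklist(lines) -> set:
    """Parse blocklist lines (one digest per line, '#' comments allowed) into a set."""
    out = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            out.add(normalise_hash(line))
    return out


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw file bytes as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def is_blocked(data: bytes, blocklist: set) -> bool:
    """True if the file's digest is on the blocklist (exact-bytes match only)."""
    return sha256_hex(data) in blocklist


def demo() -> dict:
    """Check a constructed sample and a one-bit variant of it against a blocklist."""
    # Constructed sample bytes (not real malware) with a PE-like "MZ" prefix.
    sample = b"MZ\x90\x00" + b"constructed sample payload, not real malware" * 4
    variant = bytearray(sample)
    variant[-1] ^= 0x01  # flip a single bit in the last byte
    variant = bytes(variant)

    blocklist = load_blocklist([
        "# constructed blocklist, one SHA-256 per line",
        sha256_hex(sample).upper(),  # upper-case entry to exercise normalisation
    ])
    return {
        "original_blocked": is_blocked(sample, blocklist),
        "variant_blocked": is_blocked(variant, blocklist),
        "hashes_differ": sha256_hex(sample) != sha256_hex(variant),
    }


if __name__ == "__main__":
    print(demo())
```

Running it reports the original sample as blocked and the one-bit variant as not blocked, even though the two files are functionally the same. That is why a vendor reply in this thread points to content-based signatures and AutoFocus classification instead of per-hash blocks: a hash list only ever catches the exact samples already known.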