Palo Alto Threat Vault AntiVirus Signatures

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Palo Alto Threat Vault AntiVirus Signatures

L0 Member

Hi Community!

 

I wanted to better understand how Palo Alto ties it's detections with its Unique Threat ID to the Wildfire Virus Detections. 

 

For example, we have been receiving a steady amount of alerting for a Virus File and Palo Alto gives us the file name. If I search for the Unique Threat ID, I can see SHA-256's that Palo ties to it. 

 

So my question is, are Palo Alto Virus Detections tied to a file name or can it actually pick up SHA-256's in network connections. Is the association made through the Unique Threat ID accurate? Or can it lead to false positives because it's only detecting based on file name?

 

Thank you in advance!

1 REPLY 1

L5 Sessionator

Palo Alto Networks' virus detection is not based on the file name nor the SHA-256 hash value. The Antivirus signature is based on a byte pattern that is generated from the malicious sample analyzed by WildFire. On Threat Vault, you see the SHA-256 hashes of the associated malware samples.

 

Reference:
https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-20-threat-logs-av/ta-p/546632

 

  • 777 Views
  • 1 replies
  • 0 Likes
  • 77 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!