General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Resolved! How do I identify which PC made a suspicious DNS query?

Hello, I have set up the Anti-Spyware Profile in our firewall and I have a lot of threat logs of type spyware (suspicious DNS queries) from a domain controller machine, and this machine is cleansed. Monitor > Logs > Threat list. As you can see, I have configured the sinkhole method. But I would like to know how I could identify which PCs are making t...

sinkhole.jpg
SOC_CSG by L4 Transporter
  • 8623 Views
  • 3 replies
  • 0 Likes
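With the sinkhole action the firewall rewrites the DNS answer to the sinkhole address, so the threat log names the DNS forwarder (here the domain controller) as the source, while the infected endpoint then opens a session to the sinkhole address and that session appears in the traffic log with the endpoint's own IP. The script below is an added example, not code from the original post or from Palo Alto Networks: it correlates constructed threat-log and traffic-log rows (a simplified column layout, not the exact PAN-OS export schema) and assumes a hypothetical sinkhole address of 10.255.255.254.

```python
"""Correlate sinkholed DNS queries (threat log) with sessions to the sinkhole
address (traffic log) to recover the real client behind a DNS forwarder.

All log data below is constructed for illustration; the column layout is a
simplified stand-in for the PAN-OS log export, not its exact schema.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumption: the sinkhole address configured in the Anti-Spyware profile.
SINKHOLE_IP = "10.255.255.254"

# Constructed threat log. The source is the DNS forwarder (the domain
# controller), because the firewall only saw the DC's recursive query.
THREAT_LOG = """\
receive_time,type,subtype,src,dst,threat,action
2016/03/01 10:00:01,THREAT,spyware,192.168.1.10,8.8.8.8,Suspicious DNS Query (example.bad:badguy.example.com)(12345),sinkhole
2016/03/01 10:00:05,THREAT,spyware,192.168.1.10,8.8.8.8,Suspicious DNS Query (example.bad:other.example.net)(12346),sinkhole
"""

# Constructed traffic log. After the sinkholed answer, the real endpoint
# connects to the sinkhole IP, and that session carries its own address.
TRAFFIC_LOG = """\
receive_time,type,src,dst,dport,app,action
2016/03/01 10:00:02,TRAFFIC,192.168.1.57,10.255.255.254,80,web-browsing,allow
2016/03/01 10:00:06,TRAFFIC,192.168.1.83,10.255.255.254,443,ssl,allow
2016/03/01 10:00:07,TRAFFIC,192.168.1.57,93.184.216.34,443,ssl,allow
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"


def sinkholed_queries(threat_csv):
    """Threat-log rows whose action was sinkhole (src is the forwarder, not the client)."""
    return [row for row in csv.DictReader(io.StringIO(threat_csv))
            if row["subtype"] == "spyware" and row["action"] == "sinkhole"]


def clients_hitting_sinkhole(traffic_csv, sinkhole_ip=SINKHOLE_IP):
    """Map each real client IP to the sessions it opened towards the sinkhole."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(traffic_csv)):
        if row["dst"] == sinkhole_ip:
            hits[row["src"]].append((row["receive_time"], row["dport"], row["app"]))
    return dict(hits)


def pair_with_queries(threat_csv=THREAT_LOG, traffic_csv=TRAFFIC_LOG,
                      sinkhole_ip=SINKHOLE_IP, window=60):
    """For each sinkhole session, name the most recent sinkholed query that
    preceded it within `window` seconds. This is a heuristic: when many
    clients share one forwarder, only the time gap links session to query."""
    queries = [(datetime.strptime(r["receive_time"], TIME_FMT), r["threat"])
               for r in sinkholed_queries(threat_csv)]
    pairs = []
    for row in csv.DictReader(io.StringIO(traffic_csv)):
        if row["dst"] != sinkhole_ip:
            continue
        t = datetime.strptime(row["receive_time"], TIME_FMT)
        candidates = [(qt, name) for qt, name in queries
                      if 0 <= (t - qt).total_seconds() <= window]
        best = max(candidates)[1] if candidates else None
        pairs.append((row["src"], best))
    return pairs


def report(threat_csv=THREAT_LOG, traffic_csv=TRAFFIC_LOG, sinkhole_ip=SINKHOLE_IP):
    """Summary: which forwarders appear in the threat log, which clients really hit the sinkhole."""
    forwarders = sorted({r["src"] for r in sinkholed_queries(threat_csv)})
    clients = clients_hitting_sinkhole(traffic_csv, sinkhole_ip)
    return {"dns_forwarders": forwarders, "infected_clients": sorted(clients)}


if __name__ == "__main__":
    print(report())
    for client, query in pair_with_queries():
        print(client, "<-", query)
```

The traffic-log filter is the part that matters: the threat log alone can only ever show the forwarder, so the search for clients is `dst eq <sinkhole address>` in the traffic log, not anything in the threat log.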

FalsePositive on Silverlight.exe (Virus/Win32.slugin.ozi ID: 2044771)

Hello Community! I wonder if anyone else is getting a False Positive hit in AntiVirus Protection on downloading Silverlight.exe? When we use the following link: http://go.microsoft.com/fwlink/?LinkID=623682 the page is blocked due to the AntiVirus Profile. In our Threat Log we can see that the file Silverlight.exe is being blocked because it is ide...

Resolved! AWS Servers trigger Vulnerability

We are seeing a high number of "HTTP Non RFC-Compliant Response Found" (Signature ID: 32880, CVE-2010-2561). All are logged from AWS servers, evenly distributed across a large number of servers: 173 in one hour, each with 300-500 hits. I have packet-captured the vulnerability and it is logging a seemingly innocuous XML file. I suspect this is ...

djr by L4 Transporter
  • 5625 Views
  • 2 replies
  • 1 Like

Custom Vulnerability Signature. Is this limitation correct or is a fail?

Hello, I've been trying to create a custom vulnerability and I have encountered this limitation: currently in Threat Database Vault version 529 there are 50 signatures for PHP. I'm trying to add all PHP signatures and this message appears when it exceeds 17 signatures. 😞 Is this limitation correct or is it a fail? 😞 A few days ago we suffered multipl...

vulnerability 41003.jpg
SIEM scan vulnerability.jpg
SOC_CSG by L4 Transporter
  • 8204 Views
  • 5 replies
  • 0 Likes

I want to know some details about a specific threat signature.

Hello everyone, I have this threat signature: "NUCLEAR Exploit Detection Kit (38268)", and I'm researching on what date it was created. I need to know which version of the threat database included and released this signature. I would greatly appreciate any help. Regards, dicu

SOC_CSG by L4 Transporter
  • 3739 Views
  • 1 reply
  • 0 Likes

Resolved! Zone Protection exception

Hello, we have a problem with one of our customers. Probably due to a carrier router misconfiguration, packets coming from (and only from) a specific source IP are matched as fragmented by the PA. As a consequence, due to a Zone Protection and Fragmented Traffic profile applied to that zone, some kinds of traffic that come from that IP are discarded (for examp...
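Before adding an exception for a single source, it is worth confirming from a packet capture what the firewall is actually seeing: a packet counts as part of a fragment series when the More Fragments flag is set or the fragment offset is non-zero, regardless of the Don't Fragment bit. The script below is an added example, not code from the original post or from Palo Alto Networks: it parses raw IPv4 headers for those fields and tallies fragments per source address, using constructed headers (checksum left at zero, documentation-range addresses) rather than a real capture.

```python
"""Inspect raw IPv4 headers for the fragment fields a 'fragmented traffic'
check keys on, and tally fragments per source address.

Packets below are constructed for illustration (checksum left at zero,
RFC 5737 documentation addresses); they are not from a real capture.
"""
import struct
from collections import Counter
from dataclasses import dataclass

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte header without options


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    df: bool          # Don't Fragment
    mf: bool          # More Fragments
    frag_offset: int  # in 8-byte units

    @property
    def is_fragment(self) -> bool:
        # MF set -> first/middle fragment; offset > 0 -> middle/last fragment.
        # DF alone never makes a packet a fragment.
        return self.mf or self.frag_offset > 0


def parse_ipv4(packet: bytes) -> IPv4Header:
    """Decode version, flags, fragment offset and addresses from a raw packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tot_len, _ident, flags_frag,
     _ttl, _proto, _csum, src, dst) = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return IPv4Header(
        src=".".join(map(str, src)),
        dst=".".join(map(str, dst)),
        df=bool(flags_frag & 0x4000),
        mf=bool(flags_frag & 0x2000),
        frag_offset=flags_frag & 0x1FFF,
    )


def build_ipv4(src: str, dst: str, *, df=False, mf=False,
               frag_offset=0, ident=0x1234) -> bytes:
    """Constructed 20-byte header for testing (zero checksum, no payload)."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    return struct.pack(IPV4_HDR, 0x45, 0, 20, ident, flags_frag, 64, 6, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


# Constructed capture: one well-behaved source and one source whose packets
# arrive as a fragment series.
SAMPLE_CAPTURE = [
    build_ipv4("198.51.100.7", "203.0.113.10", df=True),
    build_ipv4("198.51.100.7", "203.0.113.10", df=True),
    build_ipv4("192.0.2.44", "203.0.113.10", mf=True),            # first fragment
    build_ipv4("192.0.2.44", "203.0.113.10", frag_offset=185),    # last fragment
    build_ipv4("192.0.2.44", "203.0.113.10", df=True),            # a whole packet
]


def fragments_by_source(packets):
    """Count fragmented vs whole packets per source address."""
    counts = {}
    for raw in packets:
        h = parse_ipv4(raw)
        c = counts.setdefault(h.src, Counter())
        c["fragment" if h.is_fragment else "whole"] += 1
    return {src: dict(c) for src, c in counts.items()}


if __name__ == "__main__":
    for src, c in fragments_by_source(SAMPLE_CAPTURE).items():
        print(src, c)
```

If a capture on the ingress interface shows MF or a non-zero offset only for the one source, the upstream device really is fragmenting (or mangling) that traffic and an exception or an upstream fix is the right conversation; if the headers are clean, the drop has a different cause than fragment protection.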

Resolved! How to Configure Action for 'automatic blocking an IP for an hour' in a vulnerability scanning?

Hello, would this be possible to implement? Configure my firewall to take an action for 'automatically blocking an IP for an hour' on a vulnerability scan. Objects -> Custom Objects -> Vulnerability. Example: auto-block the attacker IP for 1 hour if 10 times in 10 seconds any Scan Vulnerability Bash. I want an "OR" condition. Here, in addition to "IP add...

Imagen 1.jpg
Imagen 02.jpg
Imagen 15.jpg
Imagen 16.jpg
SOC_CSG by L4 Transporter
  • 18652 Views
  • 6 replies
  • 0 Likes

Question about threat logs - Type wildfire-virus

Hi all, just wondering why I see in our threat logs entries with the type wildfire-virus only for the application smtp... (I would like to post some screenshots, but I can't find the upload button?) What does the type wildfire-virus stand for? And where can I enable it for other applications as well?

Hithead by L4 Transporter
  • 9196 Views
  • 4 replies
  • 1 Like