01-26-2015 07:39 AM
Our 3020 PA got updated with a new AV definition this morning. Since then it is marking all Flash as Virus/Win32.generic and dropping it for all users. But we are not getting any complaints from end users. We tried some sites with Flash content and had no problem playing Flash video. It appears the firewall is not really denying it, but logs it as denied. Has anybody seen this behavior, and what are you doing about it? It is filling up my SIEM and generating false alerts.
thank you
01-26-2015 07:57 AM
Hi Awarsame,
If "deny" is seen in the threat log, it means the firewall is blocking something. Does it happen with all Flash files?
If you know which Flash file it is happening with, I would suggest opening a TAC case for a "False Positive" check.
Regards,
Hardik Shah
01-26-2015 11:16 AM
Hi,
I have seen a lot of Flash advertisements being flagged as viruses since last week, but blocking those advertisements will not prevent your users from visiting otherwise regular websites. That is the reason why nobody complained.
Regards,
Benjamin Audy
01-26-2015 01:15 PM
I am seeing this too.
We currently have a CPU usage of 44% and a dataplane usage at 66%.
This has been in the logs for the last hour. I called support and opened a ticket, but the agent said we weren't being hacked, and that it was due to a high level of traffic.
Last hour traffic is web-browsing and flash. Both are high.
01-26-2015 03:09 PM
We're having the EXACT same problem. It's possible that the 1944 update will fix this issue. Please be sure to update your PAN.
01-26-2015 04:34 PM
I am seeing the same traffic here as well. However, I correlated it to the URL logs and it seems to be for advertisements. With the recent Flash vulnerability out there, it wouldn't surprise me that these are 'drive by' downloads trying to happen. If the users are not complaining, it's all good in my world.
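The correlation approach this reply describes (matching threat-log hits against URL-log categories to separate ad-served Flash from hits that still need a look) as an added Python example; it is not code from the thread or from Palo Alto Networks, and the log rows, column names and session ids are constructed and simplified, not the real PAN-OS export format.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed, simplified threat-log and URL-log extracts (assumed columns,
# not the real PAN-OS CSV layout). Rows are joined on the session id.
THREAT_LOG = """session,threat,action,src
1001,Virus/Win32.generic,deny,10.0.0.5
1002,Virus/Win32.generic,deny,10.0.0.6
1003,Virus/Win32.generic,deny,10.0.0.5
1004,Virus/Win32.generic,deny,10.0.0.9
"""
URL_LOG = """session,url,category
1001,ads.example-adnetwork.test/banner.swf,web-advertisements
1002,cdn.example-adnetwork.test/spot.swf,web-advertisements
1003,ads.example-adnetwork.test/promo.swf,web-advertisements
1004,downloads.example-site.test/player.swf,unknown
"""

def load(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))

def correlate(threat_rows, url_rows):
    """Join each threat hit to its URL-log entry; tally categories per threat name."""
    url_by_session = {r["session"]: r for r in url_rows}
    summary = defaultdict(lambda: {"hits": 0, "ad_hits": 0,
                                   "categories": Counter(), "review": []})
    for t in threat_rows:
        s = summary[t["threat"]]
        s["hits"] += 1
        u = url_by_session.get(t["session"])
        category = u["category"] if u else "uncorrelated"
        s["categories"][category] += 1
        if category == "web-advertisements":
            s["ad_hits"] += 1
        else:
            # Anything not served as an advertisement stays on the analyst's list.
            s["review"].append(t["session"])
    return summary

def triage(summary):
    """'likely-fp' only when every hit maps to ad content; otherwise 'review'."""
    return {name: {"verdict": "likely-fp" if not s["review"] else "review",
                   "ad_ratio": s["ad_hits"] / s["hits"],
                   "review": s["review"]}
            for name, s in summary.items()}

if __name__ == "__main__":
    for name, v in triage(correlate(load(THREAT_LOG), load(URL_LOG))).items():
        print(name, v)
```

The point of keeping the non-ad sessions is the question raised later in the thread: a burst of ad-served Flash hits is consistent with a bad signature release, but a hit on a download from an unrelated site is not explained by that and should be checked before the whole threat name is dismissed.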
01-26-2015 04:51 PM
Hello Awaresame,
Could you please let us know the AV release version currently installed on your PAN firewall? You may share the CLI output of >show system info.
There is a BUG open for a similar issue and it has been resolved in AV release 1471.
Hope this helps.
Thanks
01-27-2015 01:50 AM
Hi,
I can confirm this. With R1470 we've seen thousands of logged virus threats within one day on our new PA 3050. Today with R1471 everything is fine again.
For us as a brand new customer this was quite surprising.
Best regards
Thomas
01-28-2015 09:19 AM
We're seeing a lot of Flash stuff logged but nothing like "everything" so how sure is anyone that these really are false positives vs. true malware?
I really do wish the Palo Alto could log the URL as part of threat log and email report.
01-28-2015 10:36 AM
Resolved here: Re: Re: Suspicious DNS Query ad nauseam