Eicar and Palo Alto threat-db

L6 Presenter

First a question:

Where and how can I see what is the default action for a particular threat, vuln or spyware threatid?

Preferably from within the box itself...

And now for an observation:

I tried searching for eicar in the Threat Vault and obviously there are four different (?) eicars registered:

2739329 Virus/Win32.eicar-av-test.b

2459563 Virus/DOS.eicar_test_file.j

2101399 Virus/Win32.eicartestfile.e

2069593 Virus/Win32.eicartestfile.bh

The first three can be opened:

https://threatvault.paloaltonetworks.com/Home/VirusDetail/2739329

https://threatvault.paloaltonetworks.com/Home/VirusDetail/2459563

https://threatvault.paloaltonetworks.com/Home/VirusDetail/2101399

But the fourth just won't load when clicking on it in the results:

https://threatvault.paloaltonetworks.com/Home/VirusDetail/2069593

However, the URL (when typed manually in the address field) works.

And now for the added feature:

All four report that they were added in content DB v960 (2013-02-28)!?!?!?

Content Release     960 (2/28/2013)

And... looking at each page, it clearly looks like output from WildFire... but the true EICAR test file won't try to change netsh.exe settings, dump exe files, alter registry keys etc... or did I miss what the EICAR test file is supposed to do?

Download - EICAR - European Expert Group for IT-Security

Also, as a side note, the threat ID for the true EICAR test file seems to be threat ID 100000, but this threat ID cannot be located in the Threat Vault!?
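The EICAR test file the thread keeps coming back to, as an added example that is not part of the original post and not Palo Alto Networks' code: per the eicar.org specification the file is nothing more than a fixed 68-byte ASCII string (it is also a valid DOS .COM program that prints its own name), optionally followed by whitespace (space, tab, CR, LF, CTRL-Z), with the whole file at most 128 bytes. The checker below validates a byte string against those rules and computes its hashes, so a sample whose bytes or hash differ from this one is, by definition, not the standard test file. The function names, the constructed samples in the `__main__` block and the "tampered" case are mine.

```python
import hashlib

# Canonical 68-byte EICAR test string, split into fragments so that this
# source file does not itself contain the contiguous signature. The fragment
# text is copied from the published EICAR specification (eicar.org).
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!",
    "$H+H*",
)
EICAR_MAX_FILE_SIZE = 128              # spec: the whole file is at most 128 bytes
_ALLOWED_PADDING = b" \t\r\n\x1a"      # spec: space, tab, LF, CR and CTRL-Z only


def eicar_bytes() -> bytes:
    """Return the 68-byte EICAR test string (ASCII, no trailing newline)."""
    return "".join(_EICAR_PARTS).encode("ascii")


def check(data: bytes) -> tuple[bool, str]:
    """Validate a file's bytes against the eicar.org rules and say why they fail.

    Rules: the 68-byte string must come first, anything after it may only be
    whitespace (including CTRL-Z), and the whole file is at most 128 bytes.
    """
    sig = eicar_bytes()
    if len(data) > EICAR_MAX_FILE_SIZE:
        return False, f"file is {len(data)} bytes, limit is {EICAR_MAX_FILE_SIZE}"
    if not data.startswith(sig):
        return False, "does not start with the 68-byte EICAR string"
    bad = [b for b in data[len(sig):] if b not in _ALLOWED_PADDING]
    if bad:
        return False, f"non-whitespace byte(s) after the string: {bytes(bad)!r}"
    return True, "valid EICAR test file"


def is_eicar_file(data: bytes) -> bool:
    """Boolean convenience wrapper around check()."""
    return check(data)[0]


def digests(data: bytes) -> dict[str, str]:
    """Hashes of the bytes. For the bare 68-byte string these are the values
    published for the EICAR file, so a sample hash that differs is not the
    standard test file (padding with whitespace does change the hash)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed samples: the bare string, a CRLF-terminated copy as most
    # editors save it, and a copy with an extra byte that breaks the spec.
    for label, sample in (
        ("bare", eicar_bytes()),
        ("crlf", eicar_bytes() + b"\r\n"),
        ("tampered", eicar_bytes() + b"x"),
    ):
        ok, why = check(sample)
        print(f"{label:9} {ok!s:5} {why}  sha256={digests(sample)['sha256']}")
```

Run it on a file you downloaded from eicar.org and on a WildFire sample to see the difference: the string is inert text, it creates no processes and touches no registry keys, so a report describing that kind of behaviour is describing some other file that merely carries "eicar" in its signature name.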

1 accepted solution

Accepted Solutions

L5 Sessionator

First Answer

Where and how can I see what is the default action for a particular threat, vuln or spyware threatid?

See Default Action.PNG

4 REPLIES

L5 Sessionator

Response to your observation: I had to visit the Threat Vault and search for the ID 2069593 the first time, and now it opens up every single time.

I could add a Threat Exception, which validates Threat ID 100000:

EicarTestFile.PNG

Ohh... I guess I missed that checkbox in the lower left.

Also, I assume that AV signatures don't have any default action or such attached to them?

Regarding EICAR, I was more thinking of why there are four of them and why threat ID 100000 isn't searchable through the Threat Vault web page?

I just tried to open each of those links to the Threat Vault in the original post, and I had to close the tabs and open them a second time for them to work (on each individual link)

It seems that some sort of web session or cookie or whatever gets established the first time the link is visited, but the page doesn't display the first time. When you hit the link for the second time, the actual page displays. Sounds like a session thing to me.
