02-28-2013 02:30 PM
First a question:
Where and how can I see what is the default action for a particular threat, vuln or spyware threatid?
Preferably from within the box itself...
And now for an observation:
I tried searching for eicar in the threat vault and obviously there are four different (?) eicars registered:
2739329 Virus/Win32.eicar-av-test.b
2459563 Virus/DOS.eicar_test_file.j
2101399 Virus/Win32.eicartestfile.e
2069593 Virus/Win32.eicartestfile.bh
The first three can be opened:
https://threatvault.paloaltonetworks.com/Home/VirusDetail/2739329
https://threatvault.paloaltonetworks.com/Home/VirusDetail/2459563
https://threatvault.paloaltonetworks.com/Home/VirusDetail/2101399
But the fourth just won't load when clicking on it in the results:
https://threatvault.paloaltonetworks.com/Home/VirusDetail/2069593
However, the URL (when written manually in the address field) works.
And now for the added feature:
All four report that they were added in content-db v960 (2013-02-28) !?!?!?
Content Release 960 (2/28/2013)
And... looking at each page it clearly looks like output from WildFire... but the true eicar testfile won't try to change netsh.exe settings, dump exe files, alter registry keys etc... or did I miss what the eicar testfile is supposed to do?
Download ° EICAR - European Expert Group for IT-Security
Also as a sidenote the threatid for the true eicar testfile seems to be threatid 100000, but this threatid cannot be located in the threat vault!?
02-28-2013 04:05 PM
First Answer
Where and how can I see what is the default action for a particular threat, vuln or spyware threatid?
02-28-2013 04:11 PM
Response to your observation: I had to visit Threat Vault and search for the ID 2069593 the first time, and now it opens up every single time.
I could add Threat Exception which validates that Threat ID for 100000
02-28-2013 11:25 PM
Ohh... I guess I missed that checkbox in the lower left
Also I assume that AV signatures don't have any default action or such attached to them?
Regarding Eicar I was more thinking of why there are four of them and why threatid 100000 isn't searchable through the threat vault webpage?
03-01-2013 07:43 AM
I just tried to open each of those links to the Threat Vault in the original post, and I had to close the tabs and open them a second time for them to work (on each individual link).
It seems that some sort of web session or cookie or whatever gets established the first time the link is visited, but the page doesn't display the first time. When you hit the link for the second time the actual page displays. Sounds like a session thing to me.