False Positive Virus

cancel
Showing results for 
Search instead for 
Did you mean: 

False Positive Virus

L2 Linker

We use Total Defense for an antivirus program.  It appears that one of the executable (both the 32 bit and 64 bit versions) in the latest update is being flagged as a virus, Virus/Win32.WGeneric.bnrd, the other executable files are fine.  When I look at the Data Filtering log for Wildfire I see it says that it was forwarded.  But when I look at the Wildfire report there is no report of that specific executable in the history and I don't see any files in Wild Fire reports in the last 7 days.  So I believe I have a two fold issue, one the false positive doesn't allow our users to the the latest update and the fact nothing seems to be reaching Wildfire.

I opened a ticket 8 days ago when I first saw the problem, but they want a copy of the executable.  Unfortunately I can't find it because it is never getting to Wildfire and the installation files are inside a .pkg file and can't find a way to extract it.

3 REPLIES 3

L5 Sessionator

A "forward" action simply means that the WildFire action was taken for the file, but didn't result in an actual file upload (because it was a trusted file, or WildFire has already seen the file).


For the false positive issue, you can enable "Data Capture" on data filtering setting and get the file. Or if the issue is reproducible, you can have captures at firewall, initiate anti-virus update and attach those pcaps to the case you opened earlier.


Also on the same note, "wildfire-upload-success" means the file was actually uploaded to the cloud because the cloud had not seen the file before, and it wasn't signed by a trusted signer.


Hope this helps.Thanks

L4 Transporter

Hello,

The detailed issue is documented at the following link indicating as an expected behavior.

https://live.paloaltonetworks.com/docs/DOC-3369

Regards

Parth

Thanks for the reply, as part of my ticket I had included the .pcap file from one of the "threats".  The issue is still happening, but the bizarre thing is only happening with a few users, most of the users have been able to do updates, myself included.

As for the Wildfire that is what I thought from reading about it in the forums, but the fact there was no traffic reported for anything for 8 days had me a little concerned.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!