Find out more information from a listed Threat Protection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Find out more information from a listed Threat Protection

L3 Networker

Hey all,

Love Palo Alto Networks!! Wooo!

Anyway, just wanted to know something, when I go into ACC (Application Command Center) under Threat Protection... and I get something like this...

Nice to know I was protect from a possible Virus, but what is Win32.Generic.deaep? Google doesn't show anything... all the links are pretty much useless as all they do is append what you clicked into the filter on the top, giving you the exact same page..

I'd like to know things like when did this come in? (I can only figure out based on going from 30 days back, to 7 days back and that's about it)

What packets were blocked, used to discover this?
What was the attacking vector? (Web, Flash, local Windows Process, etc)

Then at least I can figure out how the virus almost made it in and stop the source.

(Sadly these were blocked and the "attack victim" was me :S)



4 REPLIES 4

L7 Applicator

The ACC will show results based on the currently selected filter. The default is Last Hour, but that also depends on what you've drilled into.

In the upper-right corner, there are several icons:

2015-05-08_1031.png

In order, they are: Traffic Log; Threat Log; URL Filtering Log; Data Filtering Log; and HIP Match Log

For this, I'd recommend hitting either Traffic or Threat, and then you can see all the details about it.

As for the name, there are tons of vendors who all have different names for the amazing amount of unique malware (tens of millions at least). Naming them can become pointless after a while.Generally if it's listed as "generic", it's one of many, many files that behave maliciously but don't stand out as something that has a unique name. More times than not, it came from WildFire, where we look for malicious activity rather than try to give each file its own identity.

That said, you can always check the Threat Vault: https://threatvault.paloaltonetworks.com/

Searching for 3130952 gives: https://threatvault.paloaltonetworks.com/Home/VirusDetail/3130952

In this case, it has details on four separate files we collected from various sources (possibly including the one you caught). The SHA-256 and MD5 links take you to the WildFire report, showing you all the details about it.

Hope this helps!

Greg Wesson

Thanks for the helpful reply.

You mentioned "Generally if it's listed as "generic", it's one of many, many files that behave maliciously but don't stand out as something that has a unique name"

Does this mean I have a file on my machine that would match the SHA-256 / MD5 signatures? and if so How would I go about removing it?

That depends on your configuration (including licensed options).

If it's HTTP or SMTP, and it tripped a virus signature, chances are it didn't even make it to the client. You can go download the eicar test file if you want to see it in action. You won't get any notification over email if it was blocked as SMTP though, so it all depends on how it was attempted to be delivered to the victim.

I'd recommend checking out the logs, finding whose machine it was, and looking for the file name referenced. If you find it, and the machine has not executed it, just delete the file. If it's infected with malware, then you'll need to revert to a backup before the infection or remove it from wherever it is in terms of the malware itself.

-Greg

I appreciate the help. But that's the thing there is no file name referenced in the supplied Picture, or in the ACC. So That's why I posted here to kind of get an idea of what I am really being protected from and how I can better track it down. I do know who's machine it originated from, and it was one of my play around laptops. The one I install applications I don't' like on my actual workstation (iTunes, Samsung Kies, etc)

  • 2993 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!