Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Firewall intercepts Virus between networks. False Positive???

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Firewall intercepts Virus between networks. False Positive???

L3 Networker

Dear Palo Alto experts...,

 

We have various systems in our LAN seperated by our Palo Alto firewall.

 

In the last 24 hours the firewall detected 2.7K times the virus  "Virus/Win32.WGeneric.rktkq"

2018-05-31 10_39_51-FW-PA500-1.png2018-05-31 10_35_11-FW-PA500-1.png

 

The systems are scanned for inventory by two programs. Spiceworks and PDQ inventory. The scan server is on one side of the firewall. The other servers are on the other side of the firewall.

The "Spiceworks" server has been scanned by our Kasperksy AntiVirus solution. No detections here.

 

What could be causing this? And if it is a false positive, what would the next path forward to solve this problem?

 

Any thoughts you might have are very welcome.

 

Remko

 

 

 

1 accepted solution

Accepted Solutions

I do not believe you do. This is the latest reply from Palo Alto

 

we've had a wave of few days last month where our static analysis caused a number of false positives due to an artifact that wasn't such a sure indicator of compromise yet it has had high value in our detectors; once we reviewed that IOC and adjusted it's weight in the static analysis algorithm, everything was fixed (regarding high false-positive rate). However, we still have few hashes to fix verdict on (such as few of those you shared).

I reviewed all the samples and they were flipped due to overly aggressive IOC weight.

View solution in original post

16 REPLIES 16

Community Team Member

Hi @Indorama_Ventures,

 

Configure the firewall to gather a PCAP for the threat.  Then you can send the PCAP to TAC for analysis.

If it's a false positive then likely a content update will fix it.

 

Cheers,

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thanks... My apologies for being a bit blond here.. Bit of a newbie I guess. 🙂

How would I go about sending the PCAP to TAC for analysis.

Never done this. Have no idea were to go and where to begin.

Hi @Indorama_Ventures,

 

Enable packet capture in your Antivirus threat profile :

 

2018-05-31_11-29-35.jpg

 

 

This setting will create a PCAP that you can download for analysis on the Monitor > Threat log page.

 

Cheers !

-Kiwi.

 

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

I got my self a PCAP file. Thanks for pointing me in the right direction.

 

Now need to find where to upload it for analysis.

Not been able to find this yet.

I noticed I can also exclude this particular finding but perhaps better to wait for the verdict of Palo Alto

Hi @Indorama_Ventures,

 

For PCAP analysis, you can create a support case and upload the file to the case.

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thanks, it appears I need to go through a local reseller in the Netherlands. I cannot create a case directly. This is cumbersome for just submitting a sample.

 

Thanks for helping me out here. Much appreciated!

 

Remko

Hi @Indorama_Ventures

 

Do you have a wildfire subscription? In yes, you could upload the proplematic executable (as it looks like in your logs the virus is detected the smb transfer of this executable) to wildfire as it will maybe show malicious (this signature was initially created by wildfire). Then you could report an incorrect verdict there without the need to create a case at your reseller.

But the "best" is probably still if you create a case at your reseller (and ask for premium support at next renewal so you will be able to create cases directly 😉

 

Regards,

Remo

Yes we do. 

 

The file (PDQInventoryScanner.exe) as shown in the screenshot is classified as benign. So not sure why it is triggered.

In the screenshot  it also shows certain URL's as the same virus. 

Most likely the inventory scanner also checks cloud services for things like warrenty, etc.

I just do not understand why I have all of a sudden 2.7 K of virusses detected 🙂

 

I have submitted a case now with the local reseller. 

 

Will keep you posted...

 

 

Since when exactly do you have these in the logs? The signature was initially released by wildfire on 2018-05-21 and in normal threat updates on 2018-05-22. So depending when you have installed these updates, you probably have these alerts in the log since then... if this scanner runs continuously to do something.

I started noticing these warnings yesterday. Prior to this, this particular "virus" was not found.

The report runs at night for the last 24 hours.

Yesterday the count was 1973. 

For today (last 24 hours ) the count is 2040

 

It is hard to tell when exactly a scan is triggered. When the scan is > 7 days old. When a new application is installed a scanned is performed, etc.

Strange thing is that is also triggers on URL's

I am not sure why I am seeing these messages?

 

2018-05-31 14_49_42-FW-PA500-1.png

 

 

Hi @Indorama_Ventures

 

Make sure that you also add a packet capture of one of these logs (SMB traffic with an URL as filename) to the case. This either is a very special attack in your network or - probably more likely - a bug.

We also have this very same problem.  Also running PDQ Inventory and Spiceworks.  Do we need to upload a packet capture too?

 

Leo

I do not believe you do. This is the latest reply from Palo Alto

 

we've had a wave of few days last month where our static analysis caused a number of false positives due to an artifact that wasn't such a sure indicator of compromise yet it has had high value in our detectors; once we reviewed that IOC and adjusted it's weight in the static analysis algorithm, everything was fixed (regarding high false-positive rate). However, we still have few hashes to fix verdict on (such as few of those you shared).

I reviewed all the samples and they were flipped due to overly aggressive IOC weight.

  • 1 accepted solution
  • 7377 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!