This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Firewall intercepts Virus between networks. False Positive???

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Firewall intercepts Virus between networks. False Positive???

Go to solution
Indorama_Ventures
L3 Networker

‎05-31-2018 01:46 AM

Dear Palo Alto experts...,

 

We have various systems in our LAN seperated by our Palo Alto firewall.

 

In the last 24 hours the firewall detected 2.7K times the virus  "Virus/Win32.WGeneric.rktkq"

2018-05-31 10_39_51-FW-PA500-1.png2018-05-31 10_35_11-FW-PA500-1.png

 

The systems are scanned for inventory by two programs. Spiceworks and PDQ inventory. The scan server is on one side of the firewall. The other servers are on the other side of the firewall.

The "Spiceworks" server has been scanned by our Kasperksy AntiVirus solution. No detections here.

 

What could be causing this? And if it is a false positive, what would the next path forward to solve this problem?

 

Any thoughts you might have are very welcome.

 

Remko

 

 

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Indorama_Ventures
L3 Networker
In response to Leo_Dittemore

‎06-06-2018 11:19 PM

I do not believe you do. This is the latest reply from Palo Alto

 

we've had a wave of few days last month where our static analysis caused a number of false positives due to an artifact that wasn't such a sure indicator of compromise yet it has had high value in our detectors; once we reviewed that IOC and adjusted it's weight in the static analysis algorithm, everything was fixed (regarding high false-positive rate). However, we still have few hashes to fix verdict on (such as few of those you shared).

I reviewed all the samples and they were flipped due to overly aggressive IOC weight.

View solution in original post

0 Likes Likes
16 REPLIES 16

Go to solution
kiwi
Community Team Member

‎05-31-2018 02:16 AM

Hi @Indorama_Ventures,

 

Configure the firewall to gather a PCAP for the threat.  Then you can send the PCAP to TAC for analysis.

If it's a false positive then likely a content update will fix it.

 

Cheers,

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Go to solution
Indorama_Ventures
L3 Networker
In response to kiwi

‎05-31-2018 02:25 AM

Thanks... My apologies for being a bit blond here.. Bit of a newbie I guess. 🙂

How would I go about sending the PCAP to TAC for analysis.

Never done this. Have no idea were to go and where to begin.

0 Likes Likes

Go to solution
kiwi
Community Team Member
In response to Indorama_Ventures

‎05-31-2018 02:34 AM

Hi @Indorama_Ventures,

 

Enable packet capture in your Antivirus threat profile :

 

2018-05-31_11-29-35.jpg

 

 

This setting will create a PCAP that you can download for analysis on the Monitor > Threat log page.

 

Cheers !

-Kiwi.

 

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Go to solution
Indorama_Ventures
L3 Networker
In response to kiwi

‎05-31-2018 02:53 AM

I got my self a PCAP file. Thanks for pointing me in the right direction.

 

Now need to find where to upload it for analysis.

Not been able to find this yet.

I noticed I can also exclude this particular finding but perhaps better to wait for the verdict of Palo Alto

0 Likes Likes

Go to solution
kiwi
Community Team Member
In response to Indorama_Ventures

‎05-31-2018 04:18 AM

Hi @Indorama_Ventures,

 

For PCAP analysis, you can create a support case and upload the file to the case.

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Go to solution
Indorama_Ventures
L3 Networker
In response to kiwi

‎05-31-2018 04:28 AM

Thanks, it appears I need to go through a local reseller in the Netherlands. I cannot create a case directly. This is cumbersome for just submitting a sample.

 

Thanks for helping me out here. Much appreciated!

 

Remko

0 Likes Likes

Go to solution
Remo
L7 Applicator
In response to Indorama_Ventures

‎05-31-2018 05:01 AM - edited ‎05-31-2018 05:14 AM

Hi @Indorama_Ventures

 

Do you have a wildfire subscription? In yes, you could upload the proplematic executable (as it looks like in your logs the virus is detected the smb transfer of this executable) to wildfire as it will maybe show malicious (this signature was initially created by wildfire). Then you could report an incorrect verdict there without the need to create a case at your reseller.

But the "best" is probably still if you create a case at your reseller (and ask for premium support at next renewal so you will be able to create cases directly 😉

 

Regards,

Remo

0 Likes Likes

Go to solution
Indorama_Ventures
L3 Networker
In response to Remo

‎05-31-2018 05:22 AM

Yes we do. 

 

The file (PDQInventoryScanner.exe) as shown in the screenshot is classified as benign. So not sure why it is triggered.

In the screenshot  it also shows certain URL's as the same virus. 

Most likely the inventory scanner also checks cloud services for things like warrenty, etc.

I just do not understand why I have all of a sudden 2.7 K of virusses detected 🙂

 

I have submitted a case now with the local reseller. 

 

Will keep you posted...

 

 

0 Likes Likes

Go to solution
Remo
L7 Applicator
In response to Indorama_Ventures

‎05-31-2018 05:32 AM

Since when exactly do you have these in the logs? The signature was initially released by wildfire on 2018-05-21 and in normal threat updates on 2018-05-22. So depending when you have installed these updates, you probably have these alerts in the log since then... if this scanner runs continuously to do something.

0 Likes Likes

Go to solution
Indorama_Ventures
L3 Networker
In response to Remo

‎05-31-2018 05:52 AM

I started noticing these warnings yesterday. Prior to this, this particular "virus" was not found.

The report runs at night for the last 24 hours.

Yesterday the count was 1973. 

For today (last 24 hours ) the count is 2040

 

It is hard to tell when exactly a scan is triggered. When the scan is > 7 days old. When a new application is installed a scanned is performed, etc.

Strange thing is that is also triggers on URL's

I am not sure why I am seeing these messages?

 

2018-05-31 14_49_42-FW-PA500-1.png

 

 

0 Likes Likes

Go to solution
Remo
L7 Applicator
In response to Indorama_Ventures

‎05-31-2018 06:53 AM

Hi @Indorama_Ventures

 

Make sure that you also add a packet capture of one of these logs (SMB traffic with an URL as filename) to the case. This either is a very special attack in your network or - probably more likely - a bug.

0 Likes Likes

Go to solution
Leo_Dittemore
L0 Member
In response to Remo

‎06-06-2018 12:53 PM

We also have this very same problem.  Also running PDQ Inventory and Spiceworks.  Do we need to upload a packet capture too?

 

Leo

0 Likes Likes

Go to solution
Indorama_Ventures
L3 Networker
In response to Leo_Dittemore

‎06-06-2018 11:19 PM

I do not believe you do. This is the latest reply from Palo Alto

 

we've had a wave of few days last month where our static analysis caused a number of false positives due to an artifact that wasn't such a sure indicator of compromise yet it has had high value in our detectors; once we reviewed that IOC and adjusted it's weight in the static analysis algorithm, everything was fixed (regarding high false-positive rate). However, we still have few hashes to fix verdict on (such as few of those you shared).

I reviewed all the samples and they were flipped due to overly aggressive IOC weight.

0 Likes Likes
  • 1 accepted solution
  • 6592 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks