Havex Malware

I only see one SHA reported as malware and rest as benign.

Please open a case with palo alto support and they'll address the issue with wildfire.

I don't have a sample of the malware, I'm just "stirring the pot" to be honest

Interesting info in Brightclouds Webinar on Dragonfly/havex right now,

I asked if there has been any information exchange between Symantec (which has a lot of information - and protect users - on Dragonfly/havex) and Paloalto. They said the did info ex with a lot of company, but not PAN - why not?

hyadavalli,

Based on your responses here, I assume you work for PA.  Can you explain what happens with new signatures like this against the existing file database that was deemed benign?

Some of these "benign" files will be previously unknown viruses like Havex.  Does Wildfire check them again against new signatures?

If a previously flagged benign file is uploaded again, is this automatically benign from the previous verdict?

In short, how does PA clean up the hash database to be sure the new viruses are successfully identified?

Hi

According to latest Application and Threat Content Release Notes for version 445

New Anti-spyware Signatures (5)

Regards

Slawek

I've been looking for an official answer on how the information from AV feeds back into Wildfire and the answer seems to be it does not.  Wildfire is viewed as an early warning behavioral analysis and the verdicts from this are currently remaining in place.  The feeling is that the AV signatures will catch the file anyway so there is no need to feed the information back into Wildfire.

I don't think I like that answer.  But I do understand that creating that feedback process and re-evaluation on issues like Havex are just an investment of time PA is not making right now.

Hi Steven -- The confusion here stems from the fact that folks are looking at threatvault2.paloaltonetworks.com rather than wildfire.paloaltonetworks.com. To be clear, the Havex samples are classified as malware, have been since June 24, and would show up with that verdict if seen on a firewall that has access to the WildFire cloud today. There absolutely is a feedback mechanism in place here.

The individual VM verdicts shown in ThreatVault (e.g. "This sample was found to be benign on this virtual machine") are an oversight on our part -- they don't always correspond to the current disposition of the sample, and weren't intended for display in ThreatVault reports. I've filed a bug to have them removed so we can avoid confusion on this issue in the future.

cblackmore ,

Thanks for the response on the process.  This is the response I was looking for ultimately from PA.  I do have one question then. 

If the threat vault vm verdict is not the correct procedure to determine a files status, what is the procedure we should use to verify a files status in Wildfire?

Hi Steven -- In the case of ThreatVault, the mere inclusion of a file indicates its status: Every file in ThreatVault meets the criteria of 1) Is a threat, and 2) Has protections available. If a file doesn't appear in ThreatVault, you can check it through the WildFire portal (or on the firewall), or by retrieving the PDF or XML report using the WildFire API.

cblackmore, thanks for the further clarification.  These are all the answers I wanted to hear.  I appreciate knowing that the integration of all these threat detection methods is complete.