Havex Malware


L1 Bithead

Hi all,

Do you have any information about PAN detection capability for the Havex malware family: http://www.f-secure.com/weblog/archives/00002718.html

Threat vault seems to produce no hits at the moment.

Tuomo

I only see one SHA reported as malware and rest as benign.

Please open a case with Palo Alto support and they'll address the issue with WildFire.

I don't have a sample of the malware, I'm just "stirring the pot" to be honest.

Interesting info in Brightcloud's webinar on Dragonfly/Havex right now.

I asked if there has been any information exchange between Symantec (which has a lot of information - and protects users - on Dragonfly/Havex) and Palo Alto. They said they did info exchange with a lot of companies, but not PAN - why not?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi

According to the latest Application and Threat Content Release Notes for version 445:

New Anti-spyware Signatures (5)

| Severity | ID | Attack Name | Default Action | Minimum PAN-OS Version | Maximum PAN-OS Version |
|---|---|---|---|---|---|
| critical | 13471 | DeepPanda.Gen Command And Control Traffic | alert | 3.1.0 | |
| critical | 13472 | DeepPanda.Gen Command And Control Traffic | alert | 3.1.0 | |
| critical | 13479 | Gypthoy.Gen Command And Control Traffic | alert | 3.1.0 | |
| critical | 13480 | PowerLoader.Gen Command And Control Traffic | alert | 3.1.0 | |
| critical | 13488 | Havex.Gen Command And Control Traffic | alert | 3.1.0 | |

Regards

Slawek

L4 Transporter

Havex is still flagged as benign by the public WildFire page.

Havex is listed here:

https://threatvault.paloaltonetworks.com/Home/VirusDetail/2889719

But the hash shows benign, here:

https://threatvault2.paloaltonetworks.com/detailreport/7933809aecb1a9d2110a6fd8a18009f2d9c58b3c7dbda...

I've been looking for an official answer on how the information from AV feeds back into Wildfire and the answer seems to be it does not.  Wildfire is viewed as an early warning behavioral analysis and the verdicts from this are currently remaining in place.  The feeling is that the AV signatures will catch the file anyway so there is no need to feed the information back into Wildfire.

I don't think I like that answer. But I do understand that creating that feedback process and re-evaluation on issues like Havex is just an investment of time PA is not making right now.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi Steven -- The confusion here stems from the fact that folks are looking at threatvault2.paloaltonetworks.com rather than wildfire.paloaltonetworks.com. To be clear, the Havex samples are classified as malware, have been since June 24, and would show up with that verdict if seen on a firewall that has access to the WildFire cloud today. There absolutely is a feedback mechanism in place here.

The individual VM verdicts shown in ThreatVault (e.g. "This sample was found to be benign on this virtual machine") are an oversight on our part -- they don't always correspond to the current disposition of the sample, and weren't intended for display in ThreatVault reports. I've filed a bug to have them removed so we can avoid confusion on this issue in the future.

Thanks for the response on the process.  This is the response I was looking for ultimately from PA.  I do have one question then. 

If the threat vault VM verdict is not the correct procedure to determine a file's status, what is the procedure we should use to verify a file's status in WildFire?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi Steven -- In the case of ThreatVault, the mere inclusion of a file indicates its status: Every file in ThreatVault meets the criteria of 1) Is a threat, and 2) Has protections available. If a file doesn't appear in ThreatVault, you can check it through the WildFire portal (or on the firewall), or by retrieving the PDF or XML report using the WildFire API.
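
The distinction discussed in this thread, between a single VM's result and the file's overall disposition, shown on an XML report as an added example (not code from the thread or from Palo Alto Networks). The element names (`file_info/malware`, `task_info/report`) and the `get/report` request fields are assumptions based on the public WildFire API documentation; the sample report and hash are constructed.

```python
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: layout assumed from the WildFire XML report format, values made up.
SAMPLE_SHA256 = "ab" * 32
SAMPLE_REPORT = f"""<wildfire>
  <version>2.0</version>
  <file_info><malware>yes</malware><sha256>{SAMPLE_SHA256}</sha256></file_info>
  <task_info>
    <report><software>Windows XP</software><malware>no</malware></report>
    <report><software>Windows 7</software><malware>yes</malware></report>
  </task_info>
</wildfire>"""

def fetch_report(api_key, sha256, base="https://wildfire.paloaltonetworks.com/publicapi"):
    """Retrieve the XML report for a hash (endpoint and fields assumed from the public API docs)."""
    body = urllib.parse.urlencode({"apikey": api_key, "hash": sha256, "format": "xml"})
    with urllib.request.urlopen(base + "/get/report", data=body.encode(), timeout=30) as resp:
        return resp.read().decode("utf-8")

def file_disposition(report_xml, expected_sha256):
    """Return the file-level verdict and list the VMs whose own result differs from it."""
    if not re.fullmatch(r"[0-9a-fA-F]{64}", expected_sha256):
        raise ValueError("expected a SHA-256 hex digest")
    root = ET.fromstring(report_xml)
    info = root.find("file_info")
    if info is None or info.findtext("malware") is None:
        raise ValueError("report carries no file-level verdict")
    if (info.findtext("sha256") or "").strip().lower() != expected_sha256.lower():
        raise ValueError("report describes a different file")
    overall = info.findtext("malware").strip().lower() == "yes"
    per_vm = {}
    for rep in root.iterfind("task_info/report"):
        vm = (rep.findtext("software") or "unknown").strip()
        per_vm[vm] = (rep.findtext("malware") or "").strip().lower() == "yes"
    # A VM that disagrees is analysis detail, not the sample's current disposition.
    disagree = [vm for vm, verdict in per_vm.items() if verdict != overall]
    return {"malware": overall, "per_vm": per_vm, "vm_disagrees": disagree}

if __name__ == "__main__":
    print(file_disposition(SAMPLE_REPORT, SAMPLE_SHA256))
```
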

cblackmore, thanks for the further clarification.  These are all the answers I wanted to hear.  I appreciate knowing that the integration of all these threat detection methods is complete.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center