09-11-2025 12:30 PM
We have a file (Filex.exe) that is throwing blocks of the following type
| Threat Type | wildfire-virus |
| Threat ID/Name | trojan/Win32 EXE.crypt.aexg |
| ID | 213019932 (View in Threat Vault) |
How do I exclude this file from alerting? I went into Object > Security Objects > Antivirus > the profile > Wildfire Inline ML, and I added the file name and partial hash (not sure I fully understand partial hash. I used the first 31 characters of the sha256). We are still getting alerts for this file though.
Any ideas?
09-12-2025 01:18 AM
Hi @Verac22 ,
It looks like the threat type is identified as "wildfire-virus" and not as "ml-virus".
There's a nuance in both of these threat types as far as I know:
The wildfire-virus threat type comes from a verdict issued by the WildFire cloud analysis. This is a definitive, file-based verdict.
The ml-virus threat type comes from the inline machine learning engine on the firewall.
The exception you created on the WildFire Inline ML page only applies to detections made by the inline engine (ml-virus threats). Since the file was categorized as a wildfire-virus by the cloud, the local exception was bypassed.
Here's the KB talking about it:
How to set a File exception or disable WildFire Inline ML model (ml-virus threat types)
Kind regards,
-Kim.
09-18-2025 08:32 AM
@kiwi I think that makes sense. How then do you create an exclusion for the "wildfire-virus" type detections?
09-18-2025 05:23 PM
If you are sure that the file is not malicious, then you can set the exception in the "Signature Exceptions" tab using the Threat ID "213019932".
References:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC
09-25-2025 01:02 PM
So that allows us to exclude the entire signature. But is there no way to only exclude the particular file by hash or name?
09-25-2025 01:51 PM
The way to handle this really is by reporting the incorrect verdict so that it is corrected and no longer triggers. There's not a way to exclude just that one single hash unless it's an inline detection; the closest you can get to that is creating a specific profile with the threat signature excluded and associating it with a dedicated rule where that file would be matching. Obviously that doesn't mean it will only ever match that one file, but you've created the smallest possible exception that you currently can with PAN-OS.

