PA500 says virus - virus total says no

L1 Bithead

PA500 says virus - virus total says no

We have a bunch of files that we created that we need to upload via ftp to a remote server through the PA.

The files trip the virus detector in the PA.  Here's a syslog entry with some identifying information changed:

2014-06-16T15:22:31+10:00 10.84.1.33 [user warning] 22:31,000XXXXXXX,THREAT,virus,1,2014/06/16 15:22:25,10.84.20.250,50.28.93.0,0.0.0.0,0.0.0.0,I2E-ftp-rule-ftp,,,ftp,vsys1,Interior,External,ethernet1/2,ethernet1/1,mylog,2014/06/16 15:22:30,41521,1,36871,32182,0,0,0x0,tcp,deny,"myfile-06.06.0000-Beta-win64.exe",Virus/Win32.WGeneric.cpfjf(2455553),any,medium,client-to-server,236674,0x0,10.0.0.0-10.255.255.255,United States,0,

I scanned these files with several AV programs including clamav and I was able to upload them to virustotal (through the PA!) where they scanned completely clean.

If I turn off virus checking on our ftp rule then someone may be able to download files with viruses so I don't want to do that but we need these files uploaded.

How to do that?

L5 Sessionator

Re: PA500 says virus - virus total says no

Hello gmoss,

Instead of turning off the AV scan for the entire rule, you can put a threat exception for that Threat ID (2455553) in the relevant AV profile.

Here is a document that explains the same:

How to Add a Threat Exceptions

Or you can also exempt the IP addresses for that threat, so that the exception is applied to a particular set of source and destination IP addresses. This is a more granular approach than the previous one:

How To Add Exempt IP Addresses From the Threat Monitor Logs

Hope that helps.

Thanks and regards,

Kunal Adak

L1 Bithead

Re: PA500 says virus - virus total says no

Adding a threat exception means that if we ever get one of those we wouldn't be protected.

I want to be able to upload OK but have files tested on download.

Your answer, while helpful, doesn't answer the problem that we created these files and no-one else could find a virus in them.

I tried the "how to add exempt ip addresses" but it didn't work.  I never get anything in the lower boxes and I never get an add button.

I created a new AV profile for this rule with this virus exempted from the list.  But as I said, this won't protect us in the case someone tries to download a file that really has this virus.

L7 Applicator

Re: PA500 says virus - virus total says no

Hello Gmoss,

Yes, you are correct. If you add a threat exception, that means, for the time being, you wouldn't be protected. But you always have the option to open a support case and provide detailed information to get the database modified in a future release.


Secondly, there is no option to add exempt IP addresses on an "Anti-Virus" profile. That option is available for "Vulnerability" profiles.


FYI:

[screenshot: antivirus.JPG]

Hope this helps.

Thanks
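The trade-off the two replies above describe is that an Anti-Virus profile exception is keyed only on the threat ID, not on direction or source, so the same exception that lets the internal build upload through would also let a matching file be downloaded. Before committing such an exception, it helps to run the firewall's THREAT logs through a small triage script that separates the hits the exception is meant for (the legitimate client-to-server upload from the trusted zone) from any hit with the same ID that is a download or comes from somewhere else. The following is an added example written for this page, not code from the thread or from Palo Alto Networks. The field offsets are taken from the single log line posted above (a PAN-OS 6.x era CSV threat log); the trusted zone name, the trusted source network, the build-file name pattern and the two extra sample lines are constructed for illustration.

```python
"""Triage PAN-OS THREAT syslog lines against a planned Anti-Virus threat-ID exception.

Added example for this thread. Assumptions: CSV field offsets as seen in the
posted PAN-OS 6.x log line; zone/network/filename policy values are hypothetical.
"""
import csv
import io
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Offsets relative to the "THREAT" type field, derived from the posted log line
# (assumption: verify against the threat-log field list for your PAN-OS version).
REL = {
    "subtype": 1, "generated": 3, "src": 4, "dst": 5, "rule": 8, "app": 11,
    "from_zone": 13, "to_zone": 14, "action": 27, "misc": 28, "threat": 29,
    "severity": 31, "direction": 32,
}
THREAT_ID_RE = re.compile(r"\((\d+)\)\s*$")   # "Virus/Win32.WGeneric.cpfjf(2455553)" -> 2455553

# Hypothetical policy inputs matching the scenario in the thread.
EXCEPTED_THREAT_ID = "2455553"
TRUSTED_ZONE = "Interior"
TRUSTED_NET = ipaddress.ip_network("10.84.0.0/16")
BUILD_FILE_RE = re.compile(r"^myfile-[\d.]+-Beta-win64\.exe$")

# First line is the one posted in the thread (identifiers already masked by the poster);
# the other two are constructed: a download of a file hitting the same ID, and an unrelated ID.
SAMPLE_LINES = [
    '2014-06-16T15:22:31+10:00 10.84.1.33 [user warning] 22:31,000XXXXXXX,THREAT,virus,1,2014/06/16 15:22:25,10.84.20.250,50.28.93.0,0.0.0.0,0.0.0.0,I2E-ftp-rule-ftp,,,ftp,vsys1,Interior,External,ethernet1/2,ethernet1/1,mylog,2014/06/16 15:22:30,41521,1,36871,32182,0,0,0x0,tcp,deny,"myfile-06.06.0000-Beta-win64.exe",Virus/Win32.WGeneric.cpfjf(2455553),any,medium,client-to-server,236674,0x0,10.0.0.0-10.255.255.255,United States,0,',
    '2014-06-17T09:10:11+10:00 10.84.1.33 [user warning] 10:11,000XXXXXXX,THREAT,virus,1,2014/06/17 09:10:05,10.84.20.250,50.28.93.0,0.0.0.0,0.0.0.0,I2E-ftp-rule-ftp,,,ftp,vsys1,Interior,External,ethernet1/2,ethernet1/1,mylog,2014/06/17 09:10:10,41600,1,36900,21,0,0,0x0,tcp,deny,"installer.exe",Virus/Win32.WGeneric.cpfjf(2455553),any,medium,server-to-client,236700,0x0,10.0.0.0-10.255.255.255,United States,0,',
    '2014-06-17T09:12:40+10:00 10.84.1.33 [user warning] 12:40,000XXXXXXX,THREAT,virus,1,2014/06/17 09:12:35,10.84.20.17,50.28.93.0,0.0.0.0,0.0.0.0,I2E-ftp-rule-ftp,,,ftp,vsys1,Interior,External,ethernet1/2,ethernet1/1,mylog,2014/06/17 09:12:39,41611,1,37001,21,0,0,0x0,tcp,deny,"tool.exe",Virus/Win32.Example.abcd(1234567),any,medium,server-to-client,236710,0x0,10.0.0.0-10.255.255.255,United States,0,',
]


def parse_threat_log(line: str) -> Optional[Dict[str, str]]:
    """Return named fields of one THREAT syslog line, or None for non-THREAT records."""
    body = line.split("] ", 1)[-1]            # drop the syslog header up to the "[... warning]" tag
    row = next(csv.reader(io.StringIO(body)))  # csv handles the quoted filename field
    if "THREAT" not in row:
        return None
    t = row.index("THREAT")
    rec = {name: row[t + off] for name, off in REL.items() if t + off < len(row)}
    m = THREAT_ID_RE.search(rec.get("threat", ""))
    rec["threat_id"] = m.group(1) if m else ""
    return rec


def triage(rec: Dict[str, str]) -> str:
    """Classify one hit relative to the planned exception on EXCEPTED_THREAT_ID."""
    if rec.get("subtype") != "virus":
        return "not-virus"
    if rec.get("threat_id") != EXCEPTED_THREAT_ID:
        return "other-virus"              # unaffected by the exception
    src_trusted = (rec.get("from_zone") == TRUSTED_ZONE
                   and ipaddress.ip_address(rec["src"]) in TRUSTED_NET)
    if (rec.get("direction") == "client-to-server" and src_trusted
            and BUILD_FILE_RE.match(rec.get("misc", ""))):
        return "covered-upload"           # the legitimate upload the exception is meant for
    # Same ID but a download (server-to-client), a foreign source or a different file:
    # exactly the traffic the exception would stop the firewall from blocking.
    return "review-exception-gap"


def triage_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (filename, verdict) for every THREAT record in the given syslog lines."""
    out = []
    for line in lines:
        rec = parse_threat_log(line)
        if rec is not None:
            out.append((rec.get("misc", ""), triage(rec)))
    return out


if __name__ == "__main__":
    for name, verdict in triage_lines(SAMPLE_LINES):
        print(f"{verdict:22} {name}")
```

Run against the real log export (one syslog line per entry), any `review-exception-gap` result is a case the exception would have silently waved through, which is the gap the original poster is worried about; `covered-upload` results are the hits the exception is actually meant to cover. Note that once the exception is committed on the firewall, hits on that ID are no longer blocked, so this triage is most useful on the logs collected before the exception is added or when reviewing whether it can be removed again.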

L1 Bithead

Re: PA500 says virus - virus total says no

It'd be good to open a support case but how do I do that?  Every time I use this site everything has changed.  When I try and make a support case I get redirected to salesforce.com and I have no login there.

L7 Applicator

Re: PA500 says virus - virus total says no

Hello Gmoss,


If you have a valid support contract with PAN, please log in to https://support.paloaltonetworks.com/ and go to Case Management. There you can create a new support case.

OR

Please drop an email to support@paloaltonetworks.com.


Thanks

L1 Bithead

Re: PA500 says virus - virus total says no

Like I said, when I go there and click on Case Management I get redirected to a salesforce.com login page. I have no idea what to do then. I have no Salesforce login.

I finally got the redirect to work but I can't apparently log a case because my support has to go through another company.

L3 Networker

Re: PA500 says virus - virus total says no

When you click on the Case Management link, you should be taken to the following page.

[screenshot: 2014-06-18_07-42-09.png]

Click on the New Case button to open a case.

If you still encounter issues, open a case by calling Support.  Refer to Contact Us for Support phone numbers.

L3 Networker

Re: PA500 says virus - virus total says no

Support mechanism of PANW is rather simple - contact your reseller as he probably is your first line of support.
