PAN-DB Re-Categorization Requests


L6 Presenter

Just curious what everyone's experience / success has been when trying to get URLs re-categorized, especially malicious domains?

I don't seem to have much luck instilling a sense of urgency with support on these requests.

I submitted a support case on the 10th for a domain on which we see phishing/credential harvesting, and I've still got no action from support (on a case I submitted as high).

Anything I could do to get better results? I'd think Palo Alto, for all intents and purposes a network defense company, would have more timely responses to these requests.


L6 Presenter

I should add, it was categorized as unknown and got categorized as "real-estate" prior to the 10th, which precipitated the support request.

We submitted the initial one as phishing, to which Palo's categorization was "real-estate."

Hi Brandon

Did you try submitting the URL through https://urlfiltering.paloaltonetworks.com/ ?

This should trigger a direct request with the URL DB team to verify a URL manually.

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

So far I only had a couple of requests for sites that were marked as malware to be re-evaluated. And PA were really quick to check and change to some safe category.

Yes.

We do the initial "automated process" either through URL logs or direct on the site.

I can recount at least 5 times where people at my company "suggest" a site as "malware" or "phishing" only to have the canned response thanks but no thanks.

So we submit a case, which is what I did in this instance as well. We're now going on 8 days with no resolution for the case.

This screenshot was included in the support case... How is this not an automatic action... Tip: I don't work for "swlacomps.com"; they shouldn't be asking my users to put their credentials in.

[Attachment: Phishing.JPG]

I had a problem convincing PA a certain file was malware. The file in question is IZArc_Setup.exe with SHA-256 hash 4d5882c57875b86cd6095e3bf2c64785cb878fd9d836d2091c9585198e2b4c75

15/55 AV vendors on VirusTotal recognise it as a virus. (https://www.virustotal.com/en/file/4d5882c57875b86cd6095e3bf2c64785cb878fd9d836d2091c9585198e2b4c75/...

It downloads a file (SHA256: ffaf52d2f7c34df344c21a532a52711dbebcbb77a5e00b8aad46d6c247ed8718) from a domain which is marked as a malware domain by PA DB and BrightCloud (sub.dunhiri.com/installers/bi_downloader/1433912751207/setup.exe).

The file it downloads is marked as benign by the WF portal, but 26/56 AV vendors according to VirusTotal mark it as a virus (https://www.virustotal.com/en/file/ffaf52d2f7c34df344c21a532a52711dbebcbb77a5e00b8aad46d6c247ed8718/...

I tried to change the verdict for this 3 times but I was never successful. So yeah, it's a mission to convince PA some file is actually malware. A bit disappointing.
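
As an added illustration (not code from this thread, nor from Palo Alto Networks or VirusTotal): a small Python triage helper that hashes the sample you actually hold, parses a WildFire get/verdict response, and compares that verdict with a VirusTotal detection count before you open a verdict-change case. The WildFire XML layout and verdict codes, and the VirusTotal `last_analysis_stats` key names, are assumptions taken from the public API documentation; the sample bytes, the response and the engine counts are constructed here to mirror the 26/56 split quoted in the post above. The hash cross-check matters because a case citing a verdict for a different file than the one you submitted goes nowhere.

```python
import hashlib
import xml.etree.ElementTree as ET

# Verdict codes as documented for the WildFire public API get/verdict call
# (assumed here; confirm against your WildFire API reference).
WILDFIRE_VERDICTS = {
    0: "benign", 1: "malware", 2: "grayware", 4: "phishing",
    -100: "pending", -101: "error", -102: "unknown", -103: "invalid hash",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the sample you actually have, so the case cites the right hash."""
    return hashlib.sha256(data).hexdigest()


def parse_wildfire_verdict(xml_text: str) -> tuple[str, str]:
    """Return (sha256, verdict name) from an assumed WildFire get/verdict XML response."""
    root = ET.fromstring(xml_text)
    info = root.find("get-verdict-info")
    if info is None:
        raise ValueError("response has no <get-verdict-info> element")
    sha = (info.findtext("sha256") or "").strip().lower()
    code = int((info.findtext("verdict") or "").strip())
    return sha, WILDFIRE_VERDICTS.get(code, f"code {code}")


def vt_detection_ratio(stats: dict) -> tuple[int, int]:
    """(malicious, total engines) from an assumed VirusTotal v3 last_analysis_stats dict."""
    malicious = int(stats.get("malicious", 0))
    total = sum(int(v) for v in stats.values())
    return malicious, total


def should_dispute(verdict: str, malicious: int, total: int,
                   min_engines: int = 10, min_ratio: float = 0.25) -> bool:
    """Escalate only a benign verdict that a meaningful share of engines contradicts.

    A handful of heuristic hits on an installer is routine; 26 of 56 is not.
    """
    if verdict != "benign" or total == 0:
        return False
    return malicious >= min_engines and malicious / total >= min_ratio


def build_case_summary(sample: bytes, wildfire_xml: str, vt_stats: dict) -> dict:
    """Decide whether the evidence supports a verdict-change case for this sample."""
    local_sha = sha256_hex(sample)
    wf_sha, verdict = parse_wildfire_verdict(wildfire_xml)
    malicious, total = vt_detection_ratio(vt_stats)
    if wf_sha != local_sha:
        action = "hash_mismatch"  # the verdict is for a different file; do not open a case yet
    elif should_dispute(verdict, malicious, total):
        action = "dispute"
    else:
        action = "no_action"
    return {"sha256": local_sha, "wildfire_verdict": verdict,
            "vt_malicious": malicious, "vt_total": total, "action": action}


# --- constructed sample data (a stand-in, not the real installer from the post) ---
SAMPLE_BYTES = b"MZ constructed stand-in for setup.exe, not the real file"
SAMPLE_SHA256 = sha256_hex(SAMPLE_BYTES)
SAMPLE_WILDFIRE_XML = (
    "<wildfire><get-verdict-info>"
    f"<sha256>{SAMPLE_SHA256}</sha256><verdict>0</verdict>"
    "</get-verdict-info></wildfire>"
)
# Mirrors the 26/56 split quoted in the post; key names follow the assumed VT v3 schema.
SAMPLE_VT_STATS = {"malicious": 26, "undetected": 30, "harmless": 0, "suspicious": 0}


def demo() -> dict:
    """Run the triage over the constructed sample; returns the case summary dict."""
    return build_case_summary(SAMPLE_BYTES, SAMPLE_WILDFIRE_XML, SAMPLE_VT_STATS)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The thresholds in `should_dispute` are a judgement call; tune `min_engines` and `min_ratio` to what your team is prepared to argue in a case, and keep the hash-mismatch branch, since a verdict pulled for the wrong hash is the commonest reason a dispute gets a canned reply.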
Going on 11 days now...Still no action in the categorization request.

Geeze I sure hope no other companies user credentials have been stolen in this time.
