09-18-2015 06:09 AM
Just curious what everyone's experience / success has been when trying to get URLs re-categorized, especially malicious domains?
I don't seem to have much luck instilling a sense of urgency with support on these requests.
I submitted a support case for a domain on the 10th that we see phishing/credential harvesting on, and I've still got no action from support (on a case I submitted as a high).
Anything I could do to get better results? I'd think Palo Alto, for all intents and purposes a network defense company, would have more timely responses to these requests.
09-18-2015 06:11 AM
I should add, it was categorized as unknown and got categorized as "real-estate" prior to the 10th, which precipitated the support request.
We submitted the initial one as phishing, to which Palo's categorization was "real-estate."
09-18-2015 06:15 AM
Hi Brandon
Did you try submitting the URL through https://urlfiltering.paloaltonetworks.com/ ?
This should trigger a direct request with the URL DB team to verify a URL manually.
regards
Tom
09-18-2015 06:18 AM
So far I only had a couple of requests for sites that were marked as malware to be re-evaluated. And PA were really quick to check and change to some safe category.
09-18-2015 06:28 AM
Yes.
We do the initial "automated process" either through URL logs or direct on the site.
I can recount at least 5 times where people at my company "suggest" a site as "malware" or "phishing" only to have the canned response thanks but no thanks.
So we submit a case, which is what I did in this instance as well. We're now going on 8 days with no resolution for the case.
This screen shot was included in the support case...How is this not an automatic action...Tip...I don't work for "swlacomps.com" they shouldn't be asking my users to put their credentials in.
09-18-2015 06:46 AM
I had a problem convincing PA a certain file to be malware. The file in question is IZArc_Setup.exe with SHA-256 hash 4d5882c57875b86cd6095e3bf2c64785cb878fd9d836d2091c9585198e2b4c75
15/55 AV vendors on VirusTotal recognise it as virus. (https://www.virustotal.com/en/file/4d5882c57875b86cd6095e3bf2c64785cb878fd9d836d2091c9585198e2b4c75/...
It downloads a file (SHA256: ffaf52d2f7c34df344c21a532a52711dbebcbb77a5e00b8aad46d6c247ed8718) from a domain which is marked as malware domain by PA DB and BrightCloud (sub.dunhiri.com/installers/bi_downloader/1433912751207/setup.exe).
The file it downloads is marked as benign by WF portal, but 26/56 AV vendors according to VirusTotal mark it as virus (https://www.virustotal.com/en/file/ffaf52d2f7c34df344c21a532a52711dbebcbb77a5e00b8aad46d6c247ed8718/...
I tried to change the verdict for this 3 times but I was never successful. So yeah, it's a mission to convince PA some file is actually malware. A bit disappointing.
09-21-2015 11:50 AM
Going on 11 days now...Still no action in the categorization request.
Geez, I sure hope no other companies' user credentials have been stolen in this time.