07-12-2011 07:53 AM
I'm hoping someone can help me with a threat detected by my PA500 (details below).
I recently found entries in my Threat logs suggesting an SSL-VPN user was malware compromised. Upon closer inspection, I cannot determine exactly the nature of the threat, nor how to detect/remove the threat from the client machine. I'm hoping this is not a false positive identifying a normal function as malware (GoogleToolbarInstaller_updater_signed.exe).
I'm not finding answers in Palo Alto's Threat database, nor in the Knowledgebase. But maybe someone here has some experience or insight regarding this threat? I'd appreciate some help, thanks!
How real is this "virus"? (I can't find detailed descriptions on PaloAlto, let alone other sources)
How do I remove the infection?
Is this expected behavior from GoogleToolbarInstaller updater?
Why is this "bad"?
Field | Value
Domain | 1
Receive Time | 08-07-11 06:30
Serial # | 0006C1xxxxxx
Type | THREAT
Threat/Content Type | virus
Config Version | 1
Generate Time | 08-07-11 06:30
Source address | 173.194.24.83
Destination address | 172.16.1.1
NAT Source IP | 173.194.24.83
NAT Destination IP | 71.180.xxx.xxx
Rule | rule1
Source User |
Destination User | rmanik
Application | web-browsing
Virtual System | vsys1
Source Zone | L3-untrust
Destination Zone | SSL-VPN
Inbound Interface | tunnel.1
Outbound Interface | ethernet1/5
Log Action |
Time Logged | 08-07-11 06:30
Session ID | 50509
Repeat Count | 2
Source Port | 80
Destination Port | 49797
NAT Source Port | 80
NAT Destination Port | 55650
Flags | 0x400000
IP Protocol | tcp
Action | deny
URL | GoogleToolbarInstaller_updater_signed.exe
Threat/Content Name | Virus/Win32.slugin.iyz(2385375)
Category | any
Severity | medium
Direction | server-to-client
Palo Alto Threat Database 3.1 yields the following description:
Virus/Win32.slugin.iyz (2385375)
Attack Name: Worm/W32.generic.fklrm | Description: (none given) | Threat ID: 2385375
The log detail is as follows:
Log Details
Time
Generate Time: 2011/07/08 06:30:32
Receive Time: 2011/07/08 06:30:37
General
Session ID: 50509
Threat/Content Name: Virus/Win32.slugin.iyz
Threat/Content Type: virus
Action: deny
Severity: medium
Application: web-browsing
IP Protocol: tcp
Rule: rule1
Log Action:
Category: any
Repeat Count 2
Virtual System: vsys1
Misc: GoogleToolbarInstaller_updater_signed.exe
Device: 0006C1xxxxxx (myPa500Serial)
Misc
Captive Portal:
Proxy Transaction:
Decrypted:
Packet Capture:
Direction: server-to-client
Source
Source User:
Source address: 173.194.24.83
Source Port: 80
Source Zone: L3-untrust
Inbound Interface: tunnel.1
NAT Source IP 173.194.24.83
NAT Source Port: 80
Destination
Destination User: rmanik
Destination address: 172.16.1.1
Destination Port: 49797
Destination Zone: SSL-VPN
Outbound Interface: ethernet1/5
NAT Destination IP: 71.180.xxx.xxx (myExternalPublicIp)
NAT Destination Port: 55650
Receive Time | Log Type | Application | Action | Rule | Bytes | Pkts | Severity | Category | URL
07/08 06:30:37 | threat virus | web-browsing | deny | rule1 | | | medium | any | GoogleToolbarInstaller_updater_signed.exe
07/08 06:32:02 | traffic end | web-browsing | allow | rule1 | 12,354 | 15 | | |
My PA500:
Software version | 4.0.2 |
SSL-VPN Client | 1.3.0 |
GlobalProtect Client | 0.0.0 |
Application version | 255-1051 |
Threat version | 254-1048 |
Antivirus version | 515-673 |
URL Filtering version | 3637 |
GlobalProtect datafile version | 0 |
07-12-2011 10:36 AM
Terina - We've had several downloads of the GoogleToolbarInstaller_updater_signed.exe blocked by the same Threat ID 2385375. Suspecting that it might be a false positive, I opened a case on July 5th. It is still being researched. -Craig
11-03-2011 07:11 AM
Curious if there has been any movement on this issue. I am seeing this a lot now on our PA500 classified as Trojan/Win32.patched.ocmj(2569370). It seems to be associated with the Google-Update application.
11-03-2011 09:35 AM
Hi mwaters31,
I would open up a case with Support that includes the following:
1) PCAP of the threat
2) Output from the command >show system info
3) A snapshot of the threat via the threat log
We'll investigate promptly and provide a bug fix if it's deemed as a false positive.
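Before opening a case like the one described above, it helps to see how many users and downloads the same Threat ID has hit, since one signed vendor installer tripping the same signature across several users is the pattern that made posters here suspect a false positive. The following Python is an added example (not code from the original thread, nor a Palo Alto Networks tool): it parses pipe-delimited threat-log rows in the column layout pasted in the first post, pulls the numeric Threat ID out of the "Threat/Content Name" field, and groups virus hits by Threat ID and file name. The three log rows are constructed for the example; the users "jdoe" and "asmith", the second threat name and its ID are hypothetical.

```python
import re

# Column layout of the PAN-OS threat-log export as pasted in the first post.
THREAT_LOG_COLUMNS = [
    "Domain", "Receive Time", "Serial #", "Type", "Threat/Content Type",
    "Config Version", "Generate Time", "Source address", "Destination address",
    "NAT Source IP", "NAT Destination IP", "Rule", "Source User",
    "Destination User", "Application", "Virtual System", "Source Zone",
    "Destination Zone", "Inbound Interface", "Outbound Interface", "Log Action",
    "Time Logged", "Session ID", "Repeat Count", "Source Port",
    "Destination Port", "NAT Source Port", "NAT Destination Port", "Flags",
    "IP Protocol", "Action", "URL", "Threat/Content Name", "Category",
    "Severity", "Direction",
]

# Constructed sample rows (not from the original post). Row 1 mirrors the
# thread's hit; rows 2 and 3 are hypothetical: a second user fetching the same
# installer, and an unrelated upload hit with a made-up threat name and ID.
SAMPLE_LOG = """\
1|08-07-11 06:30|0006C1xxxxxx|THREAT|virus|1|08-07-11 06:30|173.194.24.83|172.16.1.1|173.194.24.83|71.180.xxx.xxx|rule1||rmanik|web-browsing|vsys1|L3-untrust|SSL-VPN|tunnel.1|ethernet1/5||08-07-11 06:30|50509|2|80|49797|80|55650|0x400000|tcp|deny|GoogleToolbarInstaller_updater_signed.exe|Virus/Win32.slugin.iyz(2385375)|any|medium|server-to-client
2|08-07-11 09:12|0006C1xxxxxx|THREAT|virus|1|08-07-11 09:12|173.194.24.83|172.16.1.7|173.194.24.83|71.180.xxx.xxx|rule1||jdoe|web-browsing|vsys1|L3-untrust|SSL-VPN|tunnel.1|ethernet1/5||08-07-11 09:12|50611|1|80|51202|80|55901|0x400000|tcp|deny|GoogleToolbarInstaller_updater_signed.exe|Virus/Win32.slugin.iyz(2385375)|any|medium|server-to-client
3|08-07-11 11:45|0006C1xxxxxx|THREAT|virus|1|08-07-11 11:45|172.16.1.9|203.0.113.10|71.180.xxx.xxx|203.0.113.10|rule1|asmith||web-browsing|vsys1|SSL-VPN|L3-untrust|ethernet1/5|tunnel.1||08-07-11 11:45|50702|1|52110|80|60010|80|0x400000|tcp|deny|invoice.exe|Trojan/Win32.example.abcd(9999999)|any|medium|client-to-server
"""

# "Virus/Win32.slugin.iyz(2385375)" -> name "Virus/Win32.slugin.iyz", id 2385375
THREAT_ID_RE = re.compile(r"^(?P<name>.+?)\((?P<id>\d+)\)$")


def parse_threat_log(text, delimiter="|"):
    """Parse delimited threat-log rows into dicts keyed by THREAT_LOG_COLUMNS.

    A row with the wrong field count is rejected rather than silently
    mis-aligned, because a shifted column would attribute the hit to the
    wrong user or direction.
    """
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(delimiter)
        if len(fields) != len(THREAT_LOG_COLUMNS):
            raise ValueError(
                f"line {lineno}: expected {len(THREAT_LOG_COLUMNS)} fields, got {len(fields)}"
            )
        rec = dict(zip(THREAT_LOG_COLUMNS, fields))
        m = THREAT_ID_RE.match(rec["Threat/Content Name"])
        rec["Threat Name"] = m.group("name") if m else rec["Threat/Content Name"]
        rec["Threat ID"] = int(m.group("id")) if m else None
        rec["Repeat Count"] = int(rec["Repeat Count"])
        records.append(rec)
    return records


def summarize_by_threat(records):
    """Group virus hits by (Threat ID, file name).

    For a server-to-client hit the affected user is the Destination User and
    the file came from the Source address; for client-to-server it is the
    reverse. Returns {(threat_id, filename): {...}} with the distinct users,
    the distinct peer hosts and the summed Repeat Count.
    """
    summary = {}
    for rec in records:
        if rec["Threat/Content Type"] != "virus":
            continue
        inbound = rec["Direction"] == "server-to-client"
        user = rec["Destination User"] if inbound else rec["Source User"]
        peer = rec["Source address"] if inbound else rec["Destination address"]
        key = (rec["Threat ID"], rec["URL"])
        entry = summary.setdefault(
            key, {"threat_name": rec["Threat Name"], "users": set(), "peers": set(), "hits": 0}
        )
        entry["users"].add(user or "<unknown>")
        entry["peers"].add(peer)
        entry["hits"] += rec["Repeat Count"]
    return summary


def case_summary_lines(summary):
    """Render one line per (Threat ID, file) for pasting into a support case."""
    lines = []
    for (tid, fname), e in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        lines.append(
            f"Threat ID {tid} ({e['threat_name']}) on {fname}: "
            f"{e['hits']} hit(s), {len(e['users'])} user(s) "
            f"[{', '.join(sorted(e['users']))}], peers {', '.join(sorted(e['peers']))}"
        )
    return lines


if __name__ == "__main__":
    for line in case_summary_lines(summarize_by_threat(parse_threat_log(SAMPLE_LOG))):
        print(line)
```

Run it against a real export by reading the file into `parse_threat_log` instead of `SAMPLE_LOG` (adjust `delimiter` if the export is comma-separated). The output gives the "snapshot of the threat" part of the case in one line per signature, and a row where a signed vendor installer from the same peer host hits several users is the one worth attaching a PCAP for.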
11-10-2011 09:26 AM
+1. I'd like to see the Threat Details include an MD5 checksum so we may look at VirusTotal ourselves. Perhaps this will be possible with WildFire?
11-30-2011 07:59 AM
Hello. I was wondering if there has been any update on whether this is a legit threat or a false positive?
12-01-2011 07:34 AM
According to the Tech Support working on the case I opened, a bug was found and was subsequently fixed in virus definition version 605.