I'm hoping someone can help me with a threat detected by my PA500 (details below).
I recently found entries in my Threat logs suggesting an SSL-VPN user had been compromised by malware. Upon closer inspection, I cannot determine exactly the nature of the threat, nor how to detect/remove the threat from the client machine. I'm hoping this is not a false positive identifying a normal function as malware (GoogleToolbarInstaller_updater_signed.exe).
I'm not finding answers in Palo Alto's Threat database, nor in the Knowledgebase. But maybe someone here has some experience or insight regarding this threat? I'd appreciate some help, thanks!
How real is this "virus"? (I can't find detailed descriptions on PaloAlto, let alone other sources)
How do I remove the infection?
Is this expected behavior from GoogleToolbarInstaller updater?
Why is this "bad"?
| Field | Value |
|---|---|
| Domain | 1 |
| Receive Time | 08-07-11 06:30 |
| Serial # | 0006C1xxxxxx |
| Type | THREAT |
| Threat/Content Type | virus |
| Config Version | 1 |
| Generate Time | 08-07-11 06:30 |
| Source address | 220.127.116.11 |
| Destination address | 172.16.1.1 |
| NAT Source IP | 18.104.22.168 |
| NAT Destination IP | 71.180.xxx.xxx |
| Rule | rule1 |
| Source User | |
| Destination User | rmanik |
| Application | web-browsing |
| Virtual System | vsys1 |
| Source Zone | L3-untrust |
| Destination Zone | SSL-VPN |
| Inbound Interface | tunnel.1 |
| Outbound Interface | ethernet1/5 |
| Log Action | |
| Time Logged | 08-07-11 06:30 |
| Session ID | 50509 |
| Repeat Count | 2 |
| Source Port | 80 |
| Destination Port | 49797 |
| NAT Source Port | 80 |
| NAT Destination Port | 55650 |
| Flags | 0x400000 |
| IP Protocol | tcp |
| Action | deny |
| URL | GoogleToolbarInstaller_updater_signed.exe |
| Threat/Content Name | Virus/Win32.slugin.iyz(2385375) |
| Category | any |
| Severity | medium |
| Direction | server-to-client |
Palo Alto Threat Database 3.1 yields the following description:
| Attack Name | Description | Threat ID |
|---|---|---|
| Worm/W32.generic.fklrm | | 2385375 |
The log detail is as follows:
Generate Time: 2011/07/08 06:30:32
Receive Time: 2011/07/08 06:30:37
Session ID: 50509
Threat/Content Name: Virus/Win32.slugin.iyz
Threat/Content Type: virus
IP Protocol: tcp
Repeat Count: 2
Virtual System: vsys1
Device: 0006C1xxxxxx (myPa500Serial)
Source address: 22.214.171.124
Source Port: 80
Source Zone: L3-untrust
Inbound Interface: tunnel.1
NAT Source IP: 126.96.36.199
NAT Source Port: 80
Destination User: rmanik
Destination address: 172.16.1.1
Destination Port: 49797
Destination Zone: SSL-VPN
Outbound Interface: ethernet1/5
NAT Destination IP: 71.180.xxx.xxx (myExternalPublicIp)
NAT Destination Port: 55650
| Receive Time | Log | Type | Application | Action | Rule | Bytes | Pkts | Severity | Category | URL |
|---|---|---|---|---|---|---|---|---|---|---|
| 07/08 06:30:37 | threat | virus | web-browsing | deny | rule1 | | | medium | any | GoogleToolbarInstaller_updater_signed.exe |
| 07/08 06:32:02 | traffic | end | web-browsing | allow | rule1 | 12,354 | 15 | | | |
| Component | Version |
|---|---|
| URL Filtering version | 3637 |
| GlobalProtect datafile version | 0 |
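An added Python triage helper, not from the post and not Palo Alto code, that pulls the threat ID out of the logged Threat/Content Name, checks it against the Threat Database entry quoted above, and reads the Action/Direction fields to say where the signature actually matched. The log and database values are constructed from the post's own tables; the finding labels are my own.

```python
import re

# Constructed from the threat-log row quoted in the post; only the fields the
# triage rules below consult are kept.
THREAT_LOG = {
    "Threat/Content Type": "virus",
    "Action": "deny",
    "Direction": "server-to-client",
    "Application": "web-browsing",
    "Source Port": "80",
    "Destination Zone": "SSL-VPN",
    "URL": "GoogleToolbarInstaller_updater_signed.exe",
    "Threat/Content Name": "Virus/Win32.slugin.iyz(2385375)",
}
# Constructed from the Threat Database 3.1 lookup quoted in the post.
THREAT_DB = {2385375: "Worm/W32.generic.fklrm"}

NAME_ID_RE = re.compile(r"^(?P<name>.+?)\((?P<tid>\d+)\)$")

def split_threat_name(field):
    """Split 'Virus/Win32.slugin.iyz(2385375)' into ('Virus/Win32.slugin.iyz', 2385375)."""
    m = NAME_ID_RE.match(field.strip())
    if not m:
        raise ValueError(f"unexpected Threat/Content Name format: {field!r}")
    return m.group("name"), int(m.group("tid"))

def triage(log, db):
    """Return (label, detail) findings a responder wants before touching the client."""
    findings = []
    name, tid = split_threat_name(log["Threat/Content Name"])
    db_name = db.get(tid)
    if db_name is None:
        findings.append(("unknown-threat-id", f"ID {tid} has no Threat Database entry"))
    elif db_name != name:
        # Same ID, different names: the content package on the box and the
        # web database disagree, so the log name alone is not a reliable verdict.
        findings.append(("signature-name-mismatch",
                         f"log says {name}, database says {db_name} for ID {tid}"))
    if log["Action"] == "deny" and log["Direction"] == "server-to-client":
        # The match was on a file being downloaded through the firewall and the
        # transfer was denied; it is not a detection on the client's own disk.
        findings.append(("download-denied",
                         "firewall denied the server-to-client transfer in transit"))
    if log["URL"].lower().endswith(".exe") and log["Source Port"] == "80":
        findings.append(("exe-over-plain-http",
                         "executable fetched over unencrypted HTTP; confirm the origin host"))
    return findings
```

The first finding is the discrepancy visible in the post (the log and the database give different names for ID 2385375), and the second says the signature fired on the download, which is the starting point for deciding whether the client itself needs cleaning.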