04-30-2015 01:17 PM
Someone shared a link with me to a new startup company and I found it had been blocked and listed as malware by a PAN FW -- I am curious if there is a way to determine exactly what occurred that made that site categorized as malware -- and how I can lookup other URL's reason for categorization -- if available.
Thanks,
A
04-30-2015 02:36 PM
Hi Aron,
Are you using Bright cloud or Pan db for URL categorization?
You can manually verify the category of any URL by entering it on the following web page:
http://www.brightcloud.com/tools/url-ip-lookup.php
https://urlfiltering.paloaltonetworks.com/testasite.aspx
If you do not agree with the categorization of an individual URL/website you can submit a recategorization request on this page:
http://brightcloud.com/support/changerequest.php
You can also clear the Url cache using below command
>clear url-cache url www.xyz.com
Also please check the below document for your reference.
https://live.paloaltonetworks.com/docs/DOC-2227
-regards
Rajiv
04-30-2015 02:39 PM
Rajiv,
Thanks, I am specifically looking for the reason why a URL was chosen to be categorized as malware -- for example xyz.com is malware because software hosted on site was found to be distributing malware for command and control or Cryptolocker...
04-30-2015 02:53 PM
Hi Aron,
I don't think we can provide data on the classification history or how classification happens on the back-end.
If a website was mis-categorized, the best way to find out is to look at what other vendors say about it.
You can go to www.virustotal.com and find out what vendors like Kaspersky, Fortinet, BitDefender, etc. say about the website.
If a majority of vendors classify the website as benign but PAN-DB does not, that means we mis-categorized it. At that point you could submit a request.
How to Submit a Mis-Categorized URL for PAN-DB
-regards
Rajiv
04-30-2015 03:00 PM
To add some color to rsriramoju's statement, we don't supply specific details most of the time because that is part of our detection algorithm.
Generally speaking, a domain is categorized as malware when there are malicious files hosted at the domain, a piece of malware makes calls to that domain, or similar actions.
More times than not I've seen a malicious file hosted on a compromised server on the domain. It could be a legitimate domain, but due to some unpatched (or zero-day) vulnerability, a malicious actor has planted malware on a directory reachable publicly. Incidentally, it's also why reputation-based systems can fail to protect you.
If you own the domain and have a Palo Alto Networks support contract, you can open a support ticket to uncover more specifics.
Best regards,
Greg Wesson
05-04-2015 10:40 AM
If you go to www.virustotal.com you can look up a url and it will have a date saying when it was last scanned and its rating against AV clients. This does not give you the reasons for its categorization nor is it inline with PA's categorization but sometimes can be beneficial when trying to understand a timeline.
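The check both Rajiv and the reply above describe (compare the PAN-DB verdict against what other vendors say on VirusTotal, and note the last-scanned date for your timeline) as an added example; this is not code from the thread or from Palo Alto Networks. It assumes the VirusTotal API v3 object layout (data.attributes.last_analysis_results / last_analysis_date) and uses a constructed, abridged sample response so it runs offline.

```python
"""Compare a PAN-DB URL category with third-party vendor verdicts from VirusTotal."""
import base64
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the shape of a VirusTotal v3 /urls/{id} response; not real data.
SAMPLE_VT_RESPONSE = {
    "data": {
        "attributes": {
            "last_analysis_date": 1430697600,  # 2015-05-04 00:00:00 UTC (constructed)
            "last_analysis_results": {
                "VendorA": {"category": "harmless", "result": "clean site"},
                "VendorB": {"category": "harmless", "result": "clean site"},
                "VendorC": {"category": "undetected", "result": "unrated site"},
                "VendorD": {"category": "malicious", "result": "malware site"},
            },
        }
    }
}


def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its unpadded URL-safe base64 encoding."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def vendor_verdicts(vt_object: dict) -> Counter:
    """Count vendor verdict categories (harmless / malicious / suspicious / undetected)."""
    results = vt_object["data"]["attributes"]["last_analysis_results"]
    return Counter(r["category"] for r in results.values())


def last_scanned(vt_object: dict) -> str:
    """UTC ISO timestamp of the last VT scan, to line up against firewall URL log times."""
    ts = vt_object["data"]["attributes"]["last_analysis_date"]
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def recategorization_candidate(pan_category: str, vt_object: dict) -> bool:
    """True when PAN-DB says malware but vendors with an opinion mostly say harmless.

    'undetected' vendors have no opinion and are left out of the vote. A True result is
    supporting evidence for a recategorization request, not proof the site is clean.
    """
    counts = vendor_verdicts(vt_object)
    benign = counts["harmless"]
    flagged = counts["malicious"] + counts["suspicious"]
    return pan_category.lower() == "malware" and benign > flagged
```

Fetching a live object is a GET to https://www.virustotal.com/api/v3/urls/<vt_url_id(url)> with your API key in the x-apikey header; the functions above then work on the decoded JSON unchanged.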
05-05-2015 09:17 AM
Thanks, everything in VirusTotal said it was clean --> www.neucoin.org.
However, PAN marks it as Malware -- I personally have no evidence supporting it being malware or clean, which is why I wanted to see reasoning from PAN.
Is there a way to follow up with PAN to determine the reasoning? I do not want to submit a recategorization because I do not know that it is clean.
05-05-2015 09:27 AM
I am seeing it categorized as Stock Advice and Tools. Maybe they revisited this one for you.
05-05-2015 09:44 AM
Yes, it must have just changed within the past day or two, as my logs in PA show it as Malware on 05-04-2015 at 11:37 EST.
However, I'm still curious as to why it was listed as malware for a brief period of time 🙂
05-06-2015 07:39 PM
ajr13,
The web site could have been hosting malware (thus being categorized as malware). If the site administrator was informed and then removed the malware and patched their server to prevent further malware being placed on it, the site then gets a re-categorization request, and since the malware is not there anymore it gets classified as it normally should be. This is how I expect it works. Hope this helps.
Phil