12-08-2010 04:00 PM
Hi,
I wanted to know what you usually do when you see a Virus detected on the PA.
How do you check that it is not a false positive?
Do you use the packet capture in the case of a virus?
Does the name/id of the Virus help you to find more details on the web?
Thanks
12-10-2010 08:37 AM
Hello,
To check if it is false positive, you will need to open a case with support and provide them the virus/threat information and also if possible a sample pcap.
02-02-2011 11:11 PM
Hi LoopSupport,
You can use pcaps in the case of a virus, and the name and threat ID may help you find more detailed data generally on the internet. There are plenty of sites out there that have research data on viruses. The threat ID's may not always match though, and there are quite often variants of different viruses, so it may or may not help you with internet research in the end. As far as false positives, viruses are much more rare as false positives. It's not impossible, but it's far more rare than say, IPS signature false positives. If you're suspicious of a false positive virus detection, the PAN support team can help here. The PAN threat team has been presented cases in the past where a customer suspected a false positive, and in the end it turned out to be a true virus. This was determined by doing packet captures of the anomalous behavior and examination by the PAN threat team. Also don't forget that if you do come across a false positive, you always have the ability to create exceptions in your antivirus profile.
Hope this helps!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
