I'm getting a Threat Detection - Virus/malware identified by the name "Virus/Win32.WGeneric.akrgog" when a user tries to open a particular PDF file. When looking at the Threat log I can see the PDF file being blocked and identified as a 'Virus.' In the same session, I can also see additional files with the extension .aspx being allowed. I think it's a false positive, but I'm not able to confirm this. I ran the hash value of the PDF file on Virus Total, and it did not find a match. I know that I can put an exception on the signature and allow the file, but I wanted to see if anyone has a better way to go about this.
If you can verify that the PDF isn't malicious it's likely just a false positive on the threat signature, which isn't that uncommon. You'll either need to create an exception for the traffic once you've verified it isn't a threat, or open a case with TAC and see if the signature doesn't need to be tuned a bit since it was just released at the tale end of June.
I have taken a look at "Virus/Win32.WGeneric.akrgog" in the PANW Threat Vault and cross-checked the SHA256s in the VirusTotal - only 2/10 were identified as malicious and with low detection rates (7/61, 9/62):
By no means should you trust this file to be safe based only on VirusTotal.
I can recommend, if possible, uploading it into sandbox solution to get a bigger picture.
Is this file publicly available? Could you possible share the URL or, at least, SHA256?
@BPry have you seen a lot of FPs on AV/WF signatures?
Thank you for cross checking the hash on Virus Total. Unfortunelty the file is confidential and cannot be shared outside my organization.
I'm curious about the Sandbox option you mentioned, is this is Palo Alto service?
To answer you question, it is not very common that I experience False positives.
Yes, PANW has a dedicated sandbox service - https://www.paloaltonetworks.com/products/secure-the-network/wildfire; it can be integrated with PA firewall, used directly through WidlFire Portal (https://wildfire.paloaltonetworks.com/wildfire/dashboard) or brought on-premise as a dedicated WF-500 Appliance (https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/hardware/wf-500/wf-500-hardware-ref...).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!