Wildfire Malware detected miniwallet.bundle.js as Malware, VirusTotal does not list it

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Wildfire Malware detected miniwallet.bundle.js as Malware, VirusTotal does not list it

L0 Member

Hey

 

we are using Cortex XSIAM and have been getting alerts on miniwallet.bundle.js apparently during MS Edge updates.

From what I can see the Wildfire Verdict has changed yesterday. However, reading the report, I cannot explain why it is considered Malware. Googling also did not get me any further.

Most interestingly: On VirusTotal the corresponding has (miniwallet.bundle.js e1c8013b3c793dece95e5b9fc479325aff243052f1ca23e6de92ca473f3200d4) comes back clean.

I am a bit out of idea on what is going on here. 

Does anyone have any ideas on how to see why a WildFire verdict has changed?

Or what else to do to triage this?


1 REPLY 1

Community Team Member

Hi @J.Huchtktter ,

I checked the wildfire portal for that hash and noticed the behavioral summary is older than the latest verdict status change.

 

When the Behavioral summary shows an older date (July 7) but the Verdict status says Updated on a newer date (July 8), it usually means the sandbox didn't actually re-run the file. Instead, Palo Alto Networks' threat intelligence backend updated a global detection rule or flag on July 8 that retroactively applied to the behaviors recorded during that original July 7 session.

 

Essentially, a backend heuristic rule change overnight made WildFire look back at that specific July 7 behavior and decide, "Wait, we now classify that pattern as malware."

Because this is a core Microsoft Edge file, it confirms that a newly deployed backend rule is being overly aggressive and has caused a global false positive.

 

Please submit an Incorrect Verdict / False Positive appeal through the WildFire portal. When the research team looks at the submission, they will see that the newly updated rule accidentally snagged a signed Microsoft component and they will manually roll back/fix the signature.

 

In the meantime, you can whitelist or create an exception for this specific hash in XSIAM to keep your users from running into browser issues.

 

Hope this helps,

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 107 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!