09-03-2019 04:31 AM
09-03-2019 11:09 AM
Good Day
I looked at the Threat Vault from PANW, and do not see any false positive messages.
What was the virus signature name and ID that you saw?
How did you confirm that this .dll did NOT have a true positive virus attached to it?
Did you only rely on your endpoint AV not flagging it or quarantining this file?
Please advise, so we can help you.
09-03-2019 10:35 PM
Greetings & Good Day To You Too ...
This is the ID & Virus Description:
Threat ID : 268424925
Threat Name : Virus/Win32.WGeneric.aavcql
We tried in our corporate AV which is Symantec and it showed file as clean.
Would appreciate inputs from you.
09-05-2019 04:09 PM
Howdy again.
As I thought... how do you know that Symantec had the most current signatures available to it?
For the signature you provided, I went to the Threat Database and found the hash for the signature:
44e0fa6a16669f1ed7ae4ea7bb0ac2100f67faf1ab6d38a11d47b70eba205766
Name: Virus/Win32.WGeneric.aavcql
Unique Threat ID: 268424925
Create Time: 2019-05-01 20:42:43 (UTC)
When I go to VirusTotal, that specific hash cannot be found.
It has been documented that Wildfire can find Malware hours/days/weeks before the other AV vendors see it.
Now, I am not suggesting either way a false positive or not.
From my (albeit layman) perspective, your AV did not match a known AV signature.
Are you able to confirm that your AV vendor has a signature for the hash above?
So, if your AV is looking for a signature that is not in its database, does that imply that a new zero-day malware could not evade detection? If that is true... then can you provide validation that the file is not malware?
Absence of a response does not mean it is safe... it means there was no comparison... so still a gray area.
Just my thoughts. You can open a ticket with TAC... otherwise, we may be at an impasse. I simply do not know....
What do you suggest we do?
09-11-2019 05:35 AM
Hello ...
I forwarded your email to my colleague who did the hash lookup and he also found nothing threat-related.
He also said it's an OS update Win 10 file from Microsoft.
For the time being I allowed it, but I am not sure whether I should keep it excluded.
😕 ?
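A local check for the claim in the last reply (that the flagged .dll is a Microsoft OS file), added here as an example and not taken from the thread or from Palo Alto Networks: it computes the file's SHA-256 and compares it with the hash quoted from the Threat Database above, then validates the Authenticode signer. The file path is a placeholder; the reference hash is the one posted in the thread.

```powershell
# Added example (not from the thread). Checks a flagged DLL two ways before deciding
# whether an exclusion is justified: does its SHA-256 equal the hash WildFire
# published for Threat ID 268424925, and does it carry a valid Microsoft signature?
# Assumes Windows PowerShell 5.1+ (Get-FileHash and the IsOSBinary property).
function Test-FlaggedDll {
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # placeholder: path to the excluded DLL
        # Hash quoted in the thread for Virus/Win32.WGeneric.aavcql
        [string]$ReferenceSha256 = '44e0fa6a16669f1ed7ae4ea7bb0ac2100f67faf1ab6d38a11d47b70eba205766'
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # 1. Local hash vs. the published WildFire hash. A mismatch means the vendor verdict
    #    (and any VirusTotal lookup of that hash) is about a different file than this one.
    $localHash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $hashMatches = ($localHash -eq $ReferenceSha256.ToLowerInvariant())

    # 2. Authenticode: Status must be Valid AND the leaf signer must be Microsoft.
    #    Many OS files are catalog-signed rather than embedded-signed; on 5.1 the cmdlet
    #    consults the catalog store and sets IsOSBinary for Windows-shipped binaries.
    $sig      = Get-AuthenticodeSignature -LiteralPath $Path
    $subject  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $msSigned = ($sig.Status -eq 'Valid') -and ($subject -like '*O=Microsoft Corporation*')

    # 3. Verdict: a valid Microsoft signature is positive evidence; "no AV hit" is not.
    $verdict = if ($msSigned) { 'Validly signed by Microsoft: OS-file claim is supported' }
               elseif ($sig.Status -eq 'Valid') { "Validly signed by '$subject', not Microsoft: OS-file claim is not supported" }
               else { "Signature status $($sig.Status): treat as untrusted until proven otherwise" }

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $localHash
        MatchesWildFire = $hashMatches
        SignatureStatus = $sig.Status
        Signer          = $subject
        IsOSBinary      = [bool]$sig.IsOSBinary
        Verdict         = $verdict
    }
}

# Usage (the path is a placeholder):
Test-FlaggedDll -Path 'C:\Path\To\flagged.dll' | Format-List
```

If MatchesWildFire is false, the file on disk is not the sample WildFire convicted, so the colleague's hash lookup does not apply to it and the signature result is the only evidence you have.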