I am new to this website, so I apologize if this is in the wrong location.
Can someone clarify for me what the ZeroAccess alert in the Palo Alto is triggering upon? How do I review the signature?
Thank you for you assistance.
Depending on which ID it is giving you, you can look in the threat vault for a description:
For example, here is a listing for the first ID (13298):
End user has no access to signatures. "ZeroAccess" is a category where Trojan Horse hides itself. PANW can verify each exe if proper policies are applied. And can detect Trojan hourse.
Provide me more specific detail query on "ZeroAccess Alert".
This is the alert we are seeing. I just want a better idea what it is triggering on. We had another system which gave us many many false positive ZeroAccess alerts. Before I start pulling computers for malware analysis, I want to find out what is causing this to trigger.
|Name:||ZeroAccess.Gen Command and Control Traffic|
|Description:||This signature detects ZeroAccess.Gen Command and Control Traffic.|
System is under botnet attach, please refer following link.
Let me know for additional query.
13235 is a generic botnet detector. It is typically triggered with requests to known Command & Control (C&C) servers, hostnames, or IPs. Please find more information.
A full AV scan of the affected machine would likely show results, as long as any associated malware has not disabled the AV scanner.
I think this is a false positive. I just spoke with the person whose computer this is and it was reimaged for zeroaccess over a month ago. Yet the alerts are continuing.
I spoke with the original analyst on the case and he feels this alert is generating alerts on inbound traffic. The Palo Alto screen shows that our computer is attacking, however upon packet review the inbound traffic is causing the alert.
Hshah do you work for PA?
In Threat log direction should be "server-to-client", if yes. Than it means attacker is on internet.
If you think its a false positive, than you might want to create exception for that. Let me know if you need any help with that.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!