Zero Access question

Reply
Highlighted
Not applicable

Zero Access question

Hi,

I am new to this website, so I apologize if this is in the wrong location.

Can someone clarify for me what the ZeroAccess alert in the Palo Alto is triggering upon? How do I review the signature?

Thank you for you assistance.

Tags (2)
Highlighted
L4 Transporter

Depending on which ID it is giving you, you can look in the threat vault for a description:

https://threatvault.paloaltonetworks.com/

For example, here is a listing for the first ID (13298):

https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13298

Highlighted
L6 Presenter

Hi Fred,

End user has no access to signatures. "ZeroAccess" is a category where Trojan Horse hides itself. PANW can verify each exe if proper policies are applied. And can detect Trojan hourse.

Provide me more specific detail query on "ZeroAccess Alert".

Regards,

Hardik Shah

Highlighted
Not applicable

This is the alert we are seeing.   I just want a better idea what it is triggering on.  We had another system which gave us many many false positive ZeroAccess alerts.  Before I start pulling computers for malware analysis, I want to find out what is causing this to trigger.

Thanks.

Name:ZeroAccess.Gen Command and Control Traffic
ID:13235
Description:  This signature detects ZeroAccess.Gen Command and Control Traffic. 

Highlighted
L6 Presenter

Hi Fred,

System is under botnet attach, please refer following link.

https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13235

Let me know for additional query.

Regards,

Hardik Shah

Highlighted
L6 Presenter

Hi Fred,

13235 is a generic botnet detector. It is typically triggered with requests to known Command & Control (C&C) servers, hostnames, or IPs.  Please find more information.

https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13235

A full AV scan of the affected machine would likely show results, as long as any associated malware has not disabled the AV scanner.

Regards,

Hardik Shah

Highlighted
Not applicable

I think this is a false positive.  I just spoke with the person whose computer this is and it was reimaged for zeroaccess over a month ago.  Yet the alerts are continuing.

I spoke with the original analyst on the case and he feels this alert is generating alerts on inbound traffic.  The Palo Alto screen shows that our computer is attacking, however upon packet review the inbound traffic is causing the alert.

Hshah do you work for PA?

Highlighted
L6 Presenter

Hi Fred,

In Threat log direction should be "server-to-client", if yes. Than it means attacker is on internet.

If you think its a false positive, than you might want to create exception for that. Let me know if you need any help with that.

Regards,

Hardik Shah

Highlighted
L4 Transporter

Fred,

sounds right.  Perhaps the system is still on client lists for the C&C servers so they are still attempting to communicate.  Does that system have it's own public IP?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!