03-19-2015 12:49 PM
Hi,
I am new to this website, so I apologize if this is in the wrong location.
Can someone clarify for me what the ZeroAccess alert in the Palo Alto is triggering upon? How do I review the signature?
Thank you for you assistance.
03-19-2015 01:06 PM
Depending on which ID it is giving you, you can look in the threat vault for a description:
https://threatvault.paloaltonetworks.com/
For example, here is a listing for the first ID (13298):
https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13298
03-19-2015 01:22 PM
Hi Fred,
End user has no access to signatures. "ZeroAccess" is a category where Trojan Horse hides itself. PANW can verify each exe if proper policies are applied. And can detect Trojan hourse.
Provide me more specific detail query on "ZeroAccess Alert".
Regards,
Hardik Shah
03-23-2015 10:06 AM
This is the alert we are seeing. I just want a better idea what it is triggering on. We had another system which gave us many many false positive ZeroAccess alerts. Before I start pulling computers for malware analysis, I want to find out what is causing this to trigger.
Thanks.
| Name: | ZeroAccess.Gen Command and Control Traffic |
| ID: | 13235 |
| Description: | This signature detects ZeroAccess.Gen Command and Control Traffic. |
03-23-2015 10:13 AM
Hi Fred,
System is under botnet attach, please refer following link.
https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13235
Let me know for additional query.
Regards,
Hardik Shah
03-23-2015 10:17 AM
Hi Fred,
13235 is a generic botnet detector. It is typically triggered with requests to known Command & Control (C&C) servers, hostnames, or IPs. Please find more information.
https://threatvault.paloaltonetworks.com/Home/ThreatDetail/13235
A full AV scan of the affected machine would likely show results, as long as any associated malware has not disabled the AV scanner.
Regards,
Hardik Shah
03-23-2015 10:59 AM
I think this is a false positive. I just spoke with the person whose computer this is and it was reimaged for zeroaccess over a month ago. Yet the alerts are continuing.
I spoke with the original analyst on the case and he feels this alert is generating alerts on inbound traffic. The Palo Alto screen shows that our computer is attacking, however upon packet review the inbound traffic is causing the alert.
Hshah do you work for PA?
03-23-2015 11:12 AM
Hi Fred,
In Threat log direction should be "server-to-client", if yes. Than it means attacker is on internet.
If you think its a false positive, than you might want to create exception for that. Let me know if you need any help with that.
Regards,
Hardik Shah
03-23-2015 12:06 PM
Fred,
sounds right. Perhaps the system is still on client lists for the C&C servers so they are still attempting to communicate. Does that system have it's own public IP?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
