Depending on which ID it is giving you, you can look in the threat vault for a description:
For example, here is a listing for the first ID (13298):
This is the alert we are seeing. I just want a better idea what it is triggering on. We had another system which gave us many many false positive ZeroAccess alerts. Before I start pulling computers for malware analysis, I want to find out what is causing this to trigger.
|Name:||ZeroAccess.Gen Command and Control Traffic|
|Description:||This signature detects ZeroAccess.Gen Command and Control Traffic.|
13235 is a generic botnet detector. It is typically triggered with requests to known Command & Control (C&C) servers, hostnames, or IPs. Please find more information.
A full AV scan of the affected machine would likely show results, as long as any associated malware has not disabled the AV scanner.
I think this is a false positive. I just spoke with the person whose computer this is and it was reimaged for zeroaccess over a month ago. Yet the alerts are continuing.
I spoke with the original analyst on the case and he feels this alert is generating alerts on inbound traffic. The Palo Alto screen shows that our computer is attacking, however upon packet review the inbound traffic is causing the alert.
Hshah do you work for PA?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!