cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

Community Team Member

Hi @J.Huchtktter ,

I checked the wildfire portal for that hash and noticed the behavioral summary is older than the latest verdict status change.

 

When the Behavioral summary shows an older date (July 7) but the Verdict status says Updated on a newer date (July 8), it usually means the sandbox didn't actually re-run the file. Instead, Palo Alto Networks' threat intelligence backend updated a global detection rule or flag on July 8 that retroactively applied to the behaviors recorded during that original July 7 session.

 

Essentially, a backend heuristic rule change overnight made WildFire look back at that specific July 7 behavior and decide, "Wait, we now classify that pattern as malware."

Because this is a core Microsoft Edge file, it confirms that a newly deployed backend rule is being overly aggressive and has caused a global false positive.

 

Please submit an Incorrect Verdict / False Positive appeal through the WildFire portal. When the research team looks at the submission, they will see that the newly updated rule accidentally snagged a signed Microsoft component and they will manually roll back/fix the signature.

 

In the meantime, you can whitelist or create an exception for this specific hash in XSIAM to keep your users from running into browser issues.

 

Hope this helps,

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

Who rated this post