04-20-2023 12:34 AM
Can I get assistance on this false positive?
9a27f17d859d7f60a26030c7a0ef3698ffa0ff5ff4230963e52ab79a6a4dacdf
Virus/Win32.WGeneric.dyafjk
Unique Threat ID: 575312775
Create Time: 2023-03-15 02:43:51 (UTC)
04-20-2023 01:08 AM
I have been seeing this since 17th March on downloads of utorrent installer which appear to be legitimate
URL: llsw.download3.utorrent.com/3.6.0/utorrent.46738.installer.exe
I have raised this with our support partner.
04-20-2023 02:51 AM
Support Partner as in Palo Alto (TAC) ?
04-20-2023 04:32 AM
It has been raised with TAC via our support partner. I am not getting sensible answers yet from either.
04-20-2023 04:51 AM
I have an answer from TAC that they are confident the file I have queried is malicious. I still find that odd, but that's their assessment.
04-20-2023 05:40 PM
If you suspect that the verdict is incorrect, you can submit a verdict change request.
Reference:
- WildFire report incorrect verdict (virus false positive or false negative)
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm7KCAS
04-21-2023 01:32 AM
That is interesting. I submitted the URL of the file to wildfire and that decided it was benign. Do you know if that automatically reclassifies it, or is that just an assessment for information?
04-21-2023 02:12 AM - edited 04-23-2023 06:22 PM
The WildFire verdict of the sample (9a27f17d859d7f60a26030c7a0ef3698ffa0ff5ff4230963e52ab79a6a4dacdf) is still "Malware".
Please go into the report itself and check the verdict and the hash value.
If the hash value is different, you may want to submit the sample rather than the URL.
04-21-2023 06:11 AM
Thank you for pointing that out. I find it odd that on one screen it says Benign, but if you click for details it says it is malicious. The hash does match so it seems they do believe it's bad so blocking it is the right thing to do.
Thanks again
04-23-2023 06:28 PM
Ok, thanks for checking the report.
By the way, please note that submitting the same sample, or the URL of the same sample, doesn't trigger reclassification (especially when it's uploaded to the same regional cloud); WildFire just reuses the existing result.
If you submit a verdict change request, then the sample will be re-analyzed by the Palo Alto Networks researcher/engineer manually.
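The two checks the replies above describe (confirm the SHA-256 of the file you actually downloaded matches the hash in the WildFire report, and read the verdict code off the report rather than off the summary screen) as a small script. This is an added example, not code from this thread or from Palo Alto Networks. The verdict XML is a constructed sample shaped like the WildFire public API get/verdict response, the file contents are constructed (only the hash quoted in the thread is real), and the triage decisions encode the advice given in the replies: a hash mismatch means you should submit the file itself rather than its URL, and a matching hash with a Malware verdict means block it and, if you still believe it is clean, file a verdict change request.

```python
"""Compare a downloaded file's SHA-256 with the hash in a WildFire report and
decode a WildFire verdict response.  Added example; not the thread's or
Palo Alto Networks' own code."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# SHA-256 quoted in the thread's WildFire report.
REPORTED_SHA256 = "9a27f17d859d7f60a26030c7a0ef3698ffa0ff5ff4230963e52ab79a6a4dacdf"

# Verdict codes used by the WildFire public API get/verdict call.
VERDICT_NAMES = {
    0: "benign", 1: "malware", 2: "grayware", 4: "phishing", 5: "c2",
    -100: "pending", -101: "error", -102: "unknown", -103: "invalid-hash",
}

# Constructed sample response, shaped like the get/verdict XML; the hash is
# the one from the thread and the verdict code 1 is "malware".
SAMPLE_VERDICT_XML = """<wildfire>
  <get-verdict-info>
    <sha256>9a27f17d859d7f60a26030c7a0ef3698ffa0ff5ff4230963e52ab79a6a4dacdf</sha256>
    <verdict>1</verdict>
    <md5></md5>
  </get-verdict-info>
</wildfire>"""


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large installers don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_verdict(xml_text):
    """Return (sha256, verdict_code, verdict_name) from a get/verdict response."""
    root = ET.fromstring(xml_text)
    info = root.find("get-verdict-info")
    if info is None:
        raise ValueError("no get-verdict-info element in response")
    sha = info.findtext("sha256", "").strip().lower()
    code = int(info.findtext("verdict", "-101").strip())
    return sha, code, VERDICT_NAMES.get(code, "unrecognised")


def triage(local_sha256, response_xml):
    """Map the report against the local file to the next action the thread recommends."""
    report_sha, _code, name = parse_verdict(response_xml)
    if report_sha != local_sha256.lower():
        # The report describes a different file: submit the file itself, not the URL.
        return "hash-mismatch-submit-file"
    if name in ("malware", "grayware", "phishing", "c2"):
        # Hash matches and the verdict is bad: keep blocking; dispute via a
        # verdict change request, since re-submitting reuses the cached result.
        return "block-or-request-verdict-change"
    if name == "pending":
        return "wait-for-analysis"
    return name


def demo():
    """Write a constructed file (contents b"abc", so its hash is known) under the
    installer's file name from the thread's URL and triage it against the report."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "utorrent.46738.installer.exe")
        with open(path, "wb") as f:
            f.write(b"abc")  # constructed contents, not the real installer
        local = sha256_of_file(path)
    return local, triage(local, SAMPLE_VERDICT_XML)


if __name__ == "__main__":
    print(parse_verdict(SAMPLE_VERDICT_XML))
    print(demo())
    print(triage(REPORTED_SHA256, SAMPLE_VERDICT_XML))
```

Run it against the real download by replacing the constructed file in `demo()` with the path you pulled from the URL in the thread; if `sha256_of_file` disagrees with the hash in the report, the report is not about your file and the URL submission told you nothing about it.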