file getting blocked (false positive)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

file getting blocked (false positive)

L2 Linker

Can I get assistance on this false positive.

9a27f17d859d7f60a26030c7a0ef3698ffa0ff5ff4230963e52ab79a6a4dacdf

Virus/Win32.WGeneric.dyafjk

Unique Threat ID: 575312775
Create Time: 2023-03-15 02:43:51 (UTC)

P.S
1 accepted solution

Accepted Solutions

L4 Transporter

I have an answer from TAC that they are confident the file I have queried is malicious.  I still find that odd, but that's their assessment.

View solution in original post

9 REPLIES 9

L4 Transporter

I have been seeing this since 17th March on downloads of utorrent installer which appear to be legitimate

URL: llsw.download3.utorrent.com/3.6.0/utorrent.46738.installer.exe

I have raised this with our support partner.

Support Partner as in Palo Alto  (TAC) ?

P.S

It has been raised with TAC via our support partner.  I am not getting sensible answers yet from either.

L4 Transporter

I have an answer from TAC that they are confident the file I have queried is malicious.  I still find that odd, but that's their assessment.

L5 Sessionator

If you suspect that the verdict is incorrect, you can submit a verdict change request.

 

Reference:
- WildFire report incorrect verdict (virus false positive or false negative)
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm7KCAS

That is interesting.  I submitted the URL of the file to wildfire and that decided it was benign.  Do you know if that automatically reclassifies it, or is that just an assessment for information?

The WildFire verdict of the sample (9a27f17d859d7f60a26030c7a0ef3698ffa0ff5ff4230963e52ab79a6a4dacdf) is still "Malware".
Please go into the report itself and check the verdict and the hash value.

If the hash value is different, you may want to submit the sample rather than the URL.

L4 Transporter

Thank you for pointing that out.  I find it odd that on one screen it says Benign, but if you click for details it says it is malicious.  The hash does match so it seems they do believe it's bad so blocking it is the right thing to do. 

 

Thanks again

Ok, thanks for checking the report.

 

By the way, please note that submitting the same sample or the URL of the same sample doesn't trigger the reclassification (especially, when it's uploaded to the same regional cloud), e.g. the WildFire just reuses the existing result.

 

If you submit a verdict change request, then the sample will be re-analyzed by the Palo Alto Networks researcher/engineer manually.

  • 1 accepted solution
  • 3743 Views
  • 9 replies
  • 0 Likes
  • 63 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!