Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Malicious traffic blocked by PAN : Virus/Win32.WGeneric.ajbecg(340897548)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Malicious traffic blocked by PAN : Virus/Win32.WGeneric.ajbecg(340897548)

L0 Member

Hi Team,

These are the below sign identified in our network and want to know the reason for this trigger.

Please provide the related application effected? Why are this signature identified and what the user is trying to access so that PAN blocked the traffic. Any additional information will be appreciated. 

 

Virus/Win32.WGeneric.ajbsuc(341044866)

Virus/Win32.WGeneric.ajbecg(340897548)

Virus/Win32.WGeneric.aeqdlm(295866360)

 

1 accepted solution

Accepted Solutions

L7 Applicator

The best way to investigate these would be to access the Threat Vault at https://threatvault.paloaltonetworks.com/

Search for the Threat ID's and find the SHA256 hashes of the samples tied to the signatures.

You can then use the SHA256 hashes to research the samples on the internet. A good place to begin that research is http://virustotal.com

 

If you believe the signatures are built based on WildFire false positives or potential Signature Collisions you can open a request with Support to investigate.

 

If you know for sure that these triggers are false positives, and they're interrupting critical business tasks, you can opt to create an exception in your Antivirus profile. You can see instructions at https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/create-threat-exceptions

View solution in original post

7 REPLIES 7

L7 Applicator

The best way to investigate these would be to access the Threat Vault at https://threatvault.paloaltonetworks.com/

Search for the Threat ID's and find the SHA256 hashes of the samples tied to the signatures.

You can then use the SHA256 hashes to research the samples on the internet. A good place to begin that research is http://virustotal.com

 

If you believe the signatures are built based on WildFire false positives or potential Signature Collisions you can open a request with Support to investigate.

 

If you know for sure that these triggers are false positives, and they're interrupting critical business tasks, you can opt to create an exception in your Antivirus profile. You can see instructions at https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/create-threat-exceptions

Hi Mivaldi,

Appreciated the quick response, I have already tried earlier but don't have access to Threat Vault.

Can you please help me with screenshot/hash or any kind of export from the portal for below mentioned signature. 

Signatures

Virus/Win32.WGeneric.ajbsuc(341044866)
Virus/Win32.WGeneric.ajbecg(340897548)
Virus/Win32.WGeneric.aeqdlm(295866360)
That will be great help for my investigation.
 
 

 

Signature
 
Release
 
Hashes
 

Name: Virus/Win32.WGeneric.ajbsuc

Unique Threat ID: 341044866

Create Time: 2020-04-08 19:03:39 (UTC)

Threat ID: 2565506

Current Release: 3348 (2020-05-13 UTC)

First Release: 3312 (2020-04-08 UTC)

78487e9f4dcd78f24a8b863e5b4cf15b9a4fcb6a78f2a8477ad43fe5639e4a04

 

Signature
 
Release
 
Hashes
 

Name: Virus/Win32.WGeneric.ajbecg

Unique Threat ID: 340897548

Create Time: 2020-04-07 20:22:17 (UTC)

Threat ID: 2005534

Current Release: 3348 (2020-05-13 UTC)

First Release: 3311 (2020-04-07 UTC)

c39cb7067c3c5c22802bafe4d54b3365b1f24bab864ba6ba75c3e069d96d09b0

 

Signature
 
Release
 
Hashes
 

Name: Virus/Win32.WGeneric.aeqdlm

Unique Threat ID: 295866360

Create Time: 2019-08-21 09:26:56 (UTC)

Threat ID: 2636376

Current Release: 3348 (2020-05-13 UTC)

First Release: 3079 (2019-08-22 UTC)

2c96ca9abb21a87e0967de6ef78f76083f3917ecf2ba5ed69acd044582b0e3dc

9a2fcee13a376a99a0856c226bdce391f357a9ba766236accc4f74a02103a5ba

214f934a95dc68bf17aba4acd7f66babc692c544a1fa848e80eb7d4fc7c4e3c1

0cfdb09b489b7003577bd905a541b514a74232b2e4d3f51b0bf62998106e5fec

Thanks for the support,

 

I tried searching the hash values on Open Threat Intel, including Virus Total: Hash value not in DB.

Is that possible to tell, the reason for this signature. Like user tried accessing the XYZ (onedrive.exe) what caused the alert.

There should be a lot of information in correlated log entries.

At the very left of the threat log entry, you will see a magnifying glass icon. Click it and that will open the detailed log view. On the lower panel, you will see correlated log entries. You can see correlated traffic log entries, URL filtering log entries, and wildfire submissions as well as other possible entries. These other entries will exist if these additional features were properly configured to log an event.

Thanks for the input, However was not able to identify any of the correlated event in URL filtering and wildfire.

Just want to know the basis of these signature or the application/file/user activity to trigger this PAN signature.

 

Appreciated the support 🙂

Please open a Support case to have us take a closer look.

  • 1 accepted solution
  • 24787 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!