05-14-2020 12:59 PM
Hi Team,
These are the signatures identified in our network, and we want to know the reason for this trigger.
Please provide the related application affected. Why were these signatures identified, and what was the user trying to access that caused PAN to block the traffic? Any additional information will be appreciated.
Virus/Win32.WGeneric.ajbsuc(341044866)
Virus/Win32.WGeneric.ajbecg(340897548)
Virus/Win32.WGeneric.aeqdlm(295866360)
05-14-2020 01:25 PM
The best way to investigate these would be to access the Threat Vault at https://threatvault.paloaltonetworks.com/
Search for the Threat IDs and find the SHA256 hashes of the samples tied to the signatures.
You can then use the SHA256 hashes to research the samples on the internet. A good place to begin that research is http://virustotal.com
If you believe the signatures are built based on WildFire false positives or potential Signature Collisions you can open a request with Support to investigate.
If you know for sure that these triggers are false positives, and they're interrupting critical business tasks, you can opt to create an exception in your Antivirus profile. You can see instructions at https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/create-threat-exceptions
05-14-2020 01:33 PM
Hi Mivaldi,
Appreciate the quick response. I already tried that earlier, but I don't have access to Threat Vault.
Can you please help me with a screenshot/hash or any kind of export from the portal for the signatures mentioned below?
05-14-2020 02:01 PM
Signature | Release | Hashes (SHA256)
---|---|---
Name: Virus/Win32.WGeneric.ajbsuc; Unique Threat ID: 341044866; Create Time: 2020-04-08 19:03:39 (UTC) | Threat ID: 2565506; Current Release: 3348 (2020-05-13 UTC); First Release: 3312 (2020-04-08 UTC) | 78487e9f4dcd78f24a8b863e5b4cf15b9a4fcb6a78f2a8477ad43fe5639e4a04
Name: Virus/Win32.WGeneric.ajbecg; Unique Threat ID: 340897548; Create Time: 2020-04-07 20:22:17 (UTC) | Threat ID: 2005534; Current Release: 3348 (2020-05-13 UTC); First Release: 3311 (2020-04-07 UTC) | c39cb7067c3c5c22802bafe4d54b3365b1f24bab864ba6ba75c3e069d96d09b0
Name: Virus/Win32.WGeneric.aeqdlm; Unique Threat ID: 295866360; Create Time: 2019-08-21 09:26:56 (UTC) | Threat ID: 2636376; Current Release: 3348 (2020-05-13 UTC); First Release: 3079 (2019-08-22 UTC) | 2c96ca9abb21a87e0967de6ef78f76083f3917ecf2ba5ed69acd044582b0e3dc<br>9a2fcee13a376a99a0856c226bdce391f357a9ba766236accc4f74a02103a5ba<br>214f934a95dc68bf17aba4acd7f66babc692c544a1fa848e80eb7d4fc7c4e3c1<br>0cfdb09b489b7003577bd905a541b514a74232b2e4d3f51b0bf62998106e5fec
05-14-2020 02:12 PM
Thanks for the support.
I tried searching the hash values on open threat intel sources, including VirusTotal: hash value not in DB.
Is it possible to tell the reason for this signature, e.g. the user tried accessing XYZ (onedrive.exe), which caused the alert?
05-14-2020 03:57 PM - edited 05-14-2020 03:58 PM
There should be a lot of information in correlated log entries.
At the very left of the threat log entry, you will see a magnifying glass icon. Click it and that will open the detailed log view. On the lower panel, you will see correlated log entries. You can see correlated traffic log entries, URL filtering log entries, and wildfire submissions as well as other possible entries. These other entries will exist if these additional features were properly configured to log an event.
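The join the detailed log view performs can be reproduced offline from CSV exports, which is useful when you want the answer for many hits at once. The script below is an added example written for this thread, not code from Palo Alto Networks or from the original posts. The four log exports are constructed samples; their column subset and column names are assumptions (a real PAN-OS export carries many more fields), but each log type does carry a Session ID, and that is the key the correlated-logs panel joins on. The Threat/Content Name field is parsed as "signature name(unique threat ID)", the format shown in the original post. The second sample session deliberately has no URL-filtering or WildFire entries, which is exactly what you see when those features are not logging for that traffic (for example an undecrypted TLS session).

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample exports for this example (not logs from the thread). The
# column subset and names are assumptions; every PAN-OS log type includes a
# Session ID, which is what the firewall's detailed log view joins on.
THREAT_LOG = """\
Receive Time,Session ID,Source address,Source User,Destination address,Application,Threat/Content Name,Action
2020/05/14 12:40:05,184211,10.10.5.23,corp\\jdoe,203.0.113.40,web-browsing,Virus/Win32.WGeneric.ajbsuc(341044866),drop
2020/05/14 12:52:31,184590,10.10.7.8,,198.51.100.12,ssl,Virus/Win32.WGeneric.aeqdlm(295866360),drop
"""

TRAFFIC_LOG = """\
Receive Time,Session ID,Source address,Destination address,Destination Port,Application,Rule
2020/05/14 12:40:05,184211,10.10.5.23,203.0.113.40,80,web-browsing,allow-web
2020/05/14 12:52:31,184590,10.10.7.8,198.51.100.12,443,ssl,allow-web
2020/05/14 12:53:10,184602,10.10.7.9,192.0.2.77,443,ssl,allow-web
"""

URL_LOG = """\
Receive Time,Session ID,URL,Category,Action
2020/05/14 12:40:04,184211,download.example.test/update_pkg.exe,unknown,alert
"""

# The digest below is a placeholder, not the hash of any real sample.
WILDFIRE_LOG = """\
Receive Time,Session ID,File Name,File Digest,Verdict
2020/05/14 12:40:06,184211,update_pkg.exe,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,malicious
"""

# Threat/Content Name is written as "<signature name>(<unique threat id>)".
THREAT_NAME_RE = re.compile(r"^(?P<name>.+?)\((?P<uid>\d+)\)$")


def split_threat_name(field):
    """Return (signature name, unique threat ID) from a Threat/Content Name field."""
    m = THREAT_NAME_RE.match(field.strip())
    if not m:
        raise ValueError(f"unexpected Threat/Content Name format: {field!r}")
    return m.group("name"), int(m.group("uid"))


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def index_by_session(rows):
    """Group log rows by Session ID so each threat hit is resolved in O(1)."""
    by_session = defaultdict(list)
    for row in rows:
        by_session[row["Session ID"]].append(row)
    return by_session


def correlate(threat_rows, traffic_rows, url_rows, wildfire_rows):
    """For each threat hit, collect every other log entry from the same session."""
    traffic = index_by_session(traffic_rows)
    urls = index_by_session(url_rows)
    wildfire = index_by_session(wildfire_rows)
    records = []
    for hit in threat_rows:
        sid = hit["Session ID"]
        name, uid = split_threat_name(hit["Threat/Content Name"])
        records.append({
            "session_id": sid,
            "signature": name,
            "unique_threat_id": uid,
            "user": hit["Source User"] or "(no User-ID mapping)",
            "application": hit["Application"],
            "action": hit["Action"],
            # Traffic log: one entry per session, written when the session ends.
            "traffic": traffic[sid][0] if traffic[sid] else None,
            # URL and WildFire entries exist only if those features logged the
            # event (URL profile set to log, WildFire forwarding enabled, and
            # decryption for TLS sessions); an empty list is a real outcome.
            "urls": urls[sid],
            "wildfire": wildfire[sid],
        })
    return records


def describe(record):
    """One line per threat hit: who, which app, where to, which URL/file."""
    t = record["traffic"]
    where = f"{t['Destination address']}:{t['Destination Port']}" if t else "no traffic entry"
    url = record["urls"][0]["URL"] if record["urls"] else "no URL entry"
    wf = record["wildfire"][0]["Verdict"] if record["wildfire"] else "no WildFire entry"
    return (f"{record['signature']} ({record['unique_threat_id']}) session {record['session_id']}: "
            f"user={record['user']} app={record['application']} dst={where} "
            f"url={url} wildfire={wf} action={record['action']}")


def correlate_samples():
    return correlate(parse_csv(THREAT_LOG), parse_csv(TRAFFIC_LOG),
                     parse_csv(URL_LOG), parse_csv(WILDFIRE_LOG))


if __name__ == "__main__":
    for rec in correlate_samples():
        print(describe(rec))
```

Run it as a script to get one summary line per threat hit. The first session resolves to a user, a destination, the requested URL and a WildFire verdict; the second resolves only to the traffic entry, which is the situation the original poster describes, and the next step there is enabling the missing logging (or decryption) rather than hunting for entries that were never written.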
05-14-2020 07:29 PM
Thanks for the input. However, I was not able to identify any correlated event in URL filtering or WildFire.
I just want to know the basis of these signatures, or the application/file/user activity that triggered this PAN signature.
Appreciate the support 🙂
05-15-2020 09:54 AM
Please open a Support case to have us take a closer look.