ThreatID 81845 - Generic PHP Webshell File Detection false positives

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

ThreatID 81845 - Generic PHP Webshell File Detection false positives

L6 Presenter

Anyone else seeing a large number of threat alerts this morning for the new generic signatures added last night? Seeing dozens this morning coming from user document downloads from a trusted financial source. I haven't fully decrypted the data yet, but appears to be false positives. Anyone know exactly what all these new critical threat signatures are suppose to be targeting?

11 REPLIES 11

L6 Presenter

After collecting a bunch of data, it looks like all the 81845 signature hits have a single thing in common, a base64 encoded string of ASCII "2" characters in a row (in the middle of apparent binary data).

L6 Presenter

I extracted the packet dumps and compared across multiple different sites triggering the alert. The common string is a 622 byte JFIF v1.01 background image file with the "22222" string in it (more likely all pixels in a color channel set to the same value). The file seems to have a few anomalies, but I am not an expert on JFIF formatting. Nothing obviously wrong in the image and certainly not "PHP Webshell" code. The extracted JFIF file, by itself, triggers 81845 when passed thru the PA.

L1 Bithead

I am also seeing the same behavior on .aspx files to a selected website (prod/dev/test) flagging 81845.

 

 

 

L0 Member

I have been seeing false positives on 81845 too. I have been carrying out exchange to 365 migrations for a week now fine, but for nearly a day I have been having transfers failing and lots of alerts(several times a minute) from our PAN showing 81845 threats being triggered. Given that our MS Exchange definitely is not using PHP it should not be getting caught on this one.
When I stop migrations, the alerts stop.

So this threat definition probably needs some tweaking to cut down on the false positives.

L1 Bithead

Looks like its been updated from last content update

 

Applications and Threats Content Release Notes - Version 8565

 

Modified Anti-Spyware Signatures (1)
Severity ID Attack Name Category Default Action Change Minimum PAN-OS Version Maximum PAN-OS Version
critical 81845 Generic PHP Webshell File Detection webshell reset-both improved detection logic to address a possible fp issue 8.1.0

L1 Bithead

I also have this problem id 81845 (severity Critical) with user connections to the local web server on port 443 (web-browsing) and action reset-server.

L2 Linker

I created an anti-spyware profile with an exception for 81845 and applied it to the necessary policies until this is corrected/fine tuned.

L6 Presenter

The 8565 update to Applications and Threats database has fixed the issue for me so far. My test file is no longer triggering the alert.

 

@Gareth-Doyle Has you PA applied the update yet?

L1 Bithead

The update fixed the multiple issues I had. Rolling back the custom AS policy now 🙂

I did a revert of Aplications and Threats to the previous version 8564

L5 Sessionator

Latest Updates The signature 81845 has been revised to address the false positive issue and released on 05/03/2022 with the content update 8565.
This issue should be resolved if you update to content 8565 or higher. 

 

  • 7652 Views
  • 11 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!