05-03-2022 11:17 AM
Anyone else seeing a large number of threat alerts this morning for the new generic signatures added last night? Seeing dozens this morning coming from user document downloads from a trusted financial source. I haven't fully decrypted the data yet, but appears to be false positives. Anyone know exactly what all these new critical threat signatures are suppose to be targeting?
05-03-2022 01:26 PM
After collecting a bunch of data, it looks like all the 81845 signature hits have a single thing in common, a base64 encoded string of ASCII "2" characters in a row (in the middle of apparent binary data).
05-03-2022 03:38 PM
I extracted the packet dumps and compared across multiple different sites triggering the alert. The common string is a 622 byte JFIF v1.01 background image file with the "22222" string in it (more likely all pixels in a color channel set to the same value). The file seems to have a few anomalies, but I am not an expert on JFIF formatting. Nothing obviously wrong in the image and certainly not "PHP Webshell" code. The extracted JFIF file, by itself, triggers 81845 when passed thru the PA.
05-03-2022 05:13 PM
I am also seeing the same behavior on .aspx files to a selected website (prod/dev/test) flagging 81845.
05-03-2022 10:07 PM
I have been seeing false positives on 81845 too. I have been carrying out exchange to 365 migrations for a week now fine, but for nearly a day I have been having transfers failing and lots of alerts(several times a minute) from our PAN showing 81845 threats being triggered. Given that our MS Exchange definitely is not using PHP it should not be getting caught on this one.
When I stop migrations, the alerts stop.
So this threat definition probably needs some tweaking to cut down on the false positives.
05-04-2022 02:35 AM
Looks like its been updated from last content update
Applications and Threats Content Release Notes - Version 8565
Modified Anti-Spyware Signatures (1)
Severity ID Attack Name Category Default Action Change Minimum PAN-OS Version Maximum PAN-OS Version
critical 81845 Generic PHP Webshell File Detection webshell reset-both improved detection logic to address a possible fp issue 8.1.0
05-04-2022 05:33 AM
I also have this problem id 81845 (severity Critical) with user connections to the local web server on port 443 (web-browsing) and action reset-server.
05-04-2022 01:41 PM
I created an anti-spyware profile with an exception for 81845 and applied it to the necessary policies until this is corrected/fine tuned.
05-04-2022 01:49 PM
The 8565 update to Applications and Threats database has fixed the issue for me so far. My test file is no longer triggering the alert.
@Gareth-Doyle Has you PA applied the update yet?
05-04-2022 03:57 PM
The update fixed the multiple issues I had. Rolling back the custom AS policy now 🙂
05-04-2022 11:36 PM
I did a revert of Aplications and Threats to the previous version 8564
05-06-2022 02:02 PM
Latest Updates The signature 81845 has been revised to address the false positive issue and released on 05/03/2022 with the content update 8565.
This issue should be resolved if you update to content 8565 or higher.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
