Anyone else seeing a large number of threat alerts this morning for the new generic signatures added last night? Seeing dozens this morning coming from user document downloads from a trusted financial source. I haven't fully decrypted the data yet, but it appears to be false positives. Anyone know exactly what all these new critical threat signatures are supposed to be targeting?
I extracted the packet dumps and compared across multiple different sites triggering the alert. The common string is a 622 byte JFIF v1.01 background image file with the "22222" string in it (more likely all pixels in a color channel set to the same value). The file seems to have a few anomalies, but I am not an expert on JFIF formatting. Nothing obviously wrong in the image and certainly not "PHP Webshell" code. The extracted JFIF file, by itself, triggers 81845 when passed through the PA.
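For anyone triaging a file that 81845 flags, here is an added example (not from this thread, and not Palo Alto Networks code): a small Python script that walks the JPEG/JFIF marker chain, reports the JFIF version from the APP0 header, scans the raw bytes for PHP and script tokens a generic webshell signature would plausibly key on, and measures the longest run of a single repeated byte (the "22222" pattern noted above). The two sample byte strings at the bottom are constructed for the example and are not the 622-byte file from the alert; the benign sample omits frame and scan segments to stay short.

```python
import struct

# Marker names for the segments a plain baseline JFIF normally carries.
MARKER_NAMES = {0xE0: "APP0", 0xDB: "DQT", 0xC0: "SOF0", 0xC2: "SOF2",
                0xC4: "DHT", 0xDA: "SOS", 0xFE: "COM", 0xD9: "EOI"}

# Byte patterns a generic PHP webshell signature is likely to look for
# (assumed list; the actual 81845 logic is not public).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"eval(", b"base64_decode(")


def parse_segments(data: bytes):
    """Walk the JPEG marker structure. Returns [(name, payload), ...] ending
    with EOI, or raises ValueError if the marker chain is malformed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    segments, pos = [("SOI", b"")], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:
            segments.append(("EOI", b""))
            return segments
        if 0xD0 <= marker <= 0xD7:    # RSTn markers carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        segments.append((MARKER_NAMES.get(marker, f"0x{marker:02X}"), payload))
        pos += 2 + length
        if marker == 0xDA:            # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker")


def jfif_version(segments):
    """Return 'major.minor' from the APP0 JFIF header, or None if absent."""
    for name, payload in segments:
        if name == "APP0" and payload[:5] == b"JFIF\x00" and len(payload) >= 7:
            return f"{payload[5]}.{payload[6]:02d}"
    return None


def longest_byte_run(data: bytes):
    """(byte_value, run_length) of the longest run of one repeated byte."""
    best, run_val, run_len = (None, 0), None, 0
    for b in data:
        run_val, run_len = (b, run_len + 1) if b == run_val else (b, 1)
        if run_len > best[1]:
            best = (run_val, run_len)
    return best


def triage(data: bytes) -> dict:
    """Summarise what a flagged file actually is, for comparison with the alert."""
    try:
        segments = parse_segments(data)
        valid, names = True, [n for n, _ in segments]
    except ValueError as exc:
        segments, valid, names = [], False, [str(exc)]
    return {
        "size": len(data),
        "valid_structure": valid,
        "segments": names,
        "jfif_version": jfif_version(segments),
        "script_markers": [m.decode() for m in SCRIPT_MARKERS if m in data],
        "longest_run": longest_byte_run(data),
    }


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF 1.01 header, a comment segment of repeated '2' bytes,
# one quantisation table, then EOI. Not the file from the thread.
_APP0 = b"JFIF\x00\x01\x01\x00" + struct.pack(">HH", 1, 1) + b"\x00\x00"
SAMPLE_BENIGN = (b"\xff\xd8" + _segment(0xE0, _APP0) + _segment(0xFE, b"2" * 24)
                 + _segment(0xDB, b"\x00" + bytes(range(1, 65))) + b"\xff\xd9")
# Same skeleton with a PHP open tag placed in the comment segment (constructed).
SAMPLE_WEBSHELL = (b"\xff\xd8" + _segment(0xE0, _APP0)
                   + _segment(0xFE, b"<?php echo 'x'; ?>") + b"\xff\xd9")

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("webshell", SAMPLE_WEBSHELL)):
        print(label, triage(blob))
```

Run `triage()` on the bytes carved from the packet dump: a file that parses cleanly to EOI, reports JFIF 1.01, shows an empty `script_markers` list and a long single-byte run is consistent with a flat-colour image rather than a script, which is the evidence worth attaching when opening a false-positive case with support.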
I have been seeing false positives on 81845 too. I have been carrying out Exchange to 365 migrations for a week now fine, but for nearly a day I have been having transfers failing and lots of alerts (several times a minute) from our PAN showing 81845 threats being triggered. Given that our MS Exchange definitely is not using PHP, it should not be getting caught on this one.
When I stop migrations, the alerts stop.
So this threat definition probably needs some tweaking to cut down on the false positives.
Looks like it's been updated in the last content update.
Applications and Threats Content Release Notes - Version 8565
Modified Anti-Spyware Signatures (1)
Severity: critical
ID: 81845
Attack Name: Generic PHP Webshell File Detection
Category: webshell
Default Action: reset-both
Change: improved detection logic to address a possible fp issue
Minimum PAN-OS Version: 8.1.0
Maximum PAN-OS Version: