07-26-2023 09:32 AM
Our SIEM has received several virus alerts from the Palo firewall since mid July. The AV or Wildfire has flagged Adobe and Microsoft files. And now a web site for a digital transformation and process company smartupload.sutherlandglobal.com. Alerts include:
Virus/Win32.WGeneric.dzuhnx(#s removed) was detected at Microsoft.VisualStudio.Web.Scaffolding.vsix
Virus/Win32.pioneer.uzd(#s removed) was detected at VulcanMessage5.dll
Dropper/Win32.fiy.clu(#s removed) was detected at AGMService.exe
Has anyone else seen this odd behaviour lately?
07-26-2023 11:42 AM
Yes, have seen the same for the last two. Appears to be a false positive which was finally removed.
Threat ID 593953851 - Dropper/Win32.fiy.clu was entered into the AV database on or about 7/18. On 7/19 it started constantly flagging the Adobe Photoshop update process trying to download AGMService.exe. The AV database entry completely disappeared on 7/20 like it never existed...
This was then followed by Threat ID 595725048 - Virus/Win32.mikcer.flsd which was entered into the AV database sometime on or before 7/20. It flagged the same AGMService.exe file from Adobe. The AV database entry was updated at some point around 7/21 and stopped detecting the Adobe file, but the database doesn't give the initial release date... just a 7/25 current release update.
Threat ID 595101261 - Virus/Win32.pioneer.uzd was entered into the Wildfire database on 7/18 and the main AV database on 7/20 (I think). On 7/21 it started constantly flagging Adobe Photoshop update processes trying to download VulcanMessage5.dll file. The Wildfire database entry is no longer active (as of yesterday?), the AV database entry has completely disappeared yesterday like it never existed.
Overall... yeah not happy with PA as they keep having these false positive database entries that have all their information wiped like they never happened, instead of showing the true initial release and withdrawal dates....
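Since the vendor database drops withdrawn entries without keeping their release and withdrawal dates, the timeline has to be rebuilt from your own SIEM alerts. The following is an added example, not code from the thread or from Palo Alto Networks: it parses alert lines in the format quoted above (assuming the threat ID sits in the parentheses that the post redacted and that each line is prefixed with a timestamp), records first/last hit per threat ID, and lists IDs that have gone quiet, which is the signal that a signature was pulled and the open cases may be false positives.

```python
import re
from datetime import datetime, timedelta

# Alert text as quoted in the thread; the "(#s removed)" part is assumed to
# hold the numeric Threat ID, and a "YYYY-MM-DD HH:MM:SS" timestamp is assumed.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<name>\S+?)\((?P<tid>\d+)\) was detected at (?P<file>\S+)$"
)

# Constructed sample lines. Threat IDs 593953851, 595725048 and 595101261 are
# the ones named in the thread; 999999999 is a placeholder for the redacted one.
SAMPLE_ALERTS = """\
2023-07-19 08:01:12 Dropper/Win32.fiy.clu(593953851) was detected at AGMService.exe
2023-07-19 14:22:03 Dropper/Win32.fiy.clu(593953851) was detected at AGMService.exe
2023-07-20 09:10:44 Virus/Win32.mikcer.flsd(595725048) was detected at AGMService.exe
2023-07-21 10:30:00 Virus/Win32.pioneer.uzd(595101261) was detected at VulcanMessage5.dll
2023-07-24 16:45:09 Virus/Win32.pioneer.uzd(595101261) was detected at VulcanMessage5.dll
2023-07-22 11:00:00 Virus/Win32.WGeneric.dzuhnx(999999999) was detected at Microsoft.VisualStudio.Web.Scaffolding.vsix
"""

def parse_alert(line):
    """Return a dict for one alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "name": m["name"], "tid": int(m["tid"]), "file": m["file"]}

def build_timeline(lines):
    """Per Threat ID: signature name, first/last hit, hit count, files flagged."""
    timeline = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # unrelated SIEM line
        rec = timeline.setdefault(a["tid"], {"name": a["name"], "first": a["ts"],
                                             "last": a["ts"], "hits": 0, "files": set()})
        rec["first"] = min(rec["first"], a["ts"])
        rec["last"] = max(rec["last"], a["ts"])
        rec["hits"] += 1
        rec["files"].add(a["file"])
    return timeline

def quiet_threat_ids(timeline, now, quiet_days=2):
    """IDs with no hit in the last quiet_days: likely withdrawn signatures, so
    their open SIEM cases should be re-checked against the vendor's current DB."""
    cutoff = now - timedelta(days=quiet_days)
    return sorted(tid for tid, rec in timeline.items() if rec["last"] < cutoff)

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_ALERTS.splitlines())
    for tid, rec in sorted(tl.items()):
        print(tid, rec["name"], rec["first"].date(), rec["last"].date(), rec["hits"])
    print("quiet:", quiet_threat_ids(tl, datetime(2023, 7, 26)))
```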
08-20-2023 10:54 PM
False Positives: Sometimes, security tools can mistakenly flag legitimate files as malicious. Given the nature of the flagged files (associated with Microsoft and Adobe), this is a possibility.
Infected Source: There's a chance you've downloaded the software from a non-official or compromised source.
Outdated Signatures: The threat database or signatures of your security tools might be outdated, leading to incorrect flagging.
I haven't personally seen these specific flags recently, but I would advise:
- Ensure you're downloading software and updates only from official sources.
- Update your security tools and their signatures.
- Check with the vendors (Adobe, Microsoft, Sutherland Global) for any known issues.
- If you're part of a larger organization or network, reach out on security forums or groups related to Palo Alto Networks for shared experiences.