Virus alerts on odd files in July 2023


L0 Member

Our SIEM has received several virus alerts from the Palo firewall since mid-July. The AV or WildFire has flagged Adobe and Microsoft files, and now a web site for a digital transformation and process company, smartupload.sutherlandglobal.com. Alerts include:

 

Virus/Win32.WGeneric.dzuhnx(#s removed) was detected at Microsoft.VisualStudio.Web.Scaffolding.vsix

Virus/Win32.pioneer.uzd(#s removed) was detected at VulcanMessage5.dll

Dropper/Win32.fiy.clu(#s removed) was detected at AGMService.exe

 

Has anyone else seen this odd behaviour lately?

2 REPLIES

L6 Presenter

Yes, I have seen the same for the last two. It appears to be a false positive, which was finally removed.

 

Threat ID 593953851 - Dropper/Win32.fiy.clu was entered into the AV database on or about 7/18. On 7/19 it started constantly flagging the Adobe Photoshop update process trying to download AGMService.exe. The AV database entry completely disappeared on 7/20 like it never existed...

 

This was then followed by Threat ID 595725048 - Virus/Win32.mikcer.flsd which was entered into the AV database sometime on or before 7/20. It flagged the same AGMService.exe file from Adobe. The AV database entry was updated at some point around 7/21 and stopped detecting the Adobe file, but the database doesn't give the initial release date... just a 7/25 current release update.

 

Threat ID 595101261 - Virus/Win32.pioneer.uzd was entered into the WildFire database on 7/18 and the main AV database on 7/20 (I think). On 7/21 it started constantly flagging Adobe Photoshop update processes trying to download the VulcanMessage5.dll file. The WildFire database entry is no longer active (as of yesterday?), and the AV database entry completely disappeared yesterday like it never existed.

 

Overall... yeah not happy with PA as they keep having these false positive database entries that have all their information wiped like they never happened, instead of showing the true initial release and withdrawal dates....
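The two posts above describe the same pattern from two angles: the SIEM shows a stream of "X was detected at FILE" messages, and the reply shows that the signatures behind them were entered into the AV database and withdrawn again within a few days. The following is an added triage helper, not code from either poster or from Palo Alto Networks. It parses the alert message format exactly as rendered in the first post (the `(#s removed)` placeholder is handled as a missing Threat ID), joins each alert to a constructed snapshot of signature history built from the dates in the reply (year 2023 assumed from the thread title; the snapshot date 2023-07-21 is constructed), and gives each flagged file a verdict a defender can act on: withdrawn signature, brand-new signature, established signature, or unknown.

```python
"""Triage recurring AV alerts against signature lifetime (added example, constructed data)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Message shape as the SIEM rendered it in the first post; assumed to be stable.
ALERT_RE = re.compile(
    r"^(?P<category>[A-Za-z]+)/(?P<name>\S+?)\((?P<threat_id>[^)]*)\)"
    r" was detected at (?P<filename>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    category: str            # Virus, Dropper, ...
    name: str                # e.g. Win32.fiy.clu
    threat_id: Optional[int] # None when the SIEM message carried no numeric ID
    filename: str

    @property
    def signature(self) -> str:
        return f"{self.category}/{self.name}"


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a recognised message, or None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    raw_id = m.group("threat_id").strip()
    threat_id = int(raw_id) if raw_id.isdigit() else None
    return Alert(m.group("category"), m.group("name"), threat_id, m.group("filename"))


@dataclass(frozen=True)
class SignatureHistory:
    threat_id: int
    signature: str
    first_seen: date
    withdrawn: Optional[date]  # None while the entry is still in the database


def lifetime_days(hist: SignatureHistory, today: date) -> int:
    """Days the signature has been (or was) in the database as of `today`."""
    return ((hist.withdrawn or today) - hist.first_seen).days


def triage(alerts: List[Alert], histories: List[SignatureHistory], today: date,
           short_lived_days: int = 7) -> Dict[str, str]:
    """Map each flagged filename to a verdict based on its signature's lifetime."""
    by_id = {h.threat_id: h for h in histories}
    by_sig = {h.signature: h for h in histories}
    verdicts: Dict[str, str] = {}
    for a in alerts:
        # Prefer the numeric Threat ID; fall back to the name when the ID is missing.
        hist = by_id.get(a.threat_id) if a.threat_id is not None else by_sig.get(a.signature)
        if hist is None:
            verdicts[a.filename] = "unknown signature: check the vendor threat database before acting"
        elif hist.withdrawn is not None:
            verdicts[a.filename] = (f"signature withdrawn after {lifetime_days(hist, today)} day(s): "
                                    "likely false positive")
        elif lifetime_days(hist, today) < short_lived_days:
            verdicts[a.filename] = "new signature: hold quarantine decisions, re-check in a few days"
        else:
            verdicts[a.filename] = "established signature: treat as a real detection"
    return verdicts


# Constructed sample input: the three message lines quoted in the first post.
SAMPLE_ALERT_LINES = [
    "Virus/Win32.WGeneric.dzuhnx(#s removed) was detected at Microsoft.VisualStudio.Web.Scaffolding.vsix",
    "Virus/Win32.pioneer.uzd(#s removed) was detected at VulcanMessage5.dll",
    "Dropper/Win32.fiy.clu(#s removed) was detected at AGMService.exe",
]

# Constructed snapshot as of 2023-07-21, using the Threat IDs and dates given in the reply.
SNAPSHOT_DATE = date(2023, 7, 21)
SAMPLE_HISTORY = [
    SignatureHistory(593953851, "Dropper/Win32.fiy.clu", date(2023, 7, 18), date(2023, 7, 20)),
    SignatureHistory(595101261, "Virus/Win32.pioneer.uzd", date(2023, 7, 20), None),
]


def run_sample() -> Dict[str, str]:
    alerts = [a for a in map(parse_alert, SAMPLE_ALERT_LINES) if a is not None]
    return triage(alerts, SAMPLE_HISTORY, SNAPSHOT_DATE)


if __name__ == "__main__":
    for filename, verdict in run_sample().items():
        print(f"{filename}: {verdict}")
```

The lookup falls back to the signature name only because the SIEM stripped the numeric IDs; where the Threat ID is present it is the more reliable join key, since names can be reused across database revisions. The snapshot itself has to come from somewhere: the reply's complaint is precisely that withdrawn entries vanish from the vendor database, so keeping your own dated record of when a signature first appeared in your alerts is what makes this kind of triage possible.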

L0 Member

There are a few possible explanations:

- False Positives: Sometimes security tools mistakenly flag legitimate files as malicious. Given the nature of the flagged files (associated with Microsoft and Adobe), this is a possibility.
- Infected Source: There's a chance you've downloaded the software from a non-official or compromised source.
- Outdated Signatures: The threat database or signatures of your security tools might be outdated, leading to incorrect flagging.

I haven't personally seen these specific flags recently, but I would advise:

- Ensure you're downloading software and updates only from official sources.
- Update your security tools and their signatures.
- Check with the vendors (Adobe, Microsoft, Sutherland Global) for any known issues.
- If you're part of a larger organization or network, reach out on security forums or groups related to Palo Alto Networks for shared experiences.
