About mivaldi

This is a duplicate of https://live.paloaltonetworks.com/t5/VirusTotal/False-positive-submission/m-p/236360#M765 ... View more

Reported this sample for manual verdict re-evaluation. ... View more

Jonathan,   If there are false positive alerts that means that there is a Palo Alto Networks customer experiencing this issue. If you see the VirusTotal report, you will see that the verdict for this sample by Palo Alto Networks is benign. The issue can be caused by a signature collision. In that case, please have the Palo Alto Networks customer open a case with our Support team, so we can work on investigating the signature collision, and see if we can find any way to have it resolved. ... View more

Thanks Brandon, commenting on my own post:   I have not, but if you think of it, it makes sense - most likely an optimization - Panorama doesn't need the list of IP's since it doesn't enforce Security Policies (traffic doesn't go through Panorama).   The reason why that may be wrong is that you should be able to define EDL exceptions in Panorama. ... View more

Mark, did you open a case with Support? We'd like to receive a DNSCrypt PCAP triggering the signature to provide it to our developers to have the signature improved. ... View more

By the time the firewall can compute the hash, the file already made its way through. You need the full file for hash computation. You would need the firewall to hold on to the file to hash it before delivery, and that would break downloads. The firewall is an in-line device, and not a proxy, so it is not currently possible. The hashing *can* be performed as an after the fact best-effort action, and it is what the firewall actually does to check verdicts and forward samples with/to WildFire.   An alternative is to manually extract a long enough hex stream of the file, and define custom signatures to detect them. That way you'd be able to use a Custom Vulnerability Protection signature to block specific files. You would have to define a custom signature per protocol (one for http, one for ftp, etc). Please review https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0 for additional information. ... View more

You are referring to the options that pop up when you click on select Vulnerability signatures that do have a 'Pencil and Paper' icon at the left of the Threat Name entry.   These are special 'Combination' signatures, the way they work is you have a parent and a child signature. Some people refer to them as a witness (for the parent) and event (for the child) signatures.   The idea is that the event(child) based signature is tracking events that by themselves (as isolated events), are not malicious in nature - i.e., login attempts to an SSH server, however, if you see a big number of these events in a very short time, it can be an indication of a brute force attempt. The key concept is the time component. The witness(parent) signature is tracking the n-ocurrences of the event(child) in a specified time window.   Event(Child) signatures do not need to write entries to the Threat logs to be counted by Witness(Parent) signatures. This means that the Parent signature will count ocurrences of the Child signature, even if it is not logging to the Threat Logs (action allow).   The source or source-and-destination aggregation criteria refers to definition of what the witness is counting as events in a given time-window. Going back to our example, if the same source is attempting to log-in using SSH to multiple different destination IP's within the specified time window, and your aggregation criteria is only source, then these events will all count toward the trigger condition of the witness signature, however, if you define it as source-and-destination, you define additional granularity and you'd be instantiating multiple time-windows where the trigger condition that is counted is the n-number of instances where a single source goes to a *specific* destination.   You can read additional details in our "Creating custom application and threat signatures" document available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0 (See Combination Signatures in Page 65).   There is also additional information on Brute Force signatures available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmpCAC ... View more

Sinkholing a DNS query does not guarantee a followup IP connection, especially if the Spyware has embedded intelligence to distinguish a true public IP vs a dummy sinkhole IP. ... View more

There were changes made to signature 31313 in Content version 8068-5026. Please work with Support to have this False Positive resolved. ... View more

You are mixing up 'applications' with 'protocols'.   For example, we have multiple apps that are not named web-browsing, that use the HTTP protocol and for which we can provide AV scanning.   To give you an example, when you say "AV should be enabled to all security policy rules that allow traffic for Apps: HTTP, SMTP, IMAP, POP3, FTP, and SMB", you are saying that HTTP is an app, and that is incorrect. We do not have an http app, the app is web-browsing.   This mixup is common with customers as well. If we documented "AV should be enabled to all security policy rules that allow traffic which use decoders: HTTP, SMTP, IMAP, POP3, FTP, and SMB", then that would be accurate, but would create a lot of confussion. You would be asking customers to be able to know which apps use which decoders. ... View more

AV enforcement is per-protocol, and WF signatures are also configured separately per-protocol in the Antivirus profile. AV will process for Security Policies configured to use it.   Answering your question: "Why would AV be enabled for a security policy using app=FTP, if AV does not have a decoder for this app=FTP?" ... AV would not be enabled for FTP traffic matching the security policy if the associated AV profile is not set to enfoce AV signatures for the ftp protocol.   ... View more

0f8b93833f4c860d1b9817d3ef2cbaf8c3f6d488786cbefc9f8fb2a4157eb9f5 is showing clean for Palo Alto Networks. That doesn't give me an indication that your signer *is not* in the trusted list already. You can request the signer to be added if we come across a signed FP in the future. ... View more

Already did.   ... View more