This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About mivaldi

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mivaldi
‎05-07-2026
since ‎04-03-2014
L7 Applicator
User Activity
User Profile
Latest posts by mivaldi
View All
User Badges
Community Statistics
Member Since ‎04-03-2014 01:35 PM
Date Last Visited ‎05-07-2026 10:39 AM
Posts 746
Total Likes Received 163

Re: Mass unsubscribe

by in Advanced Threat Prevention Discussions
‎02-20-2018 03:48 PM
‎02-20-2018 03:48 PM
The problem may not be that it could have been blacklisted, but instead, it hasn't been whitelisted. It's possible the Palo Alto Networks firewall is extracting the elink and following it to test whether it's a safe link. The sole fact that it's following the link to test it is causing the unsubs. You should look into whitelisting the domain so that the firewalls' won't automatically follow your unsubs links. You can explore this option with Support. ... View more

Re: IP blcoking on ip scan

by in Advanced Threat Prevention Discussions
‎02-14-2018 03:08 PM
‎02-14-2018 03:08 PM
Depending on how the scan was performed, it could have also triggered Host Sweep, TCP Port Scan or UDP Port Scan Reconnaissance protections in Zone Protection. Check the Threat Logs for any entries related to type (if i remember correctly) 'scan'.   If the activity triggered a Network Flood protection you would find Threat Log entries with log type 'flood'. ... View more

Re: False positive removal request-generic.ml

by in VirusTotal
‎02-14-2018 02:58 PM
‎02-14-2018 02:58 PM
We can whitelist a signer. Are these samples digitally signed? ... View more

Re: Dynamic IP List import now failed

by in Advanced Threat Prevention Discussions
‎02-07-2018 02:06 PM
‎02-07-2018 02:06 PM
The recommendation is to use EDL's in two separate rules. One to cover connections going out to the bad IP's One to cover connections coming from the bad IP's. ... View more

Re: How to block Crypto Miner (javascript)

by in Advanced Threat Prevention Discussions
‎02-07-2018 10:27 AM
1 Kudo
‎02-07-2018 10:27 AM
1 Kudo
Sinkhole is meant to discover infected hosts when the only thing the firewall sees is queries sourced from an internal DNS server. (Internal DNS server obscuring real source IP's of hosts querying for malicious domains). The idea is that infected hosts may carry out a subsequent connection after resolving a malicious domain, and these will initiate new traffic to the *sinkhole ip* - therefore you would use the traffic logs to see which hosts are attempting to initiate traffic to the *sinkhole ip* (and discover which hosts are infected). If that's not your topology, then it's better to block.   By the way, you can also set an EDL of type Domain to action 'sinkhole' in the Anti-Spyware profile. ... View more

Re: Threat ID 39341 - Metasploit Windows Meterpreter Reverse HTTPS Detection

by in Advanced Threat Prevention Discussions
‎02-05-2018 01:43 PM
1 Kudo
‎02-05-2018 01:43 PM
1 Kudo
The signature is based off clear-text of the actual 'reverse https tool' payload being transferred over the wire. If the tool is transferred using HTTPS then SSL Decryption should take place before-hand for the IPS engine to pattern-match with this signature. ... View more

Re: Palo Alto not flagging dangerous/malicious IP addresses as such?

by in Advanced Threat Prevention Discussions
‎02-05-2018 01:22 PM
1 Kudo
‎02-05-2018 01:22 PM
1 Kudo
IP addresses that are typically associated with malicious activity tend to be ephemeral since the devices engaging in C2 are often times benign devices that have been compromised.   URL Categorization is for websites, and it's limited to HTTP traffic, that's why you would see an insufficient-content categorization.   IP Addresses in the pre-build EDL's (High-risk, and Known-malicious), are exhaustably manually vetted to make sure they are not ephemeral benign compromised hosts.   Instead of creating IOC's based on IP's, we are instead interested in identifying traffic by its patterns, so that if the C2 moves to a different IP, the signature continues to be useful, therefore, we would recommend to engage support, and present with a packet capture of C2 traffic, so that we can build a signature based on traffic patterns - instead of destination IP's. ... View more

Re: False Positive Report generic.ml

by in VirusTotal
‎01-29-2018 10:50 AM
‎01-29-2018 10:50 AM
9459a48553450ca7101437e14d36fc1b04cb872afd430131645d21cfdea3dece's verdict has been changed to Benign. The associated signatures will be removed with the next release of the Antivirus database. ... View more

Re: False Positive Report generic.ml

by in VirusTotal
‎01-29-2018 10:27 AM
‎01-29-2018 10:27 AM
I submitted 9459a48553450ca7101437e14d36fc1b04cb872afd430131645d21cfdea3dece for FP analysis ... View more

Re: MTGAInstaller.exe

by in VirusTotal
‎01-25-2018 10:24 AM
‎01-25-2018 10:24 AM
The verdict has been updated to grayware and the associated signature has been disabled. The reason for the grayware verdict is that the sample downloads an unverified .msi package. ... View more

Re: MTGAInstaller.exe

by in VirusTotal
‎01-24-2018 02:10 PM
‎01-24-2018 02:10 PM
Thank you. The sample was submitted for FP analysis. ... View more

Re: Block all countries except two - US and India

by in Advanced Threat Prevention Discussions
‎01-22-2018 05:12 PM
2 Kudos
‎01-22-2018 05:12 PM
2 Kudos
You have a couple alternatives.   One is to use two (or three) Security Policies, The first one allowing all traffic from (and/or a second rule for trafic *to*) US and India Regions, the next rule listed right after these rules, blocking destination any.   The second option is to use the Negate option. You would configure a Deny rule, and add US and India, then in the Source or Destination Address (depending on which direction of sessions you want to block, you may need to use separate rules for either direction) use the Negate checkbox, which will say, Deny everything 'except' these two Regions.   #1 Pros: Configuration is obvious to anyone reading it, especially if you need to add security profiles in the Actions tab. #1 Cons: You need two (or three, to cover sessions in either direction) rules   #2 Pros: You need only one rule (or two, to cover sessions in either direction) #2 Cons: Configuration may look awkward to someone who doesn't understand what the Negate option does, and it's also counter-intuitive to see Security Profiles configured in a Deny policy. ... View more

Re: Testing 8.0 Credential phishing prevention

by in General Topics
‎01-11-2018 02:52 PM
‎01-11-2018 02:52 PM
I suggest you create a bogus user with a bogus password and test it. ... View more

Re: Command & Control or Just Ads?

by in Advanced Threat Prevention Discussions
‎01-11-2018 11:05 AM
‎01-11-2018 11:05 AM
Open a case with Palo Alto Networks Support to analyze whether these are FP's. If these are indeed Ads and not Malware, then the signatures should be disabled. ... View more

Re: False positive removal request (generic.ml)

by in VirusTotal
‎01-09-2018 11:31 AM
‎01-09-2018 11:31 AM
You had to wait for the update, it's showing clean now. If I understood the update correctly from our analysts, the signer has been added to the trusted signer list, but I don't have a way to verify that at this time. If you observe a new FP, please make sure to request the signer be added to the trusted list to prevent FP's from reocurring. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎05-07-2026 10:39 AM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks