About ymiyashita

Most likely, it's a false positive. I'd suggest to open a support case to get it corrected and to find out the cause.     Btw, you may want to use the following discussion from the next time onwards, since 576037320 is not a custom signature. LIVEcommunity > Discussions > Cloud Delivered Security Services > Threat & Vulnerability ... View more

I suggest opening a support case. Whether it's False positive or True positive really depends on the signature (the unique threat ID is necessary for further investigation). ... View more

I would suggest to find the sample which is being blocked by the signature and check the verdict (you can upload it to the WildFire cloud to see the verdict). If it's benign, you can set an exception to allow the file temporarily as needed. It is called 'signature collision'. The signature was created for a bunch of malware samples. We should keep the signature enabled instead of disabling it. https://threatvault.paloaltonetworks.com/?query=479496371&type=   References: - Manually Upload Files to the WildFire Portal https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/submit-files-for-wildfire-analysis/manually-upload-files-to-the-wildfire-portal - What is an Antivirus collision in the case of a False Positive, and how can we deal with it? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWICA0 - How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC       ... View more

PA firewall is not the one which is affected. Palo Alto Networks released a signature (TID: 93319) to mitigate the issue in the Microsoft Exchange Server (CVE-2022-41080).   Reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41080   ... View more

Both PAN-202288 and PAN-206672 do not appear to be related to "Threat & Vulnerability". You may want to post it to "General Topics" or open a support case with Palo Alto Networks. ... View more

A signature was already released. It's a vulnerability protection signature (not an AV signature). https://threatvault.paloaltonetworks.com/?query=CVE-2022-2884&type=   Palo Alto Networks Firewall is not using GitLab, thus not affected by CVE-2022-2884. ... View more

Currently, we are evaluating the potential coverage for CVE-2022-36067. The time frame of the signature release really depends on the each vulnerabilities. For a signature coverage request in general, you may want to open a support case (from the next time onwards) so that Palo Alto Networks can know how many customers are requesting for the coverage. ... View more

Here's what it means. Threat-ID 8725: This event detects and strips the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.   It may disrupt applications that use TCP Fast Open. There's no security impact on the device.   As already mentioned above, there's no exception option for 8725 in the vulnerability profile. Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkrWCAQ ... View more

Hi @JiaXiang,   Regarding this particular vulnerability (CVE-2022-36067), Palo Alto Networks is still researching on it. At this time, there's no ETA. ... View more

Currently, Palo Alto Networks is researching on the vulnerability. There's no signature available yet.   For your reference: "A vulnerability/CVE is released; when will the vulnerability signature[IPS] be released? Why do some CVEs not have vulnerability signatures? What is default action?" https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAOnCAO   When there's an update, I can share the status here. ... View more

Hi @Adrian_Jensen, Can it be reproduced at will? If so, I'd suggest collecting a threat pcap on the firewall (or at least something that shows the POST data) and then open a case with Palo Alto Networks support.   Reference: HOW TO ENABLE THREAT PACKET CAPTURE FOR A SPECIFIC ANTI-SPYWARE SIGNATURE? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLMfCAO     Hi @02Harris, Are you seeing the issue with the exact same URL (hxxps://www.riddle[.]com/ws/connect/5)? ... View more