False Positive Submission: 7zip installer

L1 Bithead

Hi There

The following is being detected as a virus, and since it's a reputable source, it's probably a false positive. VirusTotal detects no threat:

Virus/Win32.WGeneric.nnpwy(188234211)
http://www.7-zip.org/a/7z1602-x64.exe

https://www.virustotal.com/en/url/40719e870a1df9806d7a856f4dcf115b15c867c5dc4b8057ccfd7d59601df4df/a...

Thanks

L1 Bithead

Have I put this in the correct place?

L7 Applicator

@puppetjt

The Virus Total link you submitted is for the URL of the installer, not for the file.

The file is deemed Benign by WildFire.

The right SHA-256 for the sample is

f1601b09cd0c9627b1aab7299b83529e8fbc6b5078e43dfd81a1b0bfcdf4a308

The VirusTotal report is clean.

https://www.virustotal.com/en/file/f1601b09cd0c9627b1aab7299b83529e8fbc6b5078e43dfd81a1b0bfcdf4a308/...

If the file triggers an Antivirus signature, this is most likely a case of a signature collision.

Signature collisions happen when the digital patterns of a Benign file that the firewall looks at to determine a match with a virus signature coincide with those of a sample that has been determined to be Malware (which includes the possibility of a signature collision with a False Positive).

In this particular case, the Signature Collision is with sample f70870509dc2845e1720e68957f7a159b2cd7a2f69950d4707119f9bd5a6c5cc which is a trojanized version of the 7zip installer.

https://www.virustotal.com/en/file/f70870509dc2845e1720e68957f7a159b2cd7a2f69950d4707119f9bd5a6c5cc/...

In general, the recommendation in cases like these is to create an Antivirus Exception in the Antivirus profile tied to the Security Policy matching your traffic. The reason we can't disable the signature is that doing so would allow both the Benign installer and the trojanized version, resolving the problem for you but exposing everyone else to infection.

One of the possible counter-measures to this is to increase the specificity of the Malware signature, to make sure it matches the Malware variant and not the Benign file. The increased specificity of the signature does not always resolve the collisions, but I will give it a try and come back to you with our results.
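
The collision-and-specificity mechanism described in the post above, as an added illustration that is not part of the thread and not Palo Alto Networks' or 7-Zip's code: a toy byte-pattern "signature" that fires on both a constructed benign installer and a constructed trojanized copy, the same signature tightened to a marker only the trojanized copy carries, and the per-file exception keyed on SHA-256 that the post recommends in the meantime. The byte strings, sample names and signature format are constructed for the example; real WildFire signatures are not shown here.

```python
"""Toy model of an antivirus signature collision and the two ways the thread
describes to deal with it: tightening the signature, and a per-file exception.

Added example for this thread; it is not Palo Alto Networks' or 7-Zip's code.
The byte strings, the signature format and the sample names are constructed
for illustration and are not the real installer or a real WildFire signature.
"""
import hashlib

# Constructed stand-ins. Both share the installer's framing bytes; only the
# trojanized one carries an extra embedded marker standing in for a payload.
BENIGN_INSTALLER = (
    b"MZ" + b"\x90" * 16 + b"7-Zip 16.02 (x64) Setup" + b"\x00" * 16 + b"SFX-STUB"
)
TROJANIZED_INSTALLER = (
    b"MZ" + b"\x90" * 16 + b"7-Zip 16.02 (x64) Setup"
    + b"\x00" * 8 + b"<constructed-payload-marker>" + b"SFX-STUB"
)

# Constructed labelled corpus: name -> (bytes, label).
CORPUS = {
    "7z1602-x64.exe": (BENIGN_INSTALLER, "benign"),
    "trojanized-7zip": (TROJANIZED_INSTALLER, "malware"),
}

# A signature here is a list of byte patterns that must all be present.
# The loose one was "written against" the trojan but only uses bytes the
# genuine installer also contains, so it collides with the benign file.
LOOSE_SIGNATURE = [b"MZ", b"7-Zip 16.02 (x64) Setup", b"SFX-STUB"]
# The tight one anchors on bytes only the trojanized build carries.
TIGHT_SIGNATURE = [b"MZ", b"7-Zip 16.02 (x64) Setup", b"<constructed-payload-marker>"]


def signature_matches(sample: bytes, signature) -> bool:
    """True when every pattern of the signature occurs somewhere in the sample."""
    return all(pattern in sample for pattern in signature)


def evaluate(signature, corpus):
    """Return (detected, collisions): names of malware samples the signature
    hits and names of benign samples it hits, so a tightening can be checked
    to keep detection while dropping the false positive."""
    detected, collisions = [], []
    for name, (data, label) in corpus.items():
        if signature_matches(data, signature):
            (detected if label == "malware" else collisions).append(name)
    return detected, collisions


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA-256, the key an exception list should be built on."""
    return hashlib.sha256(data).hexdigest()


def verdict(sample: bytes, signature, exceptions) -> str:
    """Per-file exception, as the post recommends while the signature is still
    loose: a sample whose SHA-256 is on the exception list is allowed even
    though the signature fires. Keyed on the hash, so the trojanized build,
    whose hash differs, is still blocked."""
    if sha256_hex(sample) in exceptions:
        return "allow (exception)"
    return "block" if signature_matches(sample, signature) else "allow"


if __name__ == "__main__":
    print("loose signature:", evaluate(LOOSE_SIGNATURE, CORPUS))
    print("tight signature:", evaluate(TIGHT_SIGNATURE, CORPUS))
    allow_list = {sha256_hex(BENIGN_INSTALLER)}
    for name, (data, _) in CORPUS.items():
        print(name, "->", verdict(data, LOOSE_SIGNATURE, allow_list))
```

With the loose signature both samples match, so the genuine installer shows up as a collision; the tight signature still detects the trojanized sample and no longer touches the benign one. The exception list is keyed on the file hash rather than on the signature, which is why it clears the genuine installer without also clearing the trojanized build.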

 

 

L7 Applicator

We've made the signature more specific, to reduce the probability of collisions.

If the change yields the expected results, you should see the collision resolved after installing tomorrow's release of the Antivirus package.

L1 Bithead

Mivaldi

Thank you so much for looking into this. I'll have to wait until the release is ready, as I think I'm 4 hours off at this stage.

Out of interest, what was incorrect with the link I gave? It was indeed the installer itself that was flagging on the Palo Alto (literally just clicking that link in the browser would throw the error). The reason I'm interested is that I'd like to understand how better to submit these issues in the future.

Thanks

JT

L7 Applicator

When you submit a URL to Virus Total instead of a File, it scans the website for any persistent malicious code that would attempt to hijack your browser. The follow-up download is covered in a separate report. (I just realized there's a left-over link that points you to the analysis of the downloaded file.)

So it was not incorrect, but the VT report you submitted was for the URL, not the file (not a big deal).

If you are a Palo Alto Networks customer, you should open a case with Palo Alto Networks Support, instead of using this forum.
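
To make the URL-report versus file-report distinction from the reply above concrete, here is an added Python example that is not from the thread, Palo Alto Networks or VirusTotal. It classifies a VirusTotal link by its path, assuming the `/<lang>/url/<id>/...` and `/<lang>/file/<sha256>/...` layout of the links quoted in this thread, and checks that a file-report link's hash actually equals the SHA-256 of the bytes you downloaded, which is the report a false-positive submission should be argued from. The sample bytes are constructed; the SHA-256 constant is the one quoted for 7z1602-x64.exe in this thread.

```python
"""Tell a VirusTotal URL report apart from a file report, and check that a
file report's hash is the hash of the file you actually downloaded.

Added example for this thread; not Palo Alto Networks' or VirusTotal's code.
It assumes the link layout seen in the thread (/<lang>/url/<id>/... and
/<lang>/file/<sha256>/...). The sample bytes are constructed, not the real
installer; the SHA-256 constant is the one quoted in the thread.
"""
import hashlib
import hmac
import re
from urllib.parse import urlparse

# SHA-256 of 7z1602-x64.exe as posted in the thread.
KNOWN_GOOD_SHA256 = "f1601b09cd0c9627b1aab7299b83529e8fbc6b5078e43dfd81a1b0bfcdf4a308"

# Constructed stand-in for a download (NOT the real installer bytes).
SAMPLE_DOWNLOAD = b"MZ" + b"\x00" * 62 + b"constructed sample, not 7-Zip"

_SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_bytes(data: bytes) -> str:
    """Lowercase hex SHA-256 of an in-memory download."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file from disk so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_vt_link(link: str):
    """Return (kind, identifier) where kind is 'url', 'file' or 'unknown'.

    A 'url' report describes the page at that address; the downloaded binary
    gets its own 'file' report keyed by SHA-256. Layout is an assumption
    taken from the links quoted in the thread.
    """
    parts = [p for p in urlparse(link).path.split("/") if p]
    if len(parts) >= 3 and parts[1] in ("url", "file"):
        return parts[1], parts[2]
    return "unknown", ""


def file_report_matches(link: str, data: bytes) -> bool:
    """True only if link is a file report whose SHA-256 equals the hash of data.

    compare_digest avoids timing differences; lower() tolerates an uppercase
    hash copied from a web page.
    """
    kind, ident = parse_vt_link(link)
    if kind != "file" or not _SHA256_RE.match(ident):
        return False
    return hmac.compare_digest(ident.lower(), sha256_bytes(data))


if __name__ == "__main__":
    url_report = ("https://www.virustotal.com/en/url/"
                  "40719e870a1df9806d7a856f4dcf115b15c867c5dc4b8057ccfd7d59601df4df/a...")
    file_report = f"https://www.virustotal.com/en/file/{KNOWN_GOOD_SHA256}/..."
    print(parse_vt_link(url_report))
    print(parse_vt_link(file_report))
    # Our constructed bytes are not the installer, so this is False.
    print(file_report_matches(file_report, SAMPLE_DOWNLOAD))
```

Run against a real download, `sha256_file(path)` should equal the hash in the file-report link before the report is cited as evidence of a false positive; a URL report, whatever its verdict, says nothing about the binary the firewall inspected.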
