Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

False Positive: Virus/Win32.WGeneric.qqpeo(199010010)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

False Positive: Virus/Win32.WGeneric.qqpeo(199010010)

L0 Member

Hello,

 

We are getting several false positives for the following:

Hashes: MD5 - 

522aaef14fd04b0cfbb92a5fb67f8daa

c5d262166b7f4e9972d7e3e25df36d5c

1910b1d2c94992fc21c6431a0eae1d78

1ea5f8f65c07140d6fe639cf792a210c

ffabe0604710b1070d044aa137465cd1

48b696a3e96865a38cb4ee6c34163f19

8d6abf4c351ee1d30ba40ddd61a2d60f

b636ebe64a2905f61d659a854c5d5cf4

e4de7fb09f13c7d0cb4d31083a1b6706

ef002bca6c0f92debfa2d896a727ceaa

https://www.virustotal.com/gui/file/866aef3c8c9b4a7ccf6d6cad22a8b05d0ffed8e18590ec3d3e5b734d771363e3...

1 accepted solution

Accepted Solutions

UPDATE:

 

Turns out there was a GPO to not permit logins to multiple sessions. This GPO called on a directory and copied some files locally. It wasn't until we started looking at the AV in addition to Palo we saw there was a "login.exe" being detected and flagged. After moving the user's OU and deleting the local copy, the GPO no logger applied and the alerts ceased.

 

Luckily there was a "misc:" field in the Palo alert which eventually tipped us off.

 

Best of luck!

View solution in original post

3 REPLIES 3

L0 Member

I'm getting a similar false positive for Microsoft Directory Services/ms-ds-smbv3 - Virus/Win32.WGeneric.adwxyf. Occurs when attempting to copy Symantec Antivirus from a share. 

UPDATE:

 

Turns out there was a GPO to not permit logins to multiple sessions. This GPO called on a directory and copied some files locally. It wasn't until we started looking at the AV in addition to Palo we saw there was a "login.exe" being detected and flagged. After moving the user's OU and deleting the local copy, the GPO no logger applied and the alerts ceased.

 

Luckily there was a "misc:" field in the Palo alert which eventually tipped us off.

 

Best of luck!

In the future open a case with Palo Alto networks through your portal. THis is not the place to discuss your private network. 

As a Palo Alto customer you have Support included and we could find and fix this much faster without exposing your files to the internet. 

  • 1 accepted solution
  • 10523 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!