06-20-2019 06:50 AM
Hello,
We are getting several false positives for the following:
Hashes: MD5 -
08-21-2019 09:35 AM
UPDATE:
Turns out there was a GPO to not permit logins to multiple sessions. This GPO called on a directory and copied some files locally. It wasn't until we started looking at the AV in addition to Palo we saw there was a "login.exe" being detected and flagged. After moving the user's OU and deleting the local copy, the GPO no longer applied and the alerts ceased.
Luckily there was a "misc:" field in the Palo alert which eventually tipped us off.
Best of luck!
08-20-2019 08:43 PM
I'm getting a similar false positive for Microsoft Directory Services/ms-ds-smbv3 - Virus/Win32.WGeneric.adwxyf. Occurs when attempting to copy Symantec Antivirus from a share.
09-04-2019 08:54 AM
In the future open a case with Palo Alto Networks through your portal. This is not the place to discuss your private network.
As a Palo Alto customer you have Support included and we could find and fix this much faster without exposing your files to the internet.