How can I submit a false positive malicious file review by e-mail?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How can I submit a false positive malicious file review by e-mail?

L1 Bithead

How can I submit a false positive malicious file review by e-mail?  I'm not a Palo Alto customer and have no access to the portal or software to follow the instructions I've found online.

 

Any help is appreciated.   Thank you.

6 REPLIES 6

L7 Applicator

Why do you want to report it via email?

I just want to submit a false positive for your review. I am not a Palo Alto customer and have no access to report it through the web portal.

   File - CheckRMM.exe
   md5: acf3e370e68a9970dced575a53b9b76e
   VirusTotal evaluation: https://www.virustotal.com/gui/file/9df6d9d6c362b28a3548e8fa4e89b159481503ca4a987f44471ffa5f12064650
   Download link to a compressed copy of this executable with a password of ‘infected’: https://www.netservicesgroup.com/sample/checkrmm.zip


Any assistance it appreciated. Thank you.

You can follow this pinned post here:
https://live.paloaltonetworks.com/t5/virustotal/virustotal-verdict-change-request-for-false-positive... 

 

Please provide the information in the pinned post and we can take a look at the file.  

I noticed on VT that this has a VT score of 29/67.  Can you give some incite as to why there would be such a high score for this file?  What is a description of this file?

All this file does is check for the existance of a Windows service.  If the service doesn't exist it sends and e-mail to so our team can take corrective action.  Its written in PowerShell and compiled to a EXE using signtool.exe by Authenticode.

 

Here is the PowerShell script source with a variables redacted for out security purposes.

& {$H = HOSTNAME; $service = Get-Service -Name '<redacted for security reasons>' -ErrorAction SilentlyContinue;if($service -eq $null) {$HostIP = (Get-NetIPConfiguration | Where-Object {$_.IPv4DefaultGateway -ne $null -and $_.NetAdapter.Status -ne 'Disconnected'}).IPv4Address.IPAddress; $Subject = [System.String]::Concat($H, ' (' , $HostIP, ') does not have RMM installed');$PSEmailServer = '<redacted for security reasons>';$password = ConvertTo-SecureString '<redacted for security reasons>' -AsPlainText -Force;$Cred = New-Object System.Management.Automation.PSCredential ('<redacted for security reasons>', $password);Send-MailMessage -From '<redacted for security reasons>' -To '<redacted for security reasons>' -Subject $Subject -UseSsl -Port 587 -Credential $Cred;}};

 

Any assistance it appreciated. Thank you.

I've submitted this for review

This file is no longer seen as malware 

  • 2246 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!