It is my opinion that Palo Alto Networks needs to improve its false positive reporting mechanism for 3rd party software vendors. For instance: we monitor our own software releases for false positive detections via VirusTotal. The majority of security vendors working with VirusTotal have simple mechanisms in place to report false positive detections to them, even if you don’t use their software. I can’t seem to find a way to report a false positive detection to Palo Alto Networks other than opening a support case. Of course, you can’t open a support case if you aren’t a licensed customer.
Please enhance your false positive reporting mechanism to allow software vendors to report problems in your definitions, or to request whitelisting; preferably via a private upload / private communication mechanism. I say it because your disclaimer doesn’t give me warm fuzzies about response or turnaround times for false positive reports we'll post in this forum.
“This forum is not a customer support venue. Palo Alto Networks staff will not engage in active discussions on this forum. Our staff will ingest properly formatted submissions for review and update Palo Alto Networks (Known Signatures) verdicts when appropriate.”
"Compatibility Test Application Program:
Application compatibility is important when trying to access a network. Without certified compatibility, users risk denied access and administrators must write policy exceptions.
The program enables CASB, NAC, SSL-VPN, and SSO compatibility on thousands of leading access controls from vendors like Palo Alto Networks and others. Compatibility ensures that the application can be detected, classified, and displayed from over 200,000,000 endpoints in a network administrator's management console." :
"Badges! WE don't Need Any Stink'in BADGES!" :
"Certify endpoint security application Compatibility, False Positives, and Quality. All certified vendors receive Badges to showcase that their applications are powerful, reliable, and efficient."
I totally understand the licensing aspects of the PAN solution. Since you don't have one, then just revert to the process of False Positives directly to VirusTotal.com. They have just begun this Threat Intel Sharing in the last week or two.
The interesting part that I thought was SOP at Virus Total is "THEY DO NOT" WHITELIST anything, unless the Virus Engine is reported to by the Virus Total client to work directly with AV vendor to determine if in fact it is a false positive and report the Positive Confirmation of the False Positive as referenced in Virus Total Anti Virus signature.
Speaking of Virus Total though leads to a pretty decent Personal/Free End-Point solution. Not to be confused with any other type of device other than personal is:
MetaDefender EndPoint Client:
MetaDefender Google Browser Extension:
What is this????:
VirusTotal.com is not responsible for the outcome of analysis, nor should they whitelist anything. VirusTotal.com simply aggregates scan results from different vendor definitions.
Definition providers (such as Palo Alto Networks, etc.) are ultimately responsible for detection signatures and whitelisting.
We’ve worked with many antivirus vendors interfacing with VirusTotal.com in the past, and most of them have a very simple mechanism to report false positive detections to them (upload via website, encrypted email, etc.). Palo Alto Networks does not appear to have such a mechanism, beyond posting in this forum. The forum’s disclaimer doesn’t seem to reassure that my false positive reports will be taken seriously and addressed in a reasonably fast manner.