Palo Alto Networks Knowledgebase: What is an Antivirus collision in the case of a False Positive, and how can we deal with it?
Created On 02/07/19 23:35 PM - Last Updated 02/07/19 23:36 PM
An Antivirus collision is a case where a signature created for one malware file, or one malware family, also triggers on benign files that are unrelated to the original file(s) for which the signature was created. To understand this a little better, here is some background information:
Where do Antivirus signatures come from?
The Antivirus database contains all WildFire signatures that were created in the previous 24 hours. WildFire signatures are collected at the close of business hours every day, packed into a single database, and tested to ensure they are installable on all of our platforms. In short, the Antivirus package is a collection of the last 24 hours of WildFire packages, checked by us before distribution.
What are Antivirus signatures?
Antivirus signatures used by Palo Alto Networks software are a combination of bytes that is overlaid on a file while it is traversing the firewall. If those bytes match the bytes at the corresponding positions in the file, the action preset in the Antivirus protection profile is triggered.
As seen in the picture below, there are two types of actions: WildFire Action and Action; the former is used to determine what the firewall's action will be in the case a signature is matched from the WildFire database, and the latter, Action, is used to determine the firewall's action if a signature is matched from the AntiVirus database.
An Antivirus signature, in practice, is a static string representing a collection of bytes selected from a malicious file. The selection of bytes depends on the file type; signatures for PE (portable executable) files are not the same as signatures used for PDF or MS Office file types. We call this a static selection because, for a given file type, the bytes are usually taken from the same position (the same offset).
There are obvious reasons for selecting particular bytes for a signature, such as making sure that no bytes common to all files of that type are included; otherwise every such file would trigger the signature. Beyond that, the bytes are chosen so that polymorphic malware samples can be caught with a single signature: if the malware automatically changes portions of the file it uses, our signature would still catch it.
So, what are collisions?
Well, as mentioned, a signature is a static string representing a collection of bytes selected from a malicious file. Sometimes this selection happens to overlap with the bytes at the same positions in a benign file. That is what we call a signature collision. In practice there are few occurrences; as a percentage they are minimal considering how many files we see daily and how many signatures we publish on a daily, monthly and yearly basis. They still happen, unfortunately.
How do you deal with collisions?
For some file types, we can expand a signature (select more bytes) so that it matches the file more precisely; this often resolves the collision. When this is not possible, we make an educated decision based on how often the malware has been observed traversing the networks and firewalls that report to AutoFocus. If we have not seen that malware recently, we will disable the signature in favor of the benign file on which it triggered. This is an engineering decision in which we weigh the benefit to end users: if the malware was not seen recently, and the benign file is required for business continuity, we disable the signature in favor of the benign file.
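To make the mechanism concrete, here is an added Python model of a static, offset-based signature. It is not Palo Alto Networks' signature format, matching engine or any real signature; every file, offset, byte value and name in it is constructed for the example. It shows a signature built from bytes at fixed offsets of a malicious sample, the collision it produces on a benign file that happens to share those bytes, and the first remedy described above: expanding the signature with additional offsets while still avoiding the region a polymorphic variant rewrites.

```python
"""Toy model of offset-based antivirus signatures and signature collisions.

Added illustration, not Palo Alto Networks' signature format or engine.
All file contents, offsets and names are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    file_type: str
    offsets: Tuple[int, ...]   # static selection: fixed offsets for this file type
    expected: bytes            # the bytes the malicious sample had at those offsets

    def matches(self, data: bytes) -> bool:
        """Overlay the signature on the file: every selected offset must hold
        the expected byte. Files too short to contain the offsets never match."""
        if not data or max(self.offsets) >= len(data):
            return False
        return all(data[off] == exp for off, exp in zip(self.offsets, self.expected))


def make_signature(name: str, file_type: str, sample: bytes,
                   offsets: Tuple[int, ...]) -> Signature:
    """Build a signature by reading the sample's bytes at the chosen offsets."""
    return Signature(name, file_type, offsets, bytes(sample[o] for o in offsets))


def expand_signature(sig: Signature, sample: bytes,
                     extra_offsets: Tuple[int, ...]) -> Signature:
    """Add more offsets (taken from the original malicious sample) so the
    signature is more specific; this is the first remedy for a collision."""
    return make_signature(sig.name, sig.file_type, sample, sig.offsets + extra_offsets)


def collisions(sig: Signature, benign_corpus: Dict[str, bytes]) -> List[str]:
    """Names of known-benign files the signature would wrongly trigger on."""
    return [name for name, data in benign_corpus.items() if sig.matches(data)]


# --- constructed sample "files" (32 bytes each, PE-like layout) -------------
# Bytes 0..7 mimic a header shared by every file of this type; a signature must
# never be built from them, or it would trigger on all files of the type.
COMMON_HEADER = b"MZ\x90\x00\x03\x00\x00\x00"

MALWARE = (COMMON_HEADER
           + b"\x55\x8b\xec\x83\xe4\xf8\x33\xc0"   # offsets  8..15: code bytes
           + b"\xde\xad\xbe\xef"                   # offsets 16..19: volatile region
           + b"\x00" * 12)
# Polymorphic variant: the malware rewrote offsets 16..19 but kept the code bytes.
VARIANT = (COMMON_HEADER
           + b"\x55\x8b\xec\x83\xe4\xf8\x33\xc0"
           + b"\xca\xfe\xba\xbe"
           + b"\x00" * 12)
# Benign tool that happens to share the first four code bytes (a common prologue)
# but differs from offset 12 onwards.
BENIGN_TOOL = (COMMON_HEADER
               + b"\x55\x8b\xec\x83\xc4\x10\x31\xdb"
               + b"\x00" * 16)
BENIGN_OTHER = COMMON_HEADER + b"\x48\x83\xec\x28\x48\x8b\x05" + b"\x00" * 17

BENIGN_CORPUS = {"invoice_tool.exe": BENIGN_TOOL, "calc.exe": BENIGN_OTHER}

# Initial signature: four bytes at fixed offsets 8..11 of the PE-like layout.
NARROW_SIG = make_signature("Trojan.Example", "PE", MALWARE, (8, 9, 10, 11))
# Expanded signature: eight bytes at offsets 8..15, still avoiding the volatile
# region 16..19 so the polymorphic variant is still caught.
WIDE_SIG = expand_signature(NARROW_SIG, MALWARE, (12, 13, 14, 15))


def demo() -> Dict[str, object]:
    """Return the outcomes the text describes: detection, collision, remedy."""
    return {
        "narrow_detects_malware": NARROW_SIG.matches(MALWARE),
        "narrow_detects_variant": NARROW_SIG.matches(VARIANT),
        "narrow_collisions": collisions(NARROW_SIG, BENIGN_CORPUS),
        "wide_detects_malware": WIDE_SIG.matches(MALWARE),
        "wide_detects_variant": WIDE_SIG.matches(VARIANT),
        "wide_collisions": collisions(WIDE_SIG, BENIGN_CORPUS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the narrow signature catching both the sample and its variant but also colliding with the constructed benign tool, while the expanded signature keeps both detections and no longer collides. The trade-off the model makes visible is that expansion only works when the extra offsets fall in a region the malware keeps stable; had they been taken from offsets 16..19, the variant would have escaped.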
When we say business continuity, that is not a strict line we draw; we evaluate it on a per-case basis -- some business files being exchanged do qualify as justified for business continuity. On the other hand, if the colliding file is, for example, a Flash-based video game, we might keep our signature despite its collision with the benign file. Also, if malware whose signature we disabled should become active again, it is possible and probable that we would re-enable the signature regardless of the collision.
One more important thing to note: while this happens on rare occasions, both disabling and re-enabling a signature are done on a per-case basis, where our senior engineers evaluate the business importance and the scope and degree of interruption to the end user, and compare them to the potential risk of removing a signature. Such decisions are not made lightly and are taken with the best interest of ALL our users in mind.