What is a signature collision?
Symptom
What is a signature collision?
Environment
Palo Alto Networks firewall
Antivirus inspection
Cause
A benign sample can trigger a signature that was originally created from a different sample, one that received a malware verdict.
- This happens when the benign sample contains exactly the same byte values at the same byte offsets as an earlier sample with a malicious verdict, for which a pattern-based signature was produced. When this occurs, it is known as a signature collision.
By contrast, when the sha256 hash of the file that matched the signature is the same as the hash of the sample that originally produced the signature, the match is not a collision; the malicious verdict on that sample can then be either a
- False positive (a truly benign file received a malware verdict), or
- True positive (a truly malicious file received a malware verdict)
Resolution
The first step is to make sure you are running the latest Antivirus and WildFire content packages from Dynamic Updates, and that a download-and-install schedule is configured. The recommended Dynamic Updates check frequencies are hourly for Antivirus and every minute for WildFire (or Real time on PAN-OS 10.0 and later).
Then search Threat Vault for the Unique Threat ID (UTID) shown in the firewall's Threat log and find the sha256 hashes associated with that signature. Compare the hash listed in Threat Vault for the UTID with the sha256 hash of the file that is triggering the signature in your environment. If the hashes differ, the match is a signature collision; if they are the same, the file is the sample that produced the signature and the question becomes whether that sample's verdict is a false positive or a true positive.
- Once a signature collision has been confirmed, add an Antivirus exception for the signature. If the collision affects many users and you want the signature re-evaluated, open a case with Palo Alto Networks Support.
- For a false positive, report the incorrect verdict of the sample associated with the signature. The "Report Incorrect Verdict" option requires the sample itself, and you may not have a copy of the original sample readily available; if it is not available, request the verdict change through Support.
- For a true positive, the recommendation is to add an Antivirus exception (see "Antivirus Exceptions"). If an Antivirus exception is not appropriate (Palo Alto Networks evaluates whether the sample is environment-specific or a widely used file that affects many customers), report the case to Palo Alto Networks Support following the instructions in:
How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC
Additional Information
You can identify possible signature collisions in the WildFire Submission logs by:
1. Enabling WildFire Benign and Grayware Reporting.
2. Querying the WildFire Submission logs with the display filter: (( verdict eq benign ) and ( action eq block ))
These are files that WildFire judged benign but that the firewall still blocked; confirm each one by comparing its sha256 hash with the hashes Threat Vault lists for the UTID, as described in the Resolution section.
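As an added example (not part of this article and not Palo Alto Networks code) of the Resolution procedure and of the benign-and-blocked filter above, the following Python script joins a constructed Threat log excerpt with a constructed WildFire Submission log excerpt, keeps the rows the display filter would select, and compares each file's sha256 hash with the hashes a constructed Threat Vault lookup lists for the UTID. The log column names, file contents, hashes, UTIDs and threat names are all assumptions made for the example, and parse_utid assumes the Threat log shows the UTID in parentheses after the threat name; in practice the Threat Vault hashes come from a manual lookup of the UTID.

```python
"""Triage helper for suspected signature collisions (added example, not Palo Alto Networks code)."""
from __future__ import annotations

import csv
import hashlib
import io
import re

# Assumption: Threat log threat names carry the UTID in parentheses, e.g. "Virus/Win32.WGeneric.abcd(123456)".
UTID_RE = re.compile(r"\((\d+)\)\s*$")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes: the value the logs and Threat Vault list as filedigest."""
    return hashlib.sha256(data).hexdigest()


# Constructed file contents standing in for the files seen on the network.
FILES = {
    "setup.exe": b"MZ constructed benign installer sharing a byte pattern with a sample",
    "tool.exe": b"MZ constructed bytes identical to the sample behind signature 234567",
    "report.pdf": b"%PDF-1.4 constructed malicious document bytes",
}
HASHES = {name: sha256_hex(data) for name, data in FILES.items()}

# Constructed Threat Vault data: UTID -> sha256 hashes of the sample(s) that produced the signature.
THREAT_VAULT = {
    123456: {sha256_hex(b"MZ constructed original sample that produced signature 123456")},
    234567: {HASHES["tool.exe"]},
    345678: {HASHES["report.pdf"]},
}

# Constructed Threat log excerpt (subset of columns; column names are an assumption).
THREAT_LOG_CSV = "\n".join([
    "receive_time,filename,filedigest,threatid,action",
    f"2024/05/01 10:01:02,setup.exe,{HASHES['setup.exe']},Virus/Win32.WGeneric.abcd(123456),drop",
    f"2024/05/01 10:05:11,tool.exe,{HASHES['tool.exe']},Virus/Win32.WGeneric.efgh(234567),drop",
    f"2024/05/01 10:07:40,report.pdf,{HASHES['report.pdf']},Virus/PDF.Generic.ijkl(345678),drop",
]) + "\n"

# Constructed WildFire Submission log excerpt (subset of columns), with Benign reporting enabled.
SUBMISSION_LOG_CSV = "\n".join([
    "receive_time,filename,filedigest,verdict,action",
    f"2024/05/01 10:01:03,setup.exe,{HASHES['setup.exe']},benign,block",
    f"2024/05/01 10:05:12,tool.exe,{HASHES['tool.exe']},benign,block",
    f"2024/05/01 10:07:41,report.pdf,{HASHES['report.pdf']},malware,block",
]) + "\n"


def parse_utid(threatid: str) -> int:
    """Extract the Unique Threat ID from a Threat log threat name."""
    m = UTID_RE.search(threatid)
    if not m:
        raise ValueError(f"no UTID in threat name: {threatid!r}")
    return int(m.group(1))


def collision_candidates(submission_csv: str) -> list[dict]:
    """Rows the article's display filter selects: (verdict eq benign) and (action eq block)."""
    rows = csv.DictReader(io.StringIO(submission_csv))
    return [r for r in rows if r["verdict"] == "benign" and r["action"] == "block"]


def classify(file_sha256: str, utid: int, threat_vault: dict[int, set[str]]) -> str:
    """Compare the hash of the file seen in your environment with the hashes Threat Vault lists for the UTID."""
    known = threat_vault.get(utid)
    if known is None:
        return "unknown UTID: confirm Antivirus/WildFire content is current, then look it up again"
    if file_sha256 not in known:
        return "signature collision: add an Antivirus exception; open a Support case if many users are affected"
    return "same sample as in Threat Vault: not a collision, dispute the verdict (Report Incorrect Verdict or Support)"


def triage(threat_csv: str, submission_csv: str, threat_vault: dict[int, set[str]]) -> dict[str, str]:
    """Join the two logs on filedigest and classify every blocked file that WildFire called benign."""
    threat_by_hash = {r["filedigest"]: r for r in csv.DictReader(io.StringIO(threat_csv))}
    results: dict[str, str] = {}
    for cand in collision_candidates(submission_csv):
        entry = threat_by_hash.get(cand["filedigest"])
        if entry is None:
            results[cand["filename"]] = "no matching Threat log entry for this hash"
            continue
        results[cand["filename"]] = classify(cand["filedigest"], parse_utid(entry["threatid"]), threat_vault)
    return results


if __name__ == "__main__":
    for name, outcome in triage(THREAT_LOG_CSV, SUBMISSION_LOG_CSV, THREAT_VAULT).items():
        print(f"{name}: {outcome}")
```

Before trusting the comparison, hash the copy of the file you actually have with sha256_hex and check that it equals the filedigest in the log; a file that was re-downloaded or modified after the block will not hash to the logged value, and comparing the wrong hash against Threat Vault would misclassify a same-sample case as a collision.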
Related articles:
Understanding File-Hash Logging in Antivirus and WildFire Events
Triage and Resolution of False Positives in Palo Alto Networks Antivirus Profiles
WildFire Report Incorrect Verdict (virus false positive or false negative)
How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats
How to verify the status and troubleshoot the WildFire Real Time Signature Updates feature