Triage and Resolution of False Positives in Palo Alto Networks Antivirus Profiles

160706

Created On 09/26/18 19:13 PM - Last Modified 09/16/25 15:18 PM

Antivirus

Security Policy

Signatures

Threat Log

WF-500 Appliance

Analysis

Threat Intelligence

Threat Prevention

8.1

8.0

9.0

9.1

10.0

PAN-OS

WildFire

Symptom

A benign file is detected as malicious.

Environment

All PAN-OS version.

Cause

The Antivirus profile on Palo Alto Networks firewalls is designed to block malicious files. However, benign files may occasionally be incorrectly blocked.

Notes

1. Confidence in File Integrity: This triage assumes that the file comes from a trusted source and is highly likely to be benign.

2. Threat Log Relevance: This triage applies only to threat log entries with the types 'antivirus' or 'wildfire-virus'. It does not apply to entries of type 'ml-virus', 'spyware', or 'vulnerability'.

3. VirusTotal Guidance: VirusTotal results are a useful reference but not definitive in all cases.

Scenarios

Scenario 0: Dynamic Updates Not Current, Signature Already Disabled
Sometimes, a false positive affects multiple customers, and the problematic signature has already been disabled. Ensure that your Dynamic Updates schedule is properly configured.

Scenario 1: False Positive Due to Incorrect WildFire Verdict
A benign file analyzed by WildFire was incorrectly classified as malicious, leading to an Antivirus signature being created based on this incorrect verdict.

Scenario 2: Signature Collision with an Incorrect WildFire Verdict
Other benign files (with different SHA256 hashes) are flagged because their binary structure matches the signature of a file incorrectly classified as malicious (from Scenario 1).

Scenario 3: Signature Collision with a WildFire True Positive
A benign file is blocked because its binary structure matches that of a file correctly classified as malicious.

How to Identify the Scenario

1. Check if a Signature is Disabled:

Threat Logs: If logs display the Threat Name as 'unknown', the signature may already be disabled. The name field is populated via API query, and a disabled signature can result in threat logs with no name.
Threat Vault: Disabled signatures typically show as "Threat ID: n/a" and "Current Release: n/a," meaning the signature is no longer present in content updates but may still be active in WildFire Real-Time.
API Query: A Threat Vault API query for the Threat ID may show a status of "inactive", meaning the signature is not available in content updates or WildFire Real-Time, and therefore this is Scenario 0.

2. Obtain the Threat ID: From the threat logs, note the Threat ID of the triggered signature.
3. Search in Threat Vault: Look up the Threat ID in Threat Vault.
4. List of SHA256 Hashes: Threat Vault will show a list of SHA256 hashes for files with a WildFire malicious verdict that match the signature pattern.
5. VirusTotal Search:

If all hashes have low detection counts (e.g., 3 or less, + evaluate its metadata: prevalence, comments, and engine reputability to reach a conclusion), then this is likely Scenario 2.
If any hash has high detection counts (e.g., 4 or more +and the provided metadata is conclusive in determining the hashes are malicious), then this is likely Scenario 1 or 3.
If no hashes are found on VirusTotal, it may be Scenario 2 or 3.

6. Check the File Hash:

Calculate the SHA256 hash of the file triggering the signature and check it in Threat Vault.
If the WildFire verdict is malicious and you are confident the file is benign, this is Scenario 1.
If the WildFire verdict is benign or the file's hash is not listed in Threat Vault, this is a confirmed signature collision (Scenario 2 or 3). Cross-reference with VirusTotal data for more insight.

Resolution

Scenario 0: Update Antivirus and WildFire to the latest Content packages. Ensure that the Dynamic Update schedule is properly configured and that the update server is reachable.

Scenario 1: Submit a Verdict Change Request in WildFire for the affected SHA256 hash. Refer to WildFire Report Incorrect Verdict (virus false positive or false negative) for details.

Scenario 2: Submit a Verdict Change Request in WildFire for any of the hashes listed in Threat Vault. Ensure that all hashes tied to the signature have low VirusTotal detection counts. Refer to WildFire Report Incorrect Verdict (virus false positive or false negative) for details.

Scenario 3:

If the file is confirmed benign, create an Antivirus exception for the Threat ID. Refer to the Create Threat Exceptions documentation for instructions.
If the signature collision is likely to impact other Palo Alto Networks customers, report it to support for potential signature disablement.

Reporting a False Positive to Palo Alto Networks Support

For a faster resolution, gather the following information before submitting a support ticket:

1. Content Version: Provide the current content versions for the Antivirus and WildFire signature packages. Use the CLI command 'show system info' or check the Dashboard widget under “General Information” to find this.

2. File Information:

Provide the sample file triggering the signature, compressed with the password "infected" to avoid issues with host or network security devices.
Alternatively, provide the SHA256 hash if the file cannot be submitted.
If the file is a well-known application, provide a publicly accessible URL to download it.

3. Threat Logs: Export relevant threat logs in CSV format to include with the case. Filter out unnecessary logs to minimize file size.

4. Context:

Is this an internal application or from a trusted third-party?
Is the file signed by a trusted source?
What protocol triggered the detection (HTTP, HTTP2, SMB, FTP, etc.)?
Was the file checked against other reputation sources (e.g., VirusTotal)?

5. Important: If the hash is not in VirusTotal, avoid uploading it to protect sensitive information.

6. Threat Information: Provide a screenshot or text output of the triggered alert from the Threat Logs. Navigate to Monitor > Threat and click the magnifying glass next to the relevant log entry to obtain the necessary details as it is shown in the screen capture below: