Palo Alto Networks Knowledgebase: How to Submit an Anti-Virus False Positive

How to Submit an Anti-Virus False Positive

(924 Views)
Created On 09/26/18 19:13 PM - Last Updated 09/26/18 20:38 PM
Categories:  WildFire

Issue:


Solution:


When submitting a virus false positive report, preemptively gathering data to attach to the case will result in a quicker turnaround time.

 

Collecting a full sample to submit is useful for analysis, as it is fully possible an antivirus signature can trigger for a similarly structured sample as the one that it was initially generated to prevent against; this is to help protect against polymorphic malware.

 

In order to capture the full file, it is required to determine where it is coming from.

Consider a few questions when attempting to capture the file:

  • What protocol is it being transferred over?
  • If HTTP, is it being hosted at a URL that one can access (Check the detailed log view for the signature trigger)? Giving us the URL if it is publicly accessible can help.
  • Is it being sent from a specific source/to a specific destination that one can set up *FULL* packet filter/captures on in order to wait for it to reproduce? (Reference: https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Packet-Capture/ta-p/72069)  

Steps

  1. Collect the output of "show system info" from the CLI of your firewall, or copy the "General Information" pane from the Dashboard of your WebGUI. Put this in the case.
  2. Collect a copy of the file triggering an AV signature. Place the file into a password protected ZIP file (password protecting the ZIP file is to ensure the attachment will not be stripped by any host or network based security devices when it is uploaded to the associated support case.) Make sure that when the file is placed in the case, the password to unzip it is placed there too, or support will be unable to extract the file from the ZIP.
  3. Collect a SHA256/MD5 hash of the offending file. A hash will allow support to ensure the integrity of the file was not impacted during transfer. Place this in the case.
  4. Please provide a screenshot/text output of the triggered threat alert or atleast the threat ID and threat Name from the Threat Logs (Monitor > Threat). Clicking the magnifying glass icon will give you more detail (#1 in the pic below), For example, Threat ID 2000002 | Net-Worm/Win32.Conficker.cr. 
    2016-06-10_virus1.pngThreat Log - Virus detail. Please record or get a screenshot of this information.
  5. Provide context on why it is believed that the file is a false positive. Some examples might include:
    - External reputational sources (Like VirusTotal)
    - The file's origins being within your network (created by a developer internally)
    - The file is signed by a trusted party
    - The file was analyzed internally before being reported

After all of this data has been gathered and placed in the support case, the sample can be analyzed and a verdict can be reached.

Attachments:

Actions:
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3aCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Change Language: