How to submit Anti-Virus False Positive


68287
Created On 09/26/18 19:13 PM - Last Modified 12/04/20 18:55 PM


Symptom
On the firewall, the Anti-Virus profile blocks malicious files. If you suspect that a blocked file is benign, you can open a case with Palo Alto Networks support to have the file's verdict changed and the signature disabled.

Environment
  • All PAN-OS versions.


Cause
A pattern in a benign file matched a signature written for a malware file.

Resolution

A False Positive submission is resolved more quickly if the following data is collected proactively and uploaded to the case.
 
Steps

  1. The current versions of the Anti-Virus and WildFire signature packages. The CLI output of 'show system info', or the firewall's "Dashboard Widget --> General Information", shows the current version information.
  2. The protocol in use when the file was blocked. This can be identified from the threat logs, but it is useful to state it explicitly.
  3. File information: any of the following provides the file information; use whichever method is feasible. One of the following is enough.
    1. The actual sample file that triggers each AV signature, compressed (zip) with the password "infected". You can use any simple zip or compression utility. Password-protecting the ZIP file ensures the attachment is not stripped by host- or network-based security devices when it is uploaded. Along with the file, add its sha256 hash so the integrity of the file can be verified.
    2. For a public application whose software is downloaded, a publicly accessible URL is useful. A "public application" here means one whose file can be downloaded without creating an account.
    3. If the file contains sensitive information that you do not want to share, provide the sha256 hash of the file. Note that we might not be able to confirm the False Positive if the actual sample is not provided.
  4. Threat logs: export the threat log for these events in CSV format and upload it to the case. Filter the export down to the relevant logs only; unnecessary logs make the file large and hard to upload.
    1. How to export the log from the firewall: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clj3CAC
  5. Context around why you suspect these AV alerts are false positives:
    1. Is this your application, developed by your internal team?
    2. Is this file or application from a trusted 3rd party?
    3. Is this file signed by a trusted party?
    4. Has this file been analyzed internally? Have you checked any other reputational source, such as the VirusTotal verdict? (If the file contains sensitive information, refrain from uploading it to VirusTotal.)
  6. Provide the name and threat ID of the triggered threat alert. Take a screenshot or text output of the triggered alert from the Threat logs (Monitor > Threat). Clicking the magnifying glass icon shows more details, as in the picture below, for example Threat ID 377248044 and Threat name Virus/Win32.WGeneric.aplnvy.
Detailed view of Virus threat logs
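Much of the data collection above can be scripted. This added example (not from the article or from Palo Alto Networks) hashes the blocked sample, pulls the package versions out of 'show system info' output and filters a CSV export of the Threat log down to the one threat ID being disputed, producing a manifest for the case. The version field names and the CSV column headers are assumptions about the export format, and all inputs are constructed.

```python
import csv
import hashlib
import io
import re

# Constructed excerpt of 'show system info' output (only the fields the case needs).
SHOW_SYSTEM_INFO = """\
sw-version: 10.1.0
av-version: 3900-4406
wildfire-version: 0
threat-version: 8400-7000
"""
# Constructed CSV export of the Threat log; a real export carries more columns.
THREAT_LOG_CSV = """\
Receive Time,Type,Threat/Content Name,Threat/Content Type,Application,Threat ID,Action
2020/12/04 10:00:01,threat,Virus/Win32.WGeneric.aplnvy,virus,web-browsing,377248044,reset-both
2020/12/04 10:00:05,threat,Windows Executable (EXE) detected,file,web-browsing,52020,alert
2020/12/04 10:01:10,threat,Virus/Win32.WGeneric.aplnvy,virus,smtp,377248044,reset-both
"""
# Constructed stand-in for the blocked sample file.
SAMPLE_FILE = b"MZ\x90\x00 constructed benign sample, not a real executable\n"
VERSION_FIELDS = ("sw-version", "av-version", "wildfire-version", "threat-version")

def parse_versions(show_system_info):
    """Pull the package versions (step 1) out of 'show system info' output."""
    versions = {}
    for line in show_system_info.splitlines():
        m = re.match(r"^([\w-]+):\s*(.+?)\s*$", line)
        if m and m.group(1) in VERSION_FIELDS:
            versions[m.group(1)] = m.group(2)
    return versions

def filter_threat_log(csv_text, threat_id):
    """Keep only the Threat log rows for the signature in question (step 4)."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if r["Threat ID"] == threat_id]

def build_manifest(sample, show_system_info, csv_text, threat_id):
    """Assemble what the case asks for: sha256 (step 3), versions (step 1),
    protocols seen (step 2) and the matching log rows (steps 4 and 6)."""
    hits = filter_threat_log(csv_text, threat_id)
    return {
        "sha256": hashlib.sha256(sample).hexdigest(),
        "versions": parse_versions(show_system_info),
        "threat_id": threat_id,
        "threat_name": sorted({r["Threat/Content Name"] for r in hits}),
        "protocols": sorted({r["Application"] for r in hits}),
        "log_rows": hits,
    }
# The sample itself is attached as a zip with password "infected", for example
# `zip -P infected sample.zip sample.bin`, alongside the sha256 from the manifest.
```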

