How to submit Anti-Virus False Positive


117283
Created On 09/26/18 19:13 PM - Last Modified 10/13/23 11:26 AM


Symptom


On the firewall, the Antivirus profile blocks files that match malicious-file signatures. If you suspect that a blocked file is benign, you can open a case with Palo Alto Networks support to have the file's verdict changed. Changing a file's verdict to benign disables the signature that matched it.



Environment


  • All PAN-OS versions.


Cause


A benign file is detected as malicious.

Resolution


A few essential items are needed before a suspected Antivirus false positive inquiry can begin. Please collect the following data proactively and provide it when opening the case; having it up front expedites the investigation and resolution.

Required artifacts

  • The current content version of the Antivirus and WildFire signature packages, taken from either:
    • the CLI output of 'show system info', or
    • the firewall web UI: Dashboard > General Information widget, which shows the current version information.
  • File information. Any one of the following is sufficient:
    • The actual sample file(s) that trigger each AV signature, compressed (zip) with the password "infected". Any simple zip or compression utility will do. The password protects the archive so that the attachment is not stripped by host- or network-based security devices while it is uploaded to the support system. Also include the SHA-256 hash of the file so its integrity can be confirmed.
    • If the file is a well-known application, a publicly accessible URL. Note that "public application" means a file that can be downloaded without creating an account.
    • If the file contains sensitive information that you do not want to share, the SHA-256 hash of the file. Please note: we might not be able to confirm a suspected false positive if the actual sample is not provided.
  • Threat logs (see the last item in this list).
  • Context around why you suspect the AV alerts on this file are false:
    • Is this your own application, developed by your internal team?
    • Is this file or application from a trusted third party?
    • Is this file signed by a trusted party?
    • Which protocol was in use? Although this can be identified from the threat logs, it is helpful to include it.
    • Was this file analyzed internally? Have you checked any other reputation sources, such as VirusTotal verdicts?
    • IMPORTANT NOTE: If the hash of the file is not already in VirusTotal, we do not recommend uploading the sample to VT. Anything in VT can be seen and downloaded by anyone, which means you would be sharing your information with the public.
  • The name and threat ID of the triggered threat alert. Take a screenshot or text output of the triggered alert from the Threat logs. In the firewall GUI, navigate to the Monitor tab > Threat and click the magnifying glass icon to the left of the desired log entry. This opens the detailed log view with the required information, as shown in the screen capture below:
[Screenshot: Threat log detail view, opened from Monitor > Threat]
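The artifact collection above, as an added shell example that is not part of this article or of any Palo Alto Networks tooling: it hashes the sample, builds the password-protected zip, and writes a case-notes file with the fields the case needs. It assumes zip(1) and sha256sum(1) (or shasum(1)) are installed; the sample content, threat name, threat ID and content-version value in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: package a suspected AV false positive for a support case.
# Assumes zip(1) for the archive and sha256sum(1) or shasum(1) for the hash.
set -eu

# Print only the hex SHA-256 digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# package_sample SAMPLE OUTDIR THREAT_NAME THREAT_ID PROTOCOL CONTENT_VERSION
# Writes OUTDIR/<sample>.zip (password "infected") and OUTDIR/case-notes.txt,
# then prints the SHA-256 of the original, unzipped sample.
package_sample() {
    sample="$1"; outdir="$2"; threat_name="$3"; threat_id="$4"
    proto="$5"; content_version="$6"
    mkdir -p "$outdir"
    base=$(basename "$sample")
    hash=$(sha256_of "$sample")
    if command -v zip >/dev/null 2>&1; then
        # -j drops the directory path; -P sets the legacy zip password. The password
        # only keeps mail/proxy scanners from stripping the attachment; it is not
        # confidentiality, so the SHA-256 in the notes is what proves integrity.
        zip -q -j -P infected "$outdir/$base.zip" "$sample"
    else
        echo "zip not found: create $base.zip with password 'infected' manually" >&2
    fi
    {
        echo "Sample file:            $base"
        echo "SHA-256:                $hash"
        echo "Archive password:       infected"
        echo "AV/WildFire content:    $content_version"
        echo "Threat name:            $threat_name"
        echo "Threat ID:              $threat_id"
        echo "Protocol seen in log:   $proto"
        echo "Sample origin / signer: (fill in: internal build, trusted vendor, code-signed?)"
    } > "$outdir/case-notes.txt"
    echo "$hash"
}

# Usage with a constructed placeholder sample (not real malware):
#   printf 'abc' > ./sample.bin
#   package_sample ./sample.bin ./case "PLACEHOLDER-THREAT-NAME" "PLACEHOLDER-ID" web-browsing "CONSTRUCTED-VERSION"
```

Attach the resulting zip and case-notes.txt to the case together with the threat-log screenshot; the SHA-256 in the notes lets support confirm the sample they received is the one you hashed.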

