Palo Alto Networks Knowledgebase: WildFire report incorrect verdict (virus false positive or false negative)

Created On 02/07/19 23:36 PM - Last Updated 02/07/19 23:36 PM
WildFire
Resolution

 

WildFire may occasionally produce an incorrect verdict: a false positive, where a file is deemed 'malware' although it is 'benign', or a false negative, where a file is deemed 'benign' although it is 'malware'.

If you believe a verdict should be reconsidered by Palo Alto Networks, you can report it through the WildFire portal or through the PAN-OS WebUI. This feature has been available since PAN-OS 6.0.

 

Reporting incorrect verdict from PAN-OS WebUI

This method assumes that your firewall has connectivity to the internet.

Go to the Monitor tab, then select 'WildFire Submissions' in the navigation tree.

Once the file has been found in the list, open its details by clicking the magnifying glass icon on the left.


The 'Detailed Log View' window will open.

Click the VirusTotal link under 'Coverage Status'. This shows whether the file has already been observed by third-party vendors and what verdict they returned for the very same file.


In our example, the file is not found in VirusTotal. Go back to the previous window and select 'Download File' to obtain the sample; we will submit it to VirusTotal ourselves to get their verdict. Be aware that a sample uploaded to VirusTotal is shared with VirusTotal's partner vendors, so if the file may contain proprietary or confidential data, check your organisation's policy before uploading it rather than only looking up its hash.


The downloaded file is named [SHA-256].extension.samplenumber. In our example: 5a8207c2fcb904e1ef295fd61eb4c90c37e081acc6a18377a588b40079ce0553.exe.000. The trailing .000 keeps the file from being executed by mistake. Do not rename the file to .exe and execute it: if the file is malicious, it will infect your computer. Handle the sample only on a machine or VM set aside for analysis, and confirm that the SHA-256 of the downloaded content matches the hash in the file name before submitting it anywhere.


On the VirusTotal page, select "Take me back to the main page"


Choose the sample file and submit it to VirusTotal by selecting "Scan it!"


VirusTotal shows the results of the scan. In this example, WildFire deemed the file malicious while 0 of 57 AV engines on VirusTotal flag it, so the WildFire verdict is a likely false positive. Treat the detection ratio as supporting evidence rather than proof: a freshly uploaded sample can have 0 detections simply because no vendor has seen it yet, so include any other context you have (where the file came from, its publisher, whether it is code-signed) in your report.


Go back to the WildFire Analysis Report, and click on "report an incorrect verdict."


The "Report Incorrect Verdict" form will open. Enter your e-mail address and add details explaining why you believe the WildFire verdict to be incorrect, citing the VirusTotal detection ratio you obtained (here 0/57) to substantiate the claim. Click OK to complete your submission.
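The sample-handling and VirusTotal cross-check steps above (which are the same whether you start from the PAN-OS WebUI or from the WildFire portal), as an added Python example that is not Palo Alto Networks code and not part of the original article. It parses the WildFire download name, verifies that the downloaded bytes hash to the SHA-256 embedded in that name, refuses a sample that has been renamed to a bare .exe, and turns a VirusTotal result into the detection ratio quoted in the report form. The `vt_lookup` function assumes the current VirusTotal v3 API (`GET /api/v3/files/{sha256}` with an `x-apikey` header and a `data.attributes.last_analysis_stats` block), which the article's older screenshots do not show; the sample bytes, file name and stats are constructed for the demo, and `FN_THRESHOLD` is an arbitrary choice.

```python
"""Helpers for the VirusTotal cross-check in a WildFire verdict dispute.

Added example, not Palo Alto Networks code. Assumes a WildFire download name
of the form <sha256>.<original-ext>.<sample-number> and the VirusTotal v3
JSON layout (data.attributes.last_analysis_stats).
"""
import hashlib
import json
import re
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

# WildFire names downloaded samples <sha256>.<original-ext>.<nnn>; the numeric
# suffix stops the OS from treating the file as an executable.
SAMPLE_NAME_RE = re.compile(r"^(?P<sha256>[0-9a-f]{64})\.(?P<ext>[^.]+)\.(?P<num>\d{3})$")

# Assumed threshold: this many VT engines flagging a WildFire 'benign' file is
# worth a false-negative report. Tune to your own policy.
FN_THRESHOLD = 5


def parse_sample_name(name: str) -> Optional[Dict[str, str]]:
    """Split a WildFire sample file name into hash, original extension and
    sample number. Returns None if the name was altered (e.g. the .000 suffix
    stripped), which is exactly the rename the article warns against."""
    m = SAMPLE_NAME_RE.match(name.lower())
    return m.groupdict() if m else None


def sample_matches_name(name: str, data: bytes) -> bool:
    """True only if the file name is intact and the bytes hash to the SHA-256
    embedded in it, so the wrong file is never uploaded or disputed."""
    parts = parse_sample_name(name)
    return parts is not None and hashlib.sha256(data).hexdigest() == parts["sha256"]


def detection_ratio(stats: Dict[str, int]) -> Tuple[int, int]:
    """(flagged, total) from a VT v3 last_analysis_stats block. 'malicious' and
    'suspicious' count as flagged; engines that timed out or do not support the
    file type are left out of the total so the ratio matches the VT UI."""
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    return flagged, total


def dispute_summary(wildfire_verdict: str, stats: Dict[str, int]) -> str:
    """One-line justification for the 'Report Incorrect Verdict' form, or ''
    when the VirusTotal numbers do not actually contradict WildFire."""
    flagged, total = detection_ratio(stats)
    if total == 0:
        return ""  # VT has no completed scans: nothing to cite
    ratio = f"{flagged}/{total}"
    if wildfire_verdict == "malware" and flagged == 0:
        return f"Possible false positive: WildFire=malware, VirusTotal detection ratio {ratio}"
    if wildfire_verdict == "benign" and flagged >= FN_THRESHOLD:
        return f"Possible false negative: WildFire=benign, VirusTotal detection ratio {ratio}"
    return ""


def vt_lookup(sha256: str, api_key: str) -> Optional[Dict[str, int]]:
    """Fetch last_analysis_stats for a hash from the VirusTotal v3 API (assumed
    endpoint; not exercised offline). Looking the hash up first avoids uploading,
    and thereby sharing with VT's partners, a file VT already knows. Returns None
    when VT has never seen the hash (HTTP 404)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    return body["data"]["attributes"]["last_analysis_stats"]


# Constructed demo data (not a real sample): hash a small byte string and name it
# the way WildFire would, then mirror the article's 0/57 VirusTotal result.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"not a real program"
SAMPLE_NAME_OK = hashlib.sha256(SAMPLE_BYTES).hexdigest() + ".exe.000"
VT_STATS_CLEAN = {"malicious": 0, "suspicious": 0, "undetected": 57,
                  "harmless": 0, "timeout": 0}
# The article's own example file name.
ARTICLE_NAME = "5a8207c2fcb904e1ef295fd61eb4c90c37e081acc6a18377a588b40079ce0553.exe.000"

if __name__ == "__main__":
    print(parse_sample_name(ARTICLE_NAME))
    print("sample intact:", sample_matches_name(SAMPLE_NAME_OK, SAMPLE_BYTES))
    print("renamed to .exe accepted:", sample_matches_name(SAMPLE_NAME_OK[:-4], SAMPLE_BYTES))
    print(dispute_summary("malware", VT_STATS_CLEAN) or "(no contradiction)")
```

Run it against a real download by reading the file bytes and passing the unaltered file name to `sample_matches_name`; if that returns False, you either have the wrong sample or it has been renamed, and nothing should be uploaded or reported until that is resolved. With an API key, `vt_lookup` replaces the manual "Scan it!" step for hashes VirusTotal already knows, and only an unknown hash (a `None` result) needs the upload described above.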


Reporting incorrect verdict from WildFire Portal

 

Browse to: https://wildfire.paloaltonetworks.com/wildfire/dashboard

Select the "Reports" tab.


Enter the SHA-256 in the search box:


Once the report is found, click the square icon on the left to open it:



From this point the procedure is identical to the PAN-OS WebUI method above. Click the VirusTotal link under 'Coverage Status' to see whether third-party vendors have observed the file and what verdict they returned. If, as in our example, the file is not found in VirusTotal, select 'Download File' on the previous window to obtain the sample, which is named [SHA-256].extension.samplenumber (5a8207c2fcb904e1ef295fd61eb4c90c37e081acc6a18377a588b40079ce0553.exe.000 in our example). Do not rename it to .exe or execute it; submit it to VirusTotal as downloaded ("Take me back to the main page", then "Scan it!") and note the detection ratio, which in our example is 0 of 57 AV engines against a WildFire verdict of malicious.

Then go back to the WildFire Analysis Report, click "report an incorrect verdict", and in the "Report Incorrect Verdict" form enter your e-mail address and the details that explain why you believe the WildFire verdict to be incorrect, substantiated by the VirusTotal detection ratio. Click OK to complete your submission.


owner: mivaldi



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm7KCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail