Handling Suspected False Positives for AntiSpyware DNS Signatures/DNS Security Verdicts Before Opening a Support Case
17459
Created On 07/03/20 20:52 PM - Last Modified 07/23/24 20:46 PM
Question
Before opening a support case, is there a way to handle a potential False Positive for AntiSpyware DNS Signatures and DNS Security verdicts?
Environment
- PAN-OS 9.0 or higher (DNS Security)
- PAN-OS 8.0 or higher (Antispyware DNS signatures)
- Valid Threat Prevention License
Answer
Before opening a support case for suspected false positives related to AntiSpyware DNS Signatures or DNS Security verdicts, it's recommended to review the current URL category.
If the URL is categorized as malicious, you can request a category change by providing the necessary details on urlfiltering.paloaltonetworks.com.
- If the category change request is approved and the URL is classified as benign, this should automatically disable the corresponding DNS signature and also correct the DNS Security verdict (if applicable).
For example, if a URL initially categorized as "Malware" is reclassified to "Business and Economy" due to a confirmed false positive, the following changes are expected:
- Disabling of the content-based DNS Signature (This change takes effect in future content updates, which are released once daily.)
- Correction of the DNS Security verdict
- In a scenario where the category reclassification request is not accepted, but you still suspect a false positive, you should open a support case and provide additional relevant information for investigation.
If applying an exception is deemed necessary, you can implement the following:
- Threat/DNS Exception using the DNS signature Unique Threat ID (only for content-based DNS signatures, which are updated once a day)
- Threat Exception for DNS Security using FQDN (Fully Qualified Domain Name)
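The first step above, checking the domain's current URL category before deciding between a recategorization request and a support case, is easy to script when several suspected false positives arrive at once. The following is an added example and not Palo Alto Networks code: it assumes the PAN-OS XML API operational command `<test><url>DOMAIN</url></test>` (the API form of the CLI command `test url`) reached at `/api/` with `type=op` and an API key, and it assumes the response body shape shown in the constructed `SAMPLE_RESPONSE`; verify both against your PAN-OS version before relying on the parser.

```python
"""Triage a suspected DNS signature / DNS Security false positive by checking
the domain's current URL category first, as the article recommends.

Added example, not Palo Alto Networks code. Assumptions:
  * the PAN-OS XML API operational command <test><url>DOMAIN</url></test>
    (API form of the CLI command `test url`), reached at /api/ with type=op
    and an API key;
  * a <result> body with one line per database of the shape shown in
    SAMPLE_RESPONSE below (constructed for this example, not captured).
"""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# URL categories that justify a malicious DNS verdict. Constructed set for the
# example; align it with the categories your Anti-Spyware / DNS Security profile acts on.
MALICIOUS_CATEGORIES = {"malware", "command-and-control", "phishing", "grayware"}

# Constructed sample of a 'test url' API response (format assumed, not captured).
SAMPLE_RESPONSE = """<response status="success"><result>
example.test malware (Base db) expires in 3600 seconds
example.test malware (Cloud db)
</result></response>"""


def build_test_url_request(firewall, api_key, domain):
    """Return the GET URL for the assumed XML API 'test url' operational command."""
    cmd = "<test><url>%s</url></test>" % domain
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": api_key})
    return "https://%s/api/?%s" % (firewall, query)


def parse_test_url_response(xml_text):
    """Return {"base": category, "cloud": category} parsed from the response.

    Raises ValueError when the API reports a failure; a database whose line is
    missing is simply absent from the dict.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed: %s" % xml_text.strip())
    result = root.findtext("result") or ""
    categories = {}
    for line in result.splitlines():
        # e.g. "example.test malware (Base db) expires in 3600 seconds"
        m = re.search(r"\s(\S+)\s+\((Base|Cloud) db\)", line)
        if m:
            categories[m.group(2).lower()] = m.group(1).lower()
    return categories


def next_step(categories):
    """Map the category lookup to the action the article describes.

    The cloud database is authoritative when present; the base (local) db is
    the fallback. Returns (action, explanation).
    """
    category = categories.get("cloud") or categories.get("base")
    if category is None:
        return ("support-case",
                "no URL category returned; open a support case with the domain "
                "and the matching Threat log entry")
    if category in MALICIOUS_CATEGORIES:
        return ("recategorize",
                "URL category '%s' backs the DNS verdict; submit a category change "
                "request at urlfiltering.paloaltonetworks.com, then wait for the next "
                "daily content update before re-checking the DNS signature" % category)
    return ("support-case",
            "URL category '%s' is not malicious, so a recategorization request does "
            "not apply; open a support case with the Unique Threat ID and FQDN from "
            "the Threat log" % category)


def triage(firewall, api_key, domain, timeout=10):
    """Live lookup against a firewall; returns (action, explanation)."""
    url = build_test_url_request(firewall, api_key, domain)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        xml_text = resp.read().decode("utf-8", "replace")
    return next_step(parse_test_url_response(xml_text))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    cats = parse_test_url_response(SAMPLE_RESPONSE)
    print(cats)
    print(next_step(cats))
```

Run `triage(firewall, api_key, domain)` per suspected domain; the returned action tells you whether to file the category change request first or go straight to a support case, and the explanation lists what to attach (Unique Threat ID for a content-based signature, FQDN for a DNS Security verdict).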
Additional Information
What categories will be displayed when you filter Threat logs by DNS Security Category?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000samnCAA&lang=en_US