Why am I seeing two Anti-Virus signatures triggered for one file when WF real-time is enabled

Created On 03/06/23 23:37 PM - Last Modified 11/06/25 20:48 PM


Question


Why am I seeing two anti-virus signatures triggered for one file when WF real-time is enabled?


Environment


PAN-OS 10.0 and above

Answer


This is caused by a combination of two conditions: (a) the WildFire (WF) real-time setting is enabled on the firewall, and (b) the signature involved is in 'replace' status.
  • Firewall WildFire real-time is enabled.
  • Example: the signature with TID 305248623 has status 'replace' and has two hashes associated with it:
    • a9beed803dc58e06d278e593ec5c5619bdce4b45ec6d8e1697957e9923612711
    • 435052fec38434281ade35a0171d6f352fe44e905552b1ca40839df74e5ddbcb
  • When a sample, 6dab5a397b97b2604d9d7541f02e7548de34e1c53b359263583c0fe0407b5827, is pushed through the firewall again, a new signature is generated with TID 574021117 on 03/02/2023 13:08 PST. Patterns: f2b43291000000000001682900016962000169dbb9e3f455
  • debug dataplane show ctd wf-cache virus-pattern-type ALL
    Virus Pattern (hex encoded): f2b43291000000000001682900016962000169dbb9e3f455
    UTID: 574021117, NPatterns: 1, PatternPos: 0, Disabled: No

    Because WildFire real-time is enabled, the cloud query returns the new signature information, and the firewall management-plane (MP) and dataplane (DP) caches are populated with it.
  • Virus Pattern (hex encoded): 7064660000000000000000000001706b0000000000000000
    UTID: 305248623, NPatterns: 1, PatternPos: 0, Disabled: No

    The two signatures have different patterns, but both trigger on the same file.
  • Once the new signature is generated, the old hash is removed from the previous TID (even for PDFs).

Both signatures, as they appear in the dataplane WildFire cache:

admin@PA-VM> debug dataplane show ctd wf-cache virus-pattern-type ALL

Virus Pattern (hex encoded): 050ace0063fe058b00067cab000000000011400060064200
UTID: 573910297, NPatterns: 1, PatternPos: 0, Disabled: Yes

Virus Pattern (hex encoded): f2b43291000000000001682900016962000169dbb9e3f455
UTID: 574021117, NPatterns: 1, PatternPos: 0, Disabled: No

Virus Pattern (hex encoded): 7064660000000000000000000001706b0000000000000000
UTID: 305248623, NPatterns: 1, PatternPos: 0, Disabled: No

Virus Pattern (hex encoded): 6830316bcddcdccdaaeeccffcddcdccdaaeeccffdeadbeef
UTID: 157123251, NPatterns: 1, PatternPos: 0, Disabled: Yes
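As an added example (not from the article or PAN-OS itself), the following Python parses the `debug dataplane show ctd wf-cache virus-pattern-type ALL` output quoted above into records and, given the TIDs that the threat log reports for a single file, returns which of those TIDs are still enabled in the cache. Two enabled TIDs for one file is the double-alert condition the article describes. The cache text is the article's own dump embedded as sample input; the threat-log TIDs passed in are constructed.

```python
import re
from dataclasses import dataclass

# Sample input: the cache dump quoted in the article, embedded here verbatim.
CACHE_DUMP = """\
admin@PA-VM> debug dataplane show ctd wf-cache virus-pattern-type ALL
Virus Pattern (hex encoded): 050ace0063fe058b00067cab000000000011400060064200
UTID: 573910297, NPatterns: 1, PatternPos: 0, Disabled: Yes

Virus Pattern (hex encoded): f2b43291000000000001682900016962000169dbb9e3f455
UTID: 574021117, NPatterns: 1, PatternPos: 0, Disabled: No

Virus Pattern (hex encoded): 7064660000000000000000000001706b0000000000000000
UTID: 305248623, NPatterns: 1, PatternPos: 0, Disabled: No

Virus Pattern (hex encoded): 6830316bcddcdccdaaeeccffcddcdccdaaeeccffdeadbeef
UTID: 157123251, NPatterns: 1, PatternPos: 0, Disabled: Yes
"""

@dataclass
class CacheEntry:
    utid: int          # threat ID as shown in the threat log
    pattern: str       # hex-encoded virus pattern
    npatterns: int
    pattern_pos: int
    disabled: bool     # "Disabled: Yes" means the entry no longer fires

PATTERN_RE = re.compile(r"Virus Pattern \(hex encoded\): ([0-9a-fA-F]+)$")
UTID_RE = re.compile(r"UTID: (\d+), NPatterns: (\d+), PatternPos: (\d+), Disabled: (Yes|No)$")

def parse_wf_cache(text):
    """Pair each 'Virus Pattern' line with the 'UTID' line that follows it."""
    entries, pattern = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PATTERN_RE.match(line)
        if m:
            pattern = m.group(1)
            continue
        m = UTID_RE.match(line)
        if m and pattern is not None:
            entries.append(CacheEntry(int(m.group(1)), pattern, int(m.group(2)),
                                      int(m.group(3)), m.group(4) == "Yes"))
            pattern = None   # a UTID line closes the current record
    return entries

def active_tids(entries):
    return {e.utid for e in entries if not e.disabled}

def enabled_tids_for_file(entries, reported_tids):
    """TIDs from one file's threat-log hits that are still enabled in the cache (sorted)."""
    active = active_tids(entries)
    return sorted(t for t in set(reported_tids) if t in active)
```

If `enabled_tids_for_file` returns more than one TID for the same file hash, the cache holds an older 'replace' signature alongside the newly generated one, which is the situation shown in the dump.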

Additional Information


When the new signature is generated, the sample from the old one is removed. 

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kHESCA2&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail