How to submit an Anti-Spyware False Positive

Created On 03/23/23 14:50 PM - Last Modified 10/03/23 07:48 AM


Symptom


Benign network traffic is identified as "spyware" and triggers an Anti-Spyware signature.

Environment


  • All PAN-OS versions.


Cause


Benign traffic can be misidentified as spyware depending on its traffic pattern.

Resolution


Anti-Spyware signatures match on network traffic, so the investigation focuses on the traffic that caused the signature to fire.

If the detection is suspected to be a False Positive, please provide the following information:

  • What is the user trying to do?
  • The "show system info" command output from the CLI, or the tech support file of the firewall.
  • The threat logs.
  • A single-packet pcap associated with the threat log. See: How to Enable Threat Packet Capture for a Specific Anti-Spyware Signature?

NOTE: In some cases, the extended pcap or complete packet captures are required to investigate the issue. See: How to Configure Extended Packet Capture


If the signature is triggering on DNS traffic, please refer to the following article: Can an Antispyware DNS signature/DNS Security verdict, suspected false positive be possibly handled prior to opening support case?
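As an added example that is not part of the original article, the following PAN-OS CLI session collects the items listed above from the firewall: the system information, the threat logs, and a single-packet capture for the Anti-Spyware profile rule that fired. The profile name spyware-fp-case, the rule name block-critical, the pcap file name and the SCP destination are placeholders; the scp export threat-pcap syntax is given from memory and should be confirmed with tab completion on your PAN-OS version.

```console
# 1. Device identification: software and content versions for the support case
admin@PA-VM> show system info

# 2. Threat logs, most recent first; note the threat ID, session ID and pcap_id
admin@PA-VM> show log threat direction equal backward

# 3. Enable single-packet capture on the Anti-Spyware profile rule that fired
#    (placeholders: profile "spyware-fp-case", rule "block-critical";
#     use "packet-capture extended-capture" when Support asks for an extended pcap)
admin@PA-VM> configure
admin@PA-VM# set profiles spyware spyware-fp-case rules block-critical packet-capture single-packet
admin@PA-VM# commit
admin@PA-VM# exit

# 4. After the signature fires again, export the capture referenced by the threat log
#    (assumed syntax; confirm with tab completion on your version)
admin@PA-VM> scp export threat-pcap from <pcap-file> to user@host:/path/
```

Attach the output of steps 1, 2 and 4 to the case together with a description of what the user was doing when the signature fired.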
Additional Information


If the False Positive is happening with a Vulnerability Signature, please refer to the following article: How to Submit a Vulnerability Signature False Positive