How To Provide Evidence Of An Incorrect WildFire Verdict From VirusTotal
Created On 06/21/21 18:35 PM - Last Modified 07/19/22 04:48 AM
Objective
Gather additional sample details from VirusTotal to provide evidence of an incorrect file verdict when submitting a WildFire verdict change request.
Environment
- WildFire Service
- WildFire Incorrect Verdict Change Submission
Procedure
1. Identify the File Hash from one of the sources below
- PAN-OS WebUI
- WildFire PDF Report
- WildFire Portal
- Cortex XDR Interface
From PAN-OS WebUI: (Monitor>Logs>WildFire Submissions)
2. Visit VirusTotal and search for the hash found in Step 1 to confirm the current coverage information.
NOTE: IF THE HASH IS NOT IN VIRUSTOTAL, WE DO NOT RECOMMEND UPLOADING THE SAMPLE TO VIRUSTOTAL, AS ANYONE CAN VIEW IT AND USERS WITH DOWNLOAD RIGHTS CAN DOWNLOAD THESE SAMPLES.
IF THE CUSTOMER STILL CHOOSES TO UPLOAD THE SAMPLE TO VIRUSTOTAL, PLEASE UNDERSTAND THE ABOVE BEFORE CONTINUING.
In this example, the file is a potential False Positive (WildFire deemed it malicious), while VirusTotal shows 0 out of 57 AV vendors deeming it malicious.
3. Attach results as evidence when reporting the incorrect verdict in the "Please include any comments that may help us understand the issue" field.
Below is an example of this information being included in the report.
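The lookup and evidence summary from Steps 2 and 3 can be scripted. The example below is added here and is not part of this article or a Palo Alto Networks tool: it queries an existing hash on the VirusTotal v3 files endpoint (read-only; it never uploads a sample) and formats the detection counts and flagging engines into the text pasted into the comments field. The embedded SAMPLE_REPORT is a constructed stand-in for a real VirusTotal response, and the VT_API_KEY environment variable is an assumption of this script.

```python
import json
import os
import sys
import urllib.request

# Constructed sample mirroring the shape of a VirusTotal v3 file report
# (data.attributes.last_analysis_stats / last_analysis_results). Not a real lookup.
SAMPLE_REPORT = {"data": {"attributes": {
    "sha256": "<placeholder-sha256-from-wildfire-submissions-log>",
    "last_analysis_stats": {"malicious": 0, "suspicious": 0, "undetected": 57, "harmless": 0},
    "last_analysis_results": {
        "EngineA": {"category": "undetected", "result": None},
        "EngineB": {"category": "undetected", "result": None},
    },
}}}


def fetch_report(sha256, api_key):
    """Look up a hash that is already on VirusTotal (GET only, no sample upload)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_report(report, wildfire_verdict):
    """Build the evidence text for the verdict-change form from a VT file report."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    # Engines that returned a verdict (the denominator VirusTotal displays).
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    flagged = sorted(name for name, r in attrs["last_analysis_results"].items()
                     if r["category"] in ("malicious", "suspicious"))
    if wildfire_verdict == "malicious" and not flagged:
        disputed = "false positive"
    elif wildfire_verdict == "benign" and flagged:
        disputed = "false negative"
    else:
        disputed = "no disagreement"
    text = "\n".join([
        f"SHA256: {attrs['sha256']}",
        f"WildFire verdict: {wildfire_verdict}",
        f"VirusTotal: {stats['malicious']} malicious, {stats['suspicious']} suspicious of {total} engines",
        f"Engines flagging the file: {', '.join(flagged) or 'none'}",
        f"Suspected: {disputed}"])
    return {"total": total, "flagged": flagged, "disputed": disputed, "text": text}


if __name__ == "__main__":
    # Usage: VT_API_KEY=... python vt_evidence.py <sha256> <wildfire verdict>; no args uses the sample.
    if len(sys.argv) == 3 and os.environ.get("VT_API_KEY"):
        report = fetch_report(sys.argv[1], os.environ["VT_API_KEY"])
        print(summarize_report(report, sys.argv[2])["text"])
    else:
        print(summarize_report(SAMPLE_REPORT, "malicious")["text"])
```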
Additional Information
WILDFIRE REPORT INCORRECT VERDICT (VIRUS FALSE POSITIVE OR FALSE NEGATIVE)