How To Provide Evidence Of An Incorrect WildFire Verdict From VirusTotal

Created On 06/21/21 18:35 PM - Last Modified 07/19/22 04:48 AM


Objective


Gather additional sample details from VirusTotal, to provide evidence of an incorrect file verdict when submitting WildFire Verdict change.



 


Environment


  • WildFire Service
  • WildFire Incorrect Verdict Change Submission


Procedure


1. Identify the File Hash from one of the sources below

From PAN-OS WebUI: (Monitor>Logs>WildFire Submissions)

User-added image

From A WildFire PDF Report:

User-added image


2. Visit VirusTotal and search the Hash found in Step 1 to confirm the current coverage information

NOTE: IF THE HASH IS NOT IN VIRUSTOTAL, WE DO NOT RECOMMEND UPLOADING THE SAMPLE TO VIRUSTOTAL. ANYONE CAN VIEW AN UPLOADED SAMPLE, AND USERS WITH DOWNLOAD RIGHTS CAN DOWNLOAD IT. SEARCHING BY HASH ONLY SENDS THE HASH, NOT THE FILE.

IF YOU STILL CHOOSE TO UPLOAD THE SAMPLE TO VIRUSTOTAL, PLEASE UNDERSTAND THE ABOVE BEFORE CONTINUING.


In this example, WildFire deemed the file malicious, so it is a potential False Positive: VirusTotal shows 0 of 57 AV vendors detecting the same hash as malicious.

User-added image

3. Attach results as evidence when reporting the incorrect verdict in the "Please include any comments that may help us understand the issue" field.

Below is an example of this information being included in the report.

User-added image
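The hash lookup in Step 2 can also be done from the command line, which keeps the sample itself off VirusTotal. The following Python script is an added example and is not part of this article or of Palo Alto Networks' tooling. It computes the SHA-256 locally, queries the VirusTotal v3 file endpoint by hash only (GET /api/v3/files/{hash} with an x-apikey header, as assumed here), and formats the detection counts into the text for the comments field in Step 3. A 404 is reported as "not on VirusTotal" and the script deliberately has no upload path. The embedded report is a constructed sample that mimics the v3 response shape; the engine total is computed from the malicious, suspicious, undetected and harmless counters, which is an assumption about how VirusTotal's "x / N" figure is derived.

```python
"""Gather VirusTotal evidence for a WildFire verdict-change request by hash only.

Added example, not Palo Alto Networks' or VirusTotal's code. Assumes the
VirusTotal v3 endpoint GET /api/v3/files/{hash} with an 'x-apikey' header
and a JSON body carrying data.attributes.last_analysis_stats.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"  # assumed v3 endpoint

# Constructed sample response (not real VirusTotal data): 0 of 57 engines
# flag the file, the situation shown in the article's screenshot.
SAMPLE_REPORT = {
    "data": {
        "id": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "attributes": {
            "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "last_analysis_stats": {"malicious": 0, "suspicious": 0,
                                    "undetected": 57, "harmless": 0},
        },
    }
}


def sha256_of_bytes(data: bytes) -> str:
    """Lowercase hex SHA-256 of in-memory bytes (matches the WildFire log hash)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_hash(sha256: str, api_key: str) -> Optional[dict]:
    """Fetch the existing VirusTotal report for a hash.

    Only the hash leaves the host; the sample is never transmitted.
    Returns None on HTTP 404 (hash unknown to VirusTotal). There is
    intentionally no upload fallback, because an upload makes the sample
    visible and downloadable to other VirusTotal users.
    """
    req = urllib.request.Request(VT_FILE_URL.format(sha256),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def classify(wildfire_verdict: str, malicious_engines: int) -> str:
    """Label the disagreement between the WildFire verdict and VT engine votes."""
    if wildfire_verdict == "malicious" and malicious_engines == 0:
        return "possible false positive"
    if wildfire_verdict == "benign" and malicious_engines > 0:
        return "possible false negative"
    return "verdicts consistent"


def summarize_report(report: dict, wildfire_verdict: str) -> str:
    """Render the evidence text to paste into the verdict-change comments field."""
    data = report["data"]
    stats = data["attributes"]["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    # Assumption: VT's "x / N" engine count is the sum of these four buckets.
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious",
                                          "undetected", "harmless"))
    sha = data["attributes"].get("sha256", data.get("id", ""))
    return (f"SHA-256: {sha}\n"
            f"WildFire verdict: {wildfire_verdict}\n"
            f"VirusTotal: {malicious} of {total} engines flag the file as malicious\n"
            f"Assessment: {classify(wildfire_verdict, malicious)}")


if __name__ == "__main__":
    # Usage: VT_API_KEY=... python vt_evidence.py <sample-path> <wildfire-verdict>
    if len(sys.argv) != 3 or "VT_API_KEY" not in os.environ:
        sys.exit("usage: VT_API_KEY=<key> vt_evidence.py <sample> <malicious|benign>")
    digest = sha256_of_file(sys.argv[1])
    result = lookup_hash(digest, os.environ["VT_API_KEY"])
    if result is None:
        print(f"{digest}: not on VirusTotal; do not upload the sample, "
              "submit the WildFire verdict change without VT evidence.")
    else:
        print(summarize_report(result, sys.argv[2]))
```

Paste the printed block into the "Please include any comments that may help us understand the issue" field; the hash line lets the analyst match it against the WildFire Submissions log entry.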

 



Additional Information


WILDFIRE REPORT INCORRECT VERDICT (VIRUS FALSE POSITIVE OR FALSE NEGATIVE)
