
How to use the Antivirus Content Release Notes to find Antivirus/Spyware C2 DNS signatures of interest

Created On 10/29/21 18:07 PM - Last Modified 11/14/22 23:00 PM


Objective


  • To check the Antivirus Content Release notes for signature/content changes made due to false positive conditions or otherwise.
  • This article will help you become acquainted with the contents of the Antivirus release notes and with how to browse them for items of interest.


Environment


  • Palo Alto Firewalls or Panorama
  • PAN-OS 9.1, 10.0, 10.1, 10.2
  • Threat Prevention License


Procedure


  1. Antivirus Signatures
  • Antivirus signatures are categorized by their malware group/category.
  • The malware group/categories are identified by the auto signature generation server when the signature is generated.
  • These categories can contain thousands of variants in any particular Antivirus content release.
  • The best way to search the Antivirus Content Release Notes is to search by the variant of interest. 
  • The variant can be identified as the portion of an Antivirus signature name after the last period (.).

Example:

  • The signature “Generic/Win32.favk.daf”, released in Antivirus content version 3884, is identified by its malware group/category (Generic/Win32.favk); its variant is .daf.

[Image: Example-AV-Sig-lookup.png]

  • By searching the variant, one can associate the variant to the malware group/category to identify if a signature has been released into the Antivirus content database or if it has been removed.
  • For some malware groups/categories, a significant number of variants are added to the group or removed from it in a single release, so you may have to scroll up or down to see the malware group/category name.

[Image: MalwareGroup-variantCount.png]

  • The beginning of every variant list contains the number of variants and the variant list is in alphabetical order.

 

  2. Spyware DNS C2 Signatures
  • For Spyware C2 signatures, customers can search using the entire domain in question or the whole signature name.

[Image: SpywareSignatureSearch.png]

  3. IPs in PanOS provided EDLs
  • For the IPs identified in the various EDLs hosted by Palo Alto Networks, one can run a search for the specific IPs themselves.

[Image: IPSearchInContentRelease.png]

 

  4. Content Release Notes Sections
  • There are different sections within each Antivirus Content Release Notes package. Each section identifies the type of content being referenced, whether that content is being added or removed (New or Old), and how many entries are listed in the section.
  • The number of entries is given in parentheses after the section header.

The term “NEW” identifies content being added:

  • New Antivirus Signatures — Antivirus signatures added to the content database
  • New Spyware DNS C2 Signatures — C2 signatures added to the content database
  • New Spyware Autogen C2 Signatures — C2 signatures that were auto-generated being added to the content database
  • New IP Malicious IP feed — Malicious IPs added to the “Known Malicious IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
  • New IP Suspicious IP feed — Suspicious IPs added to the “High risk IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
  • New IP Bulletproof IP feed — Identified Bulletproof IPs added to the “Bulletproof IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
  • New IP Tor exit IP feed — Tor Exit node IPs added to the “Tor exit IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists

The term “Old” identifies content being removed:

  • Old Antivirus Signatures — Antivirus signatures removed from the content database
  • Old Spyware DNS C2 Signatures — C2 signatures removed from the content database
  • Old Spyware Autogen C2 Signatures — C2 signatures that were auto-generated being removed from the content database
  • Old IP Malicious IP feed — Malicious IPs removed from the “Known Malicious IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
  • Old IP Suspicious IP feed — Suspicious IPs removed from the “High risk IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
  • Old IP Bulletproof IP feed — Identified Bulletproof IPs removed from the “Bulletproof IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
  • Old IP Tor exit IP feed — Tor Exit node IPs removed from the “Tor exit IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
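As an added example (not from this article or from Palo Alto Networks), the following Python script applies the two rules described above: a signature name splits at its last period into malware group/category and variant, and each release-notes section is headed by a New/Old label with its entry count in parentheses. The release-notes text is constructed here and its line layout (header line, then one full signature name per line) is an assumption made for the example; it checks that each section's declared count matches the entries actually listed, and reports the section and group/category in which a variant of interest appears.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout this example ASSUMES for exported release notes:
# a section header with the entry count in parentheses, then one signature per line.
SAMPLE_NOTES = """\
New Antivirus Signatures (3)
Generic/Win32.favk.daf
Generic/Win32.favk.dag
Trojan/Win32.agent.abc
Old Antivirus Signatures (1)
Generic/Win32.favk.cz
"""

HEADER_RE = re.compile(r"^(New|Old) (.+?) \((\d+)\)$")


def split_signature(name: str) -> Tuple[str, str]:
    """Group/category is everything before the last period; the variant follows it."""
    group, _, variant = name.rpartition(".")
    return group, variant


def parse_notes(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Map each section name to (declared entry count, signature names listed under it)."""
    sections: Dict[str, Tuple[int, List[str]]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = (int(m.group(3)), [])
        elif line and current is not None:
            sections[current][1].append(line)
    return sections


def find_variant(text: str, variant: str) -> List[Tuple[str, str]]:
    """(section, group/category) pairs whose signature carries this variant: a New
    section means the signature was added, an Old section means it was removed."""
    return [(section, split_signature(name)[0])
            for section, (_, names) in parse_notes(text).items()
            for name in names if split_signature(name)[1] == variant]


def count_mismatches(text: str) -> List[str]:
    """Sections whose header count disagrees with the entries actually listed."""
    return [s for s, (declared, names) in parse_notes(text).items()
            if declared != len(names)]
```

A non-empty result from count_mismatches indicates a truncated or badly exported notes file, so the variant search should not be trusted for those sections.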

