How to use the Antivirus Content Release Notes to find Antivirus/Spyware C2 DNS signatures of interest
Created On 10/29/21 18:07 PM - Last Modified 11/14/22 23:00 PM
Objective
- To check the Antivirus Content Release Notes for signature/content changes made because of false-positive conditions or for other reasons.
- This article will help you become acquainted with the contents of the Antivirus release notes and how to browse them for items of interest.
Environment
- Palo Alto Firewalls or Panorama
- PAN-OS 9.1, 10.0, 10.1, 10.2
- Threat Prevention License
Procedure
- Antivirus Signatures
- Antivirus signatures are categorized by their malware group/category.
- The malware group/categories are identified by the auto signature generation server when the signature is generated.
- These categories can contain thousands of variants in any particular Antivirus content release.
- The best way to search the Antivirus Content Release Notes is to search by the variant of interest.
- The variant can be identified as the portion of an Antivirus signature name after the last period (.).
Example:
- The signature “Generic/Win32.favk.daf”, which was released in Antivirus content version 3884, is identified by its malware group/category (Generic/Win32.favk); its variant is .daf.
- By searching for the variant, one can associate it with its malware group/category and determine whether a signature has been released into the Antivirus content database or removed from it.
- For some malware groups/categories, a significant number of variants are added to or removed from the group in one release, so you may need to scroll up or down to find the malware group/category name.
- The beginning of every variant list states the number of variants, and the variant list is in alphabetical order.
- Spyware DNS C2 Signatures
- For Spyware C2 signatures, customers can search using the entire domain in question or the whole signature name.
- IPs in PanOS provided EDLs
- For the IPs identified in the various EDLs hosted by Palo Alto Networks, one can run a search for the specific IPs themselves.
- Content Release Notes Sections
- There are different sections within each Antivirus Content Release Notes package. Each section identifies the type of content being referenced, whether the content is being added or removed (New or Old), and how many entries are listed in the section.
- The number of entries is in parentheses after the section header.
The term “New” identifies content being added:
- New Antivirus Signatures — Antivirus signatures added to the content database
- New Spyware DNS C2 Signatures — C2 signatures added to the content database
- New Spyware Autogen C2 Signatures — C2 signatures that were auto-generated being added to the content database
- New IP Malicious IP feed — Malicious IPs added to the “Known Malicious IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
- New IP Suspicious IP feed — Suspicious IPs added to the “High risk IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
- New IP Bulletproof IP feed — Identified Bulletproof IPs added to the “Bulletproof IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
- New IP Tor exit IP feed — Tor Exit node IPs added to the “Tor exit IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
The term “Old” identifies content being removed:
- Old Antivirus Signatures — Antivirus signatures removed from the content database
- Old Spyware DNS C2 Signatures — C2 signatures removed from the content database
- Old Spyware Autogen C2 Signatures — C2 signatures that were auto-generated being removed from the content database
- Old IP Malicious IP feed — Malicious IPs removed from the “Known Malicious IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
- Old IP Suspicious IP feed — Suspicious IPs removed from the “High risk IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
- Old IP Bulletproof IP feed — Identified Bulletproof IPs removed from the “Bulletproof IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
- Old IP Tor exit IP feed — Tor Exit node IPs removed from the “Tor exit IP” EDL in the PanOS GUI: Objects -> External Dynamic Lists
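The search procedure above (split a signature name at its last period, then look for the variant under its group/category in the New and Old sections) can be scripted. The following is an added example, not code from this article or from Palo Alto Networks; the release-notes layout in SAMPLE_NOTES is a constructed assumption, so the two regular expressions may need adjusting to the real file.

```python
import re

# Constructed sample in the layout this example assumes (the real notes may differ):
# a section header with its entry count, then per group/category its variant count and list.
SAMPLE_NOTES = """\
New Antivirus Signatures (2)
Generic/Win32.favk (3)
.daf .dag .dah
Trojan/Win32.agent (1)
.aaa
New Spyware DNS C2 Signatures (1)
c2-example.invalid
Old Antivirus Signatures (1)
Generic/Win32.favk (1)
.abc
"""

SECTION_RE = re.compile(r"^(New|Old) (.+?) \((\d+)\)$")   # e.g. "Old Antivirus Signatures (1)"
GROUP_RE = re.compile(r"^(\S+) \((\d+)\)$")               # e.g. "Generic/Win32.favk (3)"

def split_signature(name):
    """Split 'Generic/Win32.favk.daf' into ('Generic/Win32.favk', 'daf')."""
    group, _, variant = name.rpartition(".")
    return group, variant

def parse_notes(text):
    """Map 'New/Old <section>' -> {group/category or domain/IP entry -> [variants]}."""
    sections, section, group = {}, None, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m, g = SECTION_RE.match(line), GROUP_RE.match(line)
        if m:
            section, group = f"{m.group(1)} {m.group(2)}", None
            sections[section] = {}
        elif section is None:
            continue                      # preamble before the first section header
        elif g and "Antivirus" in section:
            group = g.group(1)            # a malware group/category with its variant count
            sections[section][group] = []
        elif group is not None:
            sections[section][group] += [v.lstrip(".") for v in line.split()]
        else:
            sections[section][line] = []  # a Spyware DNS C2 domain or an EDL IP entry
    return sections

def signature_status(sections, name):
    """Sections listing this signature: 'New ...' means added, 'Old ...' means removed."""
    group, variant = split_signature(name)
    return [s for s, groups in sections.items() if variant in groups.get(group, [])]
```

Running `signature_status(parse_notes(SAMPLE_NOTES), "Generic/Win32.favk.daf")` reports the section(s) in which that signature appears; a domain or IP can be checked directly as a key of the matching section.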