What is the meaning of "Current Release: n/a" on ThreatVault?

Created On 02/10/22 08:29 AM - Last Modified 04/04/24 16:33 PM


Symptom


ThreatVault shows "Current Release: n/a" for some signatures.

Example (screenshot): ThreatVault_na.png
 


Environment


  • Palo Alto Firewall.
  • ThreatVault signature query.


Resolution


"Current Release: n/a" means that the signature is not currently in the "released" state: it is in either the "disabled" or the "replaced" state (both explained below). The state reflects the signature's status in the Palo Alto Networks database. For example, if the signature is disabled in the database, ThreatVault displays "Current Release: n/a" even before the corresponding Anti-Virus signature package is released, so there is a time gap between what ThreatVault shows and the actual release timing.
 
  • "disabled"
A signature can get disabled due to a False Positive or for other reasons. Once it is disabled, the signature is no longer released (unless it is manually enabled).
 
  • "replaced"
Because the number of signatures that fit in the signature package is limited, adding new signatures causes some existing ones to be replaced. Signatures for active malware are kept in the package; signatures for less active malware are replaced. This also means that when the corresponding malware is seen in the wild again, e.g. a sample is uploaded to the WildFire cloud, the "replaced" signature gets released again.

(Some of) the 'replaced' signatures can still trigger with WildFire Real-Time Signature Update or DNS Security.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/wildfire-features/wildfire-real-time-signature-updates
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security



Key point:
Even if you see "Current Release: n/a" on ThreatVault, it doesn't always mean that there was a False Positive issue with the signature.

 


Additional Information


See Also: What are Suspicious DNS Queries?


