What is the meaning of "In Current Release: No" on Threat Vault?

24665
Created On 02/10/22 08:29 AM - Last Modified 11/14/24 06:14 AM


Symptom


Threat Vault shows "In Current Release: No" for some signatures.

Example:

[Screenshot: Threat Vault signature details page showing "In Current Release: No"]


Environment


  • Palo Alto Firewall.
  • Threat Vault signature query.


Resolution


"In Current Release: No" means that the signature is not currently in the "released" state: it is in either the "disabled" or the "replaced" state (both explained below). The state reflects the signature's status in the Palo Alto Networks signature database, not the content of the package currently installed on a firewall. For example, if a signature is disabled in the database, Threat Vault already displays "In Current Release: No" before the corresponding Anti-Virus signature package (the first one that omits it) is released. There is therefore a time gap between what Threat Vault shows and the actual release timing.
 

  • "disabled"  (Status: inactive)
A signature can be disabled because of a False Positive or for other reasons. Once it is disabled, the signature is no longer released (unless it is manually re-enabled).

 

  • "replaced"  (Status: active)
Because the number of signatures that fit into a signature package is limited, adding new signatures means that some existing signatures are replaced instead. Signatures for currently active malware are kept in the package; signatures for less active malware are replaced. This also means that when the corresponding malware is seen in the wild again, for example when a sample is uploaded to the WildFire cloud, the "replaced" signature is released again.

Some "replaced" signatures can still be delivered and trigger through WildFire Real-Time Signature Updates or DNS Security, which is why their status still shows as active:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/wildfire-features/wildfire-real-time-signature-updates
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security




Key point:
Even if Threat Vault shows "In Current Release: No", it does not necessarily mean that there was a False Positive issue with the signature; it may simply have been replaced to make room in the signature package.

 



Additional Information


See Also: What are Suspicious DNS Queries?



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNA9CAM&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail