The Antivirus profile on Palo Alto Networks firewalls is designed to block malicious files. However, benign files may occasionally be incorrectly blocked.
Notes
1. Confidence in File Integrity: This triage assumes that the file comes from a trusted source and is highly likely to be benign.
2. Threat Log Relevance: This triage applies only to threat log entries with the types 'antivirus' or 'wildfire-virus'. It does not apply to entries of type 'ml-virus', 'spyware', or 'vulnerability'.
3. VirusTotal Guidance: VirusTotal results are a useful reference but not definitive in all cases.
Scenarios
Scenario 0: Dynamic Updates Not Current, Signature Already Disabled
Sometimes, a false positive affects multiple customers, and the problematic signature has already been disabled. Ensure that your Dynamic Updates schedule is properly configured.
Scenario 1: False Positive Due to Incorrect WildFire Verdict
A benign file analyzed by WildFire was incorrectly classified as malicious, leading to an Antivirus signature being created based on this incorrect verdict.
Scenario 2: Signature Collision with an Incorrect WildFire Verdict
Other benign files (with different SHA256 hashes) are flagged because their binary structure matches the signature of a file incorrectly classified as malicious (from Scenario 1).
Scenario 3: Signature Collision with a WildFire True Positive
A benign file is blocked because its binary structure matches that of a file correctly classified as malicious.
How to Identify the Scenario
1. Check if a Signature is Disabled:
- Threat Logs: If logs display the Threat Name as 'unknown', the signature may already be disabled. The name field is populated via API query, and a disabled signature can result in threat logs with no name.
- Threat Vault: Disabled signatures typically show as "Threat ID: n/a" and "Current Release: n/a," meaning the signature is no longer present in content updates but may still be active in WildFire Real-Time.
- API Query: A Threat Vault API query for the Threat ID may show a status of "inactive", meaning the signature is not available in content updates or WildFire Real-Time, and therefore this is Scenario 0.
2. Obtain the Threat ID: From the threat logs, note the Threat ID of the triggered signature.
3. Search in Threat Vault: Look up the Threat ID in Threat Vault.
4. List of SHA256 Hashes: Threat Vault will show a list of SHA256 hashes for files with a WildFire malicious verdict that match the signature pattern.
5. VirusTotal Search:
- If all hashes have low detection counts (e.g., 3 or less) and their metadata (prevalence, comments, and engine reputability) supports a benign conclusion, then this is likely Scenario 2.
- If any hash has a high detection count (e.g., 4 or more) and the provided metadata conclusively shows the hash is malicious, then this is likely Scenario 1 or 3.
- If no hashes are found on VirusTotal, it may be Scenario 2 or 3.
6. Check the File Hash:
- Calculate the SHA256 hash of the file triggering the signature and check it in Threat Vault.
- If the WildFire verdict is malicious and you are confident the file is benign, this is Scenario 1.
- If the WildFire verdict is benign or the file's hash is not listed in Threat Vault, this is a confirmed signature collision (Scenario 2 or 3). Cross-reference with VirusTotal data for more insight.
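The identification steps above, encoded as an added Python example that is not part of the original article. The Threat Vault record, VirusTotal detection counts and file bytes are constructed stand-ins rather than live API queries, and the script uses detection counts only, so the metadata review in step 5 still belongs to the analyst.

```python
import hashlib
from dataclasses import dataclass, field

# Log types this triage applies to (see Note 2).
APPLICABLE_TYPES = {"antivirus", "wildfire-virus"}
LOW_VT_MAX = 3  # "3 or less" detections is treated as a low count (step 5)


@dataclass
class ThreatVaultRecord:
    """Constructed stand-in for a Threat Vault lookup of one Threat ID (not the real API)."""
    status: str                                   # "active" or "inactive" (step 1, API query)
    malicious_hashes: list[str] = field(default_factory=list)  # SHA256s with a WildFire malicious verdict (step 4)


def sha256_hex(data: bytes) -> str:
    """Step 6: SHA256 of the blocked file, given its contents as bytes."""
    return hashlib.sha256(data).hexdigest()


def classify(log_type, threat_name, vault, vt_detections, file_sha256, file_trusted=True):
    """Return the scenario label the page's decision steps lead to.

    vt_detections maps SHA256 -> VirusTotal detection count, or None when the
    hash is not found on VirusTotal (constructed data here, nothing is queried).
    """
    if log_type not in APPLICABLE_TYPES:
        return "not applicable"
    # Step 1: a disabled signature shows as Threat Name 'unknown' in the logs and as
    # status 'inactive' in a Threat Vault API query -> Scenario 0.
    if threat_name == "unknown" and vault.status == "inactive":
        return "Scenario 0"
    # Step 6: is the blocked file itself one of the malicious-verdict hashes?
    # Note 1 assumes the file is trusted; if it is not, a listed hash is a real detection.
    if file_sha256 in vault.malicious_hashes:
        return "Scenario 1" if file_trusted else "true positive (file not trusted)"
    # The file's hash is not listed (or its verdict is benign): a confirmed collision.
    # Step 5 decides between Scenario 2 and 3 from the colliding hashes' VT counts.
    found = [c for c in (vt_detections.get(h) for h in vault.malicious_hashes) if c is not None]
    if not found:
        return "Scenario 2 or 3"   # nothing on VirusTotal to separate the two
    if any(c > LOW_VT_MAX for c in found):
        return "Scenario 3"        # colliding hashes look like WildFire true positives
    return "Scenario 2"            # colliding hashes look like WildFire false positives
```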