The first step is to make sure that you are running the latest Antivirus and WildFire signature packages in Dynamic Updates, and that a download-and-install schedule is configured. The recommended Dynamic Update check frequencies are hourly for Antivirus and every minute for WildFire (or Real time if running PAN-OS >= 10.0).
Then, search Threat Vault for the Unique Threat ID (UTID) shown in the firewall's Threat log, and note the SHA256 hashes associated with the signature. Compare the hash listed in Threat Vault for that UTID with the hash of the file that is triggering the signature in your environment.
The WildFire report or a third-party site (such as VirusTotal) can be leveraged to get a sense of the detection rate; this will help you gauge whether these samples (the ones tied to the signature) may or may not be false positives.
- Once a signature collision has been determined (the hash of your file does not match a hash listed for the UTID), placing an Antivirus exception is advised. Customers may reach out to Palo Alto Networks Support if it is affecting a lot of users and they wish for the signature to be re-evaluated.
Alternatively, if the SHA256 hash associated with the UTID matches the file triggering the signature in your environment, assess the following scenarios.
- For the case of a false positive, report an incorrect verdict for the sample associated with the signature (though you may not have a readily available copy of the original sample); if the original sample is not available to report through the "report incorrect verdict" option, request the verdict change with Support.
- For the case of a true positive, the recommendation is to place an Antivirus exception (see "Antivirus Exceptions"). If an Antivirus exception is not appropriate (Palo Alto Networks evaluates whether the sample is environment-specific or a widely popular file that affects a great number of customers), the case can be reported to Palo Alto Networks Support following the instructions in:
How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC
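The decision flow above, as an added Python helper that is not from the knowledge base article: it hashes the suspect file, compares it with the SHA256 hashes Threat Vault lists for the UTID (a constructed lookup table stands in for the real Threat Vault query), and maps the result to the article's outcomes. The UTID value, the sample bytes and the 10% detection-rate cut-off are assumptions for illustration.

```python
import hashlib
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the Threat Vault lookup: UTID -> SHA256 hashes the
# signature was built from. UTID and sample bytes are made up for this example;
# in practice the hashes come from the Threat Vault entry for the logged UTID.
SAMPLE_A = b"constructed sample A\n"
SAMPLE_B = b"constructed sample B\n"
THREAT_VAULT = {"9999999": {hashlib.sha256(SAMPLE_A).hexdigest(),
                            hashlib.sha256(SAMPLE_B).hexdigest()}}


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash the file that triggered the signature in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(utid: str, file_hash: str, vault: Dict[str, Set[str]],
           detection_ratio: Optional[float] = None,
           fp_threshold: float = 0.1) -> Tuple[str, str]:
    """Return (outcome, next step) following the article's decision flow.

    detection_ratio is the share of engines flagging the sample on the WildFire
    report or VirusTotal; fp_threshold is an assumed cut-off, not an official one.
    """
    known = vault.get(utid)
    if known is None:
        return "unknown_utid", "Look the UTID up in Threat Vault first."
    if file_hash.lower() not in known:  # our file is not the signature's sample
        return ("signature_collision",
                "Add an Antivirus exception; ask Support to re-evaluate the "
                "signature if many users are affected.")
    if detection_ratio is None:
        return ("hash_match_unassessed",
                "Check the WildFire report or VirusTotal detection rate.")
    if detection_ratio < fp_threshold:
        return ("likely_false_positive",
                "Report an incorrect verdict for the sample, or request a "
                "verdict change through Support if no copy is available.")
    return ("likely_true_positive",
            "Place an Antivirus exception if appropriate, otherwise open a "
            "Support case.")
```

Call `triage(utid, sha256_of_file(path), THREAT_VAULT, ratio)` with the UTID from the Threat log and the detection ratio you read off the WildFire or VirusTotal report.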