
What is a signature collision?


Information

Title: What is a signature collision?
URL Name: What-is-a-signature-collision
Summary: Signature collisions happen when a benign sample triggers an Antivirus or WildFire virus signature that was originally created for a different sample.
Validation Status: Validated - External
Publication Status: Published
Symptom

What is a signature collision?

 

Environment
Palo Alto Networks firewall
Antivirus inspection
Cause

Benign samples can trigger signatures that were originally created for a different sample, one that received a 'malware' verdict.

  1. This is because the benign sample may contain exactly the same byte values at the same byte offsets as a previous 'malicious verdict' sample for which a pattern-based signature was produced. When this occurs, it is known as a signature collision.

Conversely, if the sha256 hash of the file triggering the signature matches the sample that originally produced it, the malware verdict on that original sample can be either a

  1. False positive (a truly benign file received a malware verdict) or
  2. True positive (a true malware file received a malware verdict)

 

Resolution

The first step is to make sure that you are running the latest Antivirus and WildFire signature packages in Dynamic Updates, and that the proper download-and-install schedule is configured. The recommended Dynamic Update check frequencies are hourly for Antivirus and every minute for WildFire (or Real time if running PAN-OS >= 10.0).

Then, search Threat Vault for the Unique Threat ID (UTID) identified in the firewall's Threat log and find the sha256 hashes associated with the signature. Compare the hash listed in Threat Vault for that UTID with the sha256 of the file that is triggering the signature in your environment.

The WildFire report or a third-party site (such as VirusTotal) can be leveraged to get some notion from the detection rate; this helps you gauge whether the samples tied to the signature may or may not be false positives.
  1. Once a signature collision has been determined, placing an Antivirus exception is advised. Customers may reach out to Palo Alto Networks Support if it is affecting a lot of users and they wish for the signature to be re-evaluated.
Alternatively, if the sha256 hash associated with the UTID matches the file triggering the signature in your environment, you may assess the following scenarios.
  1. For the case of a false positive, please report an incorrect verdict for the sample associated with the signature (though it may be unlikely that you have a readily available copy of the original sample); if the original sample is not available to report through the "report incorrect verdict" option, request the verdict change with Support.
  2. For the case of a true positive, the recommendation is to place an Antivirus exception (reference "Antivirus Exceptions"). If an Antivirus exception is not appropriate (Palo Alto Networks evaluates whether the sample is environment-specific or a widely popular file that affects a great number of customers), the case can be reported to Palo Alto Networks Support following the instructions in:

How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC
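The triage steps above (hash the local file, compare it with the hashes Threat Vault lists for the UTID, then decide between collision and true/false positive) as an added example written for this article; it is not Palo Alto Networks code. The UTID, signature hashes and file contents are constructed placeholders standing in for the Threat log, the Threat Vault lookup and the file captured in your environment.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed stand-ins (not real samples or Threat Vault data). The UTID and file
# contents are placeholders; real values come from the firewall Threat log, Threat
# Vault, and the file captured in your environment.
ORIGINAL_SAMPLE = b"constructed bytes of the sample that produced the signature"
LOCAL_FILE = b"MZ\x90\x00" + b"constructed benign file with a colliding pattern"
UTID = "000000000"  # placeholder Unique Threat ID


def sha256_of(data: bytes) -> str:
    """Hex sha256 of a file's contents, the value Threat Vault lists per sample."""
    return hashlib.sha256(data).hexdigest()


# Stand-in for the Threat Vault lookup result: hashes of the samples tied to the UTID.
THREAT_VAULT: Dict[str, Dict[str, List[str]]] = {
    UTID: {"sha256": [sha256_of(ORIGINAL_SAMPLE)]},
}


def triage(utid: str, local_file: bytes, vault: Dict[str, Dict[str, List[str]]],
           original_is_false_positive: Optional[bool] = None) -> Dict[str, str]:
    """Walk the article's decision tree: collision vs. hash match, then FP vs. TP.

    original_is_false_positive is the analyst's judgement after checking the WildFire
    report or third-party detection rate; None means that check is still pending.
    """
    entry = vault.get(utid)
    if entry is None:
        return {"finding": "unknown_utid",
                "action": "confirm the UTID and that Antivirus/WildFire content is current"}
    local_hash = sha256_of(local_file)
    if local_hash not in entry["sha256"]:
        # Same byte pattern, different file: the benign file collided with the signature.
        return {"finding": "signature_collision", "local_sha256": local_hash,
                "action": "add an Antivirus exception; ask Support to re-evaluate if many users are affected"}
    if original_is_false_positive is None:
        return {"finding": "hash_match", "local_sha256": local_hash,
                "action": "check the WildFire report / third-party detection rate before deciding"}
    if original_is_false_positive:
        return {"finding": "hash_match_false_positive", "local_sha256": local_hash,
                "action": "report an incorrect verdict, or request the verdict change via Support"}
    return {"finding": "hash_match_true_positive", "local_sha256": local_hash,
            "action": "place an Antivirus exception if appropriate, otherwise open a Support case"}
```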

Additional Information
Legacy ID: 79086
Legacy URL: http://live.paloaltonetworks.com:80/t5/Threat-Vulnerability-Articles/What-is-a-signature-collision/ta-p/79086
