Why are disabled signatures (WildFire-Virus) getting triggered in PAN-OS 10.0 and above?
Symptom
- Sometimes a WildFire-Virus signature is triggered for a Threat ID that has already been disabled or replaced:
- In this case, signature 426577974 has been disabled:
Note: "n/a" on Threat Vault does not always mean that the signature was disabled; it could also have been "replaced". Please refer to the following KB for more detail.
What is the meaning of "Current Release: n/a" on ThreatVault?
- The Dynamic Update schedule for the WildFire signatures (Device > Dynamic Updates > WildFire) is not set to "Real-time".
Environment
PAN-OS 10.0 and above
WildFire subscription
WildFire signature that has been disabled (or replaced)
Cause
This is caused by a known issue (PAN-182689): a signature from a previously installed WildFire package continued to trigger a malware detection even though the signature was no longer present in the currently installed WildFire package.
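The practical consequence of this cause is that a WildFire-Virus threat log entry is not, by itself, proof that the Threat ID exists in the package the firewall currently has installed. The following script is an added example (it is not from the KB or from Palo Alto Networks) that shows how to triage such alerts: it reads simplified, constructed threat-log lines and flags WildFire-Virus hits whose Threat ID is not in the current package. The log column layout and the list of Threat IDs in the current package (`CURRENT_PACKAGE_IDS`) are assumptions for the example; real PAN-OS threat logs carry many more fields, and the KB does not describe how to export the package's ID list.

```python
import csv
import io
from dataclasses import dataclass

# Constructed, simplified threat-log lines for the example. This is NOT the
# real PAN-OS CSV layout; columns here are:
#   receive_time, threat_id, subtype, action, file_name, src, dst
SAMPLE_LOG = """\
2023/02/01 10:00:01,426577974,wildfire-virus,alert,invoice.exe,10.1.1.5,203.0.113.10
2023/02/01 10:02:13,500000001,wildfire-virus,alert,setup.msi,10.1.1.7,203.0.113.11
2023/02/01 10:03:44,30013,vulnerability,reset-both,,10.1.1.9,203.0.113.12
2023/02/01 10:05:09,426577974,wildfire-virus,alert,invoice.exe,10.1.1.5,203.0.113.10
"""

# Assumed input: the Threat IDs carried by the WildFire package that is
# currently installed on the firewall (constructed values for the example).
CURRENT_PACKAGE_IDS = {500000001, 500000002}


@dataclass(frozen=True)
class StaleHit:
    """A WildFire-Virus Threat ID that fired but is absent from the current package."""
    threat_id: int
    count: int
    first_seen: str
    last_seen: str


def find_stale_wildfire_hits(log_text, current_ids):
    """Aggregate WildFire-Virus log entries whose Threat ID is not in current_ids.

    Entries of other subtypes (e.g. vulnerability) are ignored, as are
    WildFire-Virus hits for IDs that the current package does contain.
    Returns a list of StaleHit sorted by Threat ID.
    """
    hits = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7:
            continue  # skip malformed or truncated lines
        ts, raw_tid, subtype = row[0], row[1], row[2].strip().lower()
        if subtype != "wildfire-virus":
            continue
        try:
            tid = int(raw_tid)
        except ValueError:
            continue  # non-numeric Threat ID: not something we can reconcile
        if tid in current_ids:
            continue  # legitimate hit from the installed package
        entry = hits.setdefault(tid, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        # Timestamps share one fixed format, so string comparison orders them.
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return [
        StaleHit(tid, v["count"], v["first"], v["last"])
        for tid, v in sorted(hits.items())
    ]


if __name__ == "__main__":
    for hit in find_stale_wildfire_hits(SAMPLE_LOG, CURRENT_PACKAGE_IDS):
        print(
            f"Threat ID {hit.threat_id} fired {hit.count}x "
            f"({hit.first_seen} .. {hit.last_seen}) but is not in the current package"
        )
```

A non-empty result on a firewall running an affected PAN-OS release with a non-real-time WildFire schedule is the pattern this KB describes; the same check run after the upgrade or workaround should come back empty for those IDs.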
Resolution
PAN-182689 is fixed in PAN-OS 10.1.10 and 10.2.3. Upgrading the firewalls to either of those versions or later resolves the issue. The release notes are linked below:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/pan-os-10-1-10-known-and-addressed-issues/pan-os-10-1-10-addressed-issues
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-3-known-and-addressed-issues/pan-os-10-2-3-addressed-issues
If you are running an affected version and are not ready to upgrade, use the following workarounds:
Workarounds:
Change the WildFire signature update schedule to "Real-time"; this should resolve the issue. Here is what the configuration looks like.
If this does not resolve the issue, delete the entry from the cache. See the KBs below for more detail.
How to configure a WildFire Real-Time signature exception
Wildfire Cloud verdict is benign but still receiving Malware verdict alerts
Additional Information
The below KB explains the scenario of a "replaced" signature (not "disabled").
Why are dated WildFire-virus signatures triggering threat logs when using WildFire Real-time schedule?