To see this working, head to your live site.

Hash Value not detected by Palo Alto Engine

Hi Team,

I just want to know why the below mentioned Hash value is not detected in our Palo Alto Engine as a malicious file type.

But at the same time on the Virus Total we are able to see some of the engines are detected it as malicious.

Please review the below mentioned HASH value and share me with your thoughts on this.

MD5 HASH Details:

b66be2f7c046205b01453951c161e6cc

46b318bbb72ee68c9d9183d78e79fb5a

b3efec620885e6cf5b60f72e66d908a9

d790997dd950bb39229dc5bd3c2047ff

58bb2236e5aee39760d3e4fc6ee94a79

VirusTotal Results:

Result of 1st Hash Value --> VirusTotal

Result of 2nd Hash Value --> VirusTotal

Result of 3rd Hash Value --> VirusTotal

Result of 4th Hash Value --> VirusTotal

Result of 5th Hash Value --> VirusTotal

Please review on the given information and let us know on why Palo Alto Networks Engine not detected this file type and unable to give the verdict in ThreatVault.

Best Regards,

Sahul Hameed

4 comments

Comments (4)

Reaper

Nov 30, 2020

Hi Sahul

That's hard to say. What are you seeing in the logs? Are the files being intercepted but is the verdict reported as benign?

If you have a sample of the actual files, you could upload them to the Upload Sample-WildFire Portal to see what the verdict is.

If WildFire is turning up benign, you may want to reach out to Palo Alto TAC to report this issue

sahul.hameed

Nov 30, 2020

Replying to

Hi -- Thanks for your response.

What is my query is that, We have received a report from one of the Vendor stating that with a list of Hash value's. Since all this are Malicious file type Hashes and need to take preventive action on our end.

So when we cross checked all the given Hash value by the Vendor on both VirusTotal and ThreatVault. We end up with some of the Hash value are not having an active WildFire/AntiVirus signature but at the same time in Virus Total that hash is detecting it as a *Malicious*.

My question here is, why for the same Hash value VirusTotal is giving this verdict as Malicious and ThreatVault isn't show it as Malware and also no AntiVirus Signature. Because of this we have bit curious on how to take preventive action for the earlier mentioned Hash Value's on our Firewall. Hope you got my query now I suppose.

Best Regards,

Sahul Hameed

Reaper

Nov 30, 2020

Replying to

There could be several reasons that the hash is not included in ThreatVault: the files may not have been 'seen' by any WildFire enabled devices, hence no verdict is available.

They could have been rolled up into a different/generic signature that covers the trojans but is not listed as the hash, since the hash is only used (by WildFire) to identify a specific file, but the same trojan may be injected into many different files.

for a conclusive answer on your question I would recommend reaching out to Palo TAC as they can check their backend servers to see if this file is identified differently, or is missing

hope this helps

sahul.hameed

Nov 30, 2020

Replying to

@Reaper Yes, Thanks for your effort on this.

Will reach out to PA TAC for further analysis.

Best Regards,

Sahul Hameed

Forum: Forum