All things Palo Alto Networks

    sahul.hameed
    Nov 30, 2020

    Hash Value not detected by Palo Alto Engine

    in General discussion

    Hi Team,


I just want to know why the below-mentioned hash values are not detected by our Palo Alto engine as a malicious file type.


But at the same time, on VirusTotal we are able to see that some of the engines detect it as malicious.


Please review the below-mentioned hash values and share your thoughts on this with me.


    MD5 HASH Details:



    VirusTotal Results:


    Result of 1st Hash Value --> VirusTotal

    Result of 2nd Hash Value --> VirusTotal

    Result of 3rd Hash Value --> VirusTotal

    Result of 4th Hash Value --> VirusTotal

    Result of 5th Hash Value --> VirusTotal


Please review the given information and let us know why the Palo Alto Networks engine has not detected this file type and is unable to give a verdict in ThreatVault.


    Best Regards,

    Sahul Hameed




    Reaper
    Nov 30, 2020

    Hi Sahul


    That's hard to say. What are you seeing in the logs? Are the files being intercepted but is the verdict reported as benign?


    If you have a sample of the actual files, you could upload them to the Upload Sample-WildFire Portal to see what the verdict is.


If WildFire is turning up benign, you may want to reach out to Palo Alto TAC to report this issue.

    sahul.hameed
    Nov 30, 2020

    Hi -- Thanks for your response.


My query is that we have received a report from one of our vendors with a list of hash values, stating that all of these are malicious file hashes and that we need to take preventive action on our end.


So when we cross-checked all the hash values given by the vendor on both VirusTotal and ThreatVault, we found that some of the hash values do not have an active WildFire/AntiVirus signature, but at the same time VirusTotal detects that hash as *Malicious*.


My question here is, why for the same hash value is VirusTotal giving a verdict of Malicious while ThreatVault doesn't show it as malware and also has no AntiVirus signature? Because of this we are a bit curious about how to take preventive action for the earlier-mentioned hash values on our firewall. I hope you have got my query now.


    Best Regards,

    Sahul Hameed

    Reaper
    Nov 30, 2020

    There could be several reasons that the hash is not included in ThreatVault: the files may not have been 'seen' by any WildFire enabled devices, hence no verdict is available.

    They could have been rolled up into a different/generic signature that covers the trojans but is not listed as the hash, since the hash is only used (by WildFire) to identify a specific file, but the same trojan may be injected into many different files.


For a conclusive answer to your question I would recommend reaching out to Palo TAC, as they can check their backend servers to see if this file is identified differently or is missing.


Hope this helps.

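Since the answer above turns on the difference between a VirusTotal consensus and a hash-keyed ThreatVault entry, here is an added Python example (not from the thread, and not Palo Alto Networks code) that normalizes a vendor hash list and buckets each hash by what the two sources say, so the VirusTotal-flagged but ThreatVault-missing cases described above are the ones queued for a WildFire sample upload or a TAC case. The VirusTotal and ThreatVault lookups are constructed sample data, not real API output.

```python
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed vendor report: mixed case, stray whitespace, one non-hash line.
VENDOR_REPORT = """
0123456789abcdef0123456789abcdef
FEDCBA9876543210FEDCBA9876543210
  deadbeefdeadbeefdeadbeefdeadbeef
not-a-hash
"""

# Constructed VirusTotal-style data: md5 -> (engines flagging it, engines total).
VT_SAMPLE = {
    "0123456789abcdef0123456789abcdef": (3, 70),
    "fedcba9876543210fedcba9876543210": (45, 70),
    "deadbeefdeadbeefdeadbeefdeadbeef": (40, 70),
}

# Constructed ThreatVault-style data: md5 -> signature names keyed on that exact file.
TV_SAMPLE = {
    "fedcba9876543210fedcba9876543210": ["Virus/Win32.WGeneric.constructed"],
}

def normalize_hashes(text):
    """Lower-case, strip and validate each line; return (valid, rejected)."""
    valid, rejected = [], []
    for line in text.splitlines():
        h = line.strip().lower()
        if h:
            (valid if MD5_RE.match(h) else rejected).append(h)
    return valid, rejected

def triage(hashes, vt=VT_SAMPLE, tv=TV_SAMPLE, vt_threshold=5):
    """Bucket each hash by what the two verdict sources say about it."""
    result = {}
    for h in hashes:
        flagged, total = vt.get(h, (0, 0))
        sigs = tv.get(h, [])
        if sigs:
            action = "covered"   # PAN signature exists; check the AV profile is applied
        elif flagged >= vt_threshold:
            action = "escalate"  # VT consensus but no PAN verdict: submit sample / TAC
        elif flagged > 0:
            action = "review"    # only a few VT engines; possible false positive
        else:
            action = "unknown"   # no verdict anywhere; get the sample to WildFire
        result[h] = {"vt": f"{flagged}/{total}", "signatures": sigs, "action": action}
    return result
```

The "covered" bucket only means a signature referencing the hash exists; whether it blocks anything still depends on the firewall's Antivirus and WildFire profiles being applied to the relevant rules.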

    sahul.hameed
    Nov 30, 2020

@Reaper Yes, thanks for your effort on this.


    Will reach out to PA TAC for further analysis.


    Best Regards,

    Sahul Hameed


    ©2020 by PANgurus.