Hi Team,
I just want to know why the below mentioned Hash value is not detected in our Palo Alto Engine as a malicious file type.
But at the same time on the Virus Total we are able to see some of the engines are detected it as malicious.
Please review the below mentioned HASH value and share me with your thoughts on this.
MD5 HASH Details:
b66be2f7c046205b01453951c161e6cc
46b318bbb72ee68c9d9183d78e79fb5a
b3efec620885e6cf5b60f72e66d908a9
d790997dd950bb39229dc5bd3c2047ff
58bb2236e5aee39760d3e4fc6ee94a79
VirusTotal Results:
Result of 1st Hash Value --> VirusTotal
Result of 2nd Hash Value --> VirusTotal
Result of 3rd Hash Value --> VirusTotal
Result of 4th Hash Value --> VirusTotal
Result of 5th Hash Value --> VirusTotal
Please review on the given information and let us know on why Palo Alto Networks Engine not detected this file type and unable to give the verdict in ThreatVault.
Best Regards,
Sahul Hameed
Hi Sahul
That's hard to say. What are you seeing in the logs? Are the files being intercepted but is the verdict reported as benign?
If you have a sample of the actual files, you could upload them to the Upload Sample-WildFire Portal to see what the verdict is.
If WildFire is turning up benign, you may want to reach out to Palo Alto TAC to report this issue
Hi -- Thanks for your response.
What is my query is that, We have received a report from one of the Vendor stating that with a list of Hash value's. Since all this are Malicious file type Hashes and need to take preventive action on our end.
So when we cross checked all the given Hash value by the Vendor on both VirusTotal and ThreatVault. We end up with some of the Hash value are not having an active WildFire/AntiVirus signature but at the same time in Virus Total that hash is detecting it as a *Malicious*.
My question here is, why for the same Hash value VirusTotal is giving this verdict as Malicious and ThreatVault isn't show it as Malware and also no AntiVirus Signature. Because of this we have bit curious on how to take preventive action for the earlier mentioned Hash Value's on our Firewall. Hope you got my query now I suppose.
Best Regards,
Sahul Hameed
There could be several reasons that the hash is not included in ThreatVault: the files may not have been 'seen' by any WildFire enabled devices, hence no verdict is available.
They could have been rolled up into a different/generic signature that covers the trojans but is not listed as the hash, since the hash is only used (by WildFire) to identify a specific file, but the same trojan may be injected into many different files.
for a conclusive answer on your question I would recommend reaching out to Palo TAC as they can check their backend servers to see if this file is identified differently, or is missing
hope this helps
@Reaper Yes, Thanks for your effort on this.
Will reach out to PA TAC for further analysis.
Best Regards,
Sahul Hameed