All PDF files detected by ATP

We have an external partner (Salesforce platform) who always sends us an invoice as a PDF. All PDF files have been filtered by ATP since yesterday. Are there problems with ATP, or how can I define an exception for this sender? I cannot put the file into an exception by MD5; it's a different file every time.

Does anyone have an idea?

Case 01387379 opened, but nobody cares :-(

Comments

  • ... today I checked my logs and I see the same behavior with all other senders with PDF attachments.
    Does anyone else see this behavior?

  • Ralph (WatchGuard Representative)

    Hello Mike,

    The "invoices" link inside the PDF was identified as a malicious URL. Fake invoices with phishing links are super common.

    Let us know if you see any others... The sample you submitted was reclassified as benign.
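
    Ralph's finding above is that a link inside the PDF, not the file body, is what tripped the verdict. When a vendor reports that, the first thing a practitioner wants is to see which URLs the file actually carries. The following is an added example, not code from this thread or from WatchGuard: it pulls every /URI link action out of a PDF, including ones hidden inside FlateDecode-compressed object streams, and computes the MD5 that the proxy log reports, so the two can be matched against the support case. The embedded PDF is constructed for the example and the example.com links are placeholders.

```python
import hashlib
import re
import zlib

# /URI values appear either as literal strings "(...)" or as hex strings "<...>".
URI_RE = re.compile(rb"/URI\s*(?:\(((?:[^\\)]|\\.)*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
# Body of any stream object; compressed object streams can hide link annotations
# from a plain string search, so each one is inflated and scanned as well.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\nendstream", re.DOTALL)


def _unescape_literal(raw: bytes) -> str:
    # Resolve PDF literal-string escapes such as \( \) \\ (non-ASCII is rare in URLs).
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw, flags=re.DOTALL).decode("latin-1")


def _scan(blob: bytes, found: list) -> None:
    for m in URI_RE.finditer(blob):
        if m.group(1) is not None:
            found.append(_unescape_literal(m.group(1)))
        else:
            hexdigits = re.sub(rb"\s", b"", m.group(2))
            found.append(bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1"))


def extract_uris(pdf: bytes) -> list:
    """Return every /URI target in document order, de-duplicated.

    Plain objects are scanned first, then every stream body is inflated with zlib
    and scanned too; streams that are not FlateDecode simply fail to inflate and
    are skipped (zlib ignores trailing bytes such as a CRLF before 'endstream').
    """
    found = []
    _scan(pdf, found)
    for m in STREAM_RE.finditer(pdf):
        try:
            _scan(zlib.decompress(m.group(1)), found)
        except zlib.error:
            continue
    return list(dict.fromkeys(found))


def md5_hex(data: bytes) -> str:
    """Same digest the proxy log reports as 'md5:'; used only for matching, not for trust."""
    return hashlib.md5(data).hexdigest()


def triage(pdf: bytes) -> dict:
    return {"md5": md5_hex(pdf), "uris": extract_uris(pdf)}


# Constructed sample PDF (assumption: not the partner's real invoice). Object 4 is a
# visible link annotation; object 5 is the same kind of annotation but packed into a
# FlateDecode stream, which is where a naive grep would miss it.
_HIDDEN_OBJ = (b"5 0 obj << /Type /Annot /Subtype /Link "
               b"/A << /S /URI /URI (https://example.com/privacy-options) >> >> endobj")
_DEFLATED = zlib.compress(_HIDDEN_OBJ)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.com/invoices) >> >> endobj\n"
    b"6 0 obj << /Filter /FlateDecode /Length " + str(len(_DEFLATED)).encode() + b" >>\n"
    b"stream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    import json
    # On a real file: triage(open("invoice.pdf", "rb").read())
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

    The second link only shows up because the stream body is inflated; a phishing PDF that keeps its link actions in an object stream would otherwise look clean to a string search. Compare the reported MD5 with the "md5:" value in the proxy log before submitting, so the sample in the case is the exact bytes the firewall scanned.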

  • Hello, I restarted and waited. The problem persists. I see the same problem with all other PDF files.

  • Ralph (WatchGuard Representative)

    Hello Mike,

    Could I get you to grab the md5: and the task_uuid: from the logs...

  • Hello Ralph,

    md5: 89e8aef291ba8f41d5b797f644033ccf
    task_uuid: 65bd666df93f00201083858111e7c9f8

    Thanks Mike

  • Ralph (WatchGuard Representative)

    Thanks Mike,

    That one was picked up yesterday as malicious because of that "invoices" link inside the file. Wondering if the Privacy popup with custom privacy options is tripping this.

    Do you have logs from today? I'd like to get a more recent task_uuid to eliminate the local AV cache.

  • Hello Ralph, yes, it is from today.

    Here are the new UUID and MD5, generated just now:

    md5: 89e8aef291ba8f41d5b797f644033ccf
    task_uuid: 65bd666df93f00201083858111e7c9f8

  • Ralph (WatchGuard Representative)

    OK, thanks Mike. Looks like the result might be coming from the local AV cache, given it's the same task ID.

    Try clearing it from the CLI: cache-flush scan

    I had the file re-analyzed and it's definitely benign.

    The file 89e8aef291ba8f41d5b797f644033ccf was found to be BENIGN.
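
    Ralph's rule above is that a resubmitted file coming back with the same task_uuid was never re-analysed: the verdict was answered from a cache. The following is an added example, not code from this thread or from WatchGuard, that applies that rule to proxy log lines: it groups scans by md5 and flags files whose repeated submissions all carry one task_uuid, versus files that got a fresh task per submission. Only the "md5:" and "task_uuid:" field names come from the thread; the log layout, timestamps, host name and "verdict:" field are constructed assumptions, and the second file's hashes are made up.

```python
import re
from collections import defaultdict

# Constructed log excerpt (assumption: layout invented; the first file reuses the
# md5 and task_uuid quoted in the thread, the second file is entirely made up).
SAMPLE_LOG = """\
2024-03-04 09:12:01 fw1 apt-blocker md5: 89e8aef291ba8f41d5b797f644033ccf task_uuid: 65bd666df93f00201083858111e7c9f8 verdict: malicious
2024-03-05 08:40:17 fw1 apt-blocker md5: 89e8aef291ba8f41d5b797f644033ccf task_uuid: 65bd666df93f00201083858111e7c9f8 verdict: malicious
2024-03-05 08:41:02 fw1 apt-blocker md5: 0123456789abcdef0123456789abcdef task_uuid: 3f2a9c1e7b8d4f60a1b2c3d4e5f60718 verdict: benign
2024-03-05 10:05:44 fw1 apt-blocker md5: 0123456789abcdef0123456789abcdef task_uuid: 9d8c7b6a5f4e3d2c1b0a998877665544 verdict: benign
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+).*?md5: (?P<md5>[0-9a-f]{32})"
    r".*?task_uuid: (?P<uuid>[0-9a-f]{32}).*?verdict: (?P<verdict>\w+)"
)


def parse_log(text: str) -> list:
    """Pull timestamp, md5, task_uuid and verdict out of each line; skip non-matching lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def classify(records: list) -> dict:
    """Group scans by md5 and decide whether the verdict is being re-served.

    cached-verdict : the file was scanned more than once but every scan reports the
                     same task_uuid, i.e. no new analysis task was ever created.
    fresh-analyses : each submission produced its own task_uuid, so the verdict
                     (whatever it is) came from the analysis service, not a cache.
    single-scan    : not enough data to tell; resubmit and check again.
    """
    by_md5 = defaultdict(list)
    for r in records:
        by_md5[r["md5"]].append(r)
    result = {}
    for md5, scans in by_md5.items():
        uuids = sorted({s["uuid"] for s in scans})
        if len(scans) == 1:
            status = "single-scan"
        elif len(uuids) == 1:
            status = "cached-verdict"
        else:
            status = "fresh-analyses"
        result[md5] = {
            "scans": len(scans),
            "task_uuids": uuids,
            "verdicts": sorted({s["verdict"] for s in scans}),
            "status": status,
        }
    return result


if __name__ == "__main__":
    for md5, info in classify(parse_log(SAMPLE_LOG)).items():
        print(md5, info["status"], info["task_uuids"], info["verdicts"])
```

    Read the output together with what was done between scans: a cached-verdict status before any flush is expected and is what the `cache-flush scan` step addresses; the same status again after the flush and a fresh submission means the local cache was not where the verdict came from, and that is the point at which the md5 and task_uuid go to support, as happened in this thread.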

  • Hello Ralph,
    it's crazy. I waited a night, rebooted both cluster boxes, flushed the cache.

    Same procedure :-)

  • Ralph (WatchGuard Representative)

    Hello Mike,

    Thanks for testing. There's always a reason for everything :)

    I'm looking into this. There must be a disconnect somewhere with getting the info out of the service.

  • Ralph (WatchGuard Representative)

    Hello Mike,

    OK, I figured this out. There's a data discrepancy between the NA and EMEA analyst data. We're getting the vendor to investigate... I'll keep you posted.

  • Hello Ralph, many thanks for the information!
