The VSA Domain Deployment process from the Probe process triggers A/V blocking with PaloAlto Firewall.  This is due to the thumb-printing of the the network service over tcp/445.  

With Agent 9.5.0.13, it was detected as this:

Signature
Release
Hashesmd5sha1sha256

Name: Virus/Win32.WGeneric.afrjql

Unique Threat ID: 305850819

Create Time: 2019-09-28 23:49:38 (UTC)

Threat ID: n/a

Current Release: n/a

First Release: 3118 (2019-09-30 UTC)

b3a21ed08be664210229d757e8777016a09c796d7d64355597b17

99240b9198b80acbc285ef48c44d04a00931cb7b25545aea591320

8b0c742a67c27df3aeeeb6e1cb2827b2514448d7fc996bd6105c7e

1c534c17e333921f376392a40ea1eafb673162eda5b19525f74659

0564ffbdb0ee71c36deca148171d0b156ee021857b2ca6003ee658

3d4d95926579606b16533daed494a32be33bfb560d61e571116

Now, with 9.5.0.14, the blocking begain and now we get this:

Signature
Release
Hashesmd5sha1sha256

Name: Virus/Win32.WGeneric.agopmo

Unique Threat ID: 313716504

Create Time: 2019-11-10 08:06:19 (UTC)

Threat ID: 2600841

Current Release: 3160 (2019-11-11 UTC)

First Release: 3160 (2019-11-11 UTC)

3944d140c5ec4859aad1e7485a100aaf6

7cc7566091ffde045503686efa6423be1c

ffc6a5fedc55167982e01dc0daeeb49803

c0b6ad30f23b84096ea3a780e816762c6

1aa337e520bcc4e2de3c7ef4495c90cc6c

9d6954b13bcf4935ae262ea5cb787f4b6aa

9e6ae57803a8d5bc5783b

You have to make an exception in the A/V policy to allow deployment to work.  I hate this, as its a bit of work to make sure it's only a granular exception and that a real virus with the same signature is not allowed to propagate the network.