topic Suspicious Code in GIF File Detection - Logic of Detection in Next-Generation Firewall Discussions

Suspicious Code in GIF File Detection - Logic of Detection

boy_pugante — Thu, 19 Jan 2023 06:20:01 GMT

Good Day Team!

I hope You are all doing well!

We have a detection re: a remote ip attempting to connect to a certain server which hit the rule Suspicious Code in GIF File Detection.

We have blocked the ip, however, the detection has:

Threat Category: downloader

PA Subtype (custom): spyware

wherein we are currently in a dilemma if the former remediation is enough due to the lesser knowledge of the

logic of the Suspicious Code in GIF File rule.

Does this detection (Suspicious Code in GIF File):

- Scans/Detect network traffic, or

- it scans file.

Please kindly let me know if You have any questions or clarification of this inquiry.

Thank You!

Re: Suspicious Code in GIF File Detection - Logic of Detection

nikoolayy1 — Tue, 31 Jan 2023 21:09:28 GMT

As this seems blocked by the spyware profile that together with the vunrability profile is network based (wildfire and the antivirus profiles are file based) it is more a network traffic than a file scan as GIF is also not supported for wildfire scans.

https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/wildfire-concepts/file-analysis

In the future maybe this can also be blocked as a file with advanced wildfire but for now it seems like a network signature.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/content-inspection-features/vuln-protection-inline-cloud-analysis

Re: Suspicious Code in GIF File Detection - Logic of Detection

boy_pugante — Sat, 11 Feb 2023 11:17:55 GMT

Good Day Sir!

Thank You for Your immediate and kind response!

Indeed, per our further checking and re-analysis this is a network based, although per Our discussion this could be on the gray area due to some difficulties, we have somehow narrowed and remediated this issue.

Hoping to hear again from You soon!

Regards,

Boy Pugante