https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-explicit-proxy-anti-spyware-behavior-when-dns/m-p/1248662#M1278 <P><SPAN data-teams="true">Attention: JAPAC TPM Team</SPAN><BR /><SPAN>Hello Team,</SPAN></P> <P>&nbsp;</P> <P><SPAN>I have a question about the Anti-Spyware profile behavior in a Prisma Access (Explicit Proxy) environment.<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN><STRONG>Scenario</STRONG><BR />- Clients use Explicit Proxy to reach Prisma Access for web traffic.<BR />- DNS resolution does not traverse Prisma Access (it is resolved by a local resolver / another path).<BR />- An Anti-Spyware profile is attached to the relevant security policy.<BR />- SSL decryption: enabled/disabled (please advise if this matters in this scenario).<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN><STRONG>Questions</STRONG><BR />1. When client DNS queries do not traverse Prisma Access, is it correct that Anti-Spyware detections would rely on payload-based signatures (and not DNS signatures / sinkhole)?<BR />2. In such a case, should detections appear in the Threat log with subtype: spyware? Is there any difference in the logging behavior compared to DNS signature/sinkhole events?<BR />3. I couldn’t find an official knowledge base article that specifically tests this scenario. Is there a recommended test methodology to validate Anti-Spyware behavior with Explicit Proxy when DNS is out‑of‑path?</SPAN></P> <P><SPAN><BR /><STRONG>Constraints</STRONG><BR />I currently don’t have access to a live traffic test environment, so any guidance, example steps, or references would be greatly appreciated.<BR /></SPAN></P> <P>&nbsp;</P> <DIV id="bodyDisplay" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <DIV> <DIV> <P>Thank you in advance for your assistance.</P> </DIV> </DIV> </DIV> </DIV> <DIV class="lia-rating-metoo lia-component-me-too lia-component-message-view-widget-me-too"> <DIV class="RatingDisplay lia-component-ratings-widget-rating-display">&nbsp;</DIV> </DIV> Fri, 20 Feb 2026 08:45:20 GMT Imas4to 2026-02-20T08:45:20Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-explicit-proxy-anti-spyware-behavior-when-dns/m-p/1248662#M1278 <P><SPAN data-teams="true">Attention: JAPAC TPM Team</SPAN><BR /><SPAN>Hello Team,</SPAN></P> <P>&nbsp;</P> <P><SPAN>I have a question about the Anti-Spyware profile behavior in a Prisma Access (Explicit Proxy) environment.<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN><STRONG>Scenario</STRONG><BR />- Clients use Explicit Proxy to reach Prisma Access for web traffic.<BR />- DNS resolution does not traverse Prisma Access (it is resolved by a local resolver / another path).<BR />- An Anti-Spyware profile is attached to the relevant security policy.<BR />- SSL decryption: enabled/disabled (please advise if this matters in this scenario).<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN><STRONG>Questions</STRONG><BR />1. When client DNS queries do not traverse Prisma Access, is it correct that Anti-Spyware detections would rely on payload-based signatures (and not DNS signatures / sinkhole)?<BR />2. In such a case, should detections appear in the Threat log with subtype: spyware? Is there any difference in the logging behavior compared to DNS signature/sinkhole events?<BR />3. I couldn’t find an official knowledge base article that specifically tests this scenario. Is there a recommended test methodology to validate Anti-Spyware behavior with Explicit Proxy when DNS is out‑of‑path?</SPAN></P> <P><SPAN><BR /><STRONG>Constraints</STRONG><BR />I currently don’t have access to a live traffic test environment, so any guidance, example steps, or references would be greatly appreciated.<BR /></SPAN></P> <P>&nbsp;</P> <DIV id="bodyDisplay" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <DIV> <DIV> <P>Thank you in advance for your assistance.</P> </DIV> </DIV> </DIV> </DIV> <DIV class="lia-rating-metoo lia-component-me-too lia-component-message-view-widget-me-too"> <DIV class="RatingDisplay lia-component-ratings-widget-rating-display">&nbsp;</DIV> </DIV> Fri, 20 Feb 2026 08:45:20 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-explicit-proxy-anti-spyware-behavior-when-dns/m-p/1248662#M1278 Imas4to 2026-02-20T08:45:20Z