https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/333566#M856 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/34186">@mivaldi</a>,</P><P>That's good ideas. I have a rules for blocked APT with malware url. Threat stopped when i disabled it.</P><P>&nbsp;</P><P>So many thanks</P><P>Khai&nbsp;</P> Tue, 16 Jun 2020 02:06:20 GMT Khai-Huynh 2020-06-16T02:06:20Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/331261#M840 <P>Hi All,</P><P>Our Firewall drop DNS traffic of C&amp;C (&nbsp;us.jaxonsorensen.club, news.sqllitlerver.info &amp; log.osloger.biz) with source IP Address of Firewall. This issue after update the Threat 28/05/2020.&nbsp;</P><P>&nbsp;</P><P><SPAN>Will appreciate any help/suggestions.</SPAN></P><P>&nbsp;</P><P><SPAN>Best regards,</SPAN></P><P><SPAN>Khai</SPAN></P><P>&nbsp;</P> Wed, 03 Jun 2020 05:00:35 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/331261#M840 Khai-Huynh 2020-06-03T05:00:35Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/331430#M842 <P>This can be caused by the firewall running DNS proxy, or attempting to fill out the IP information in pre-defined threat reports. Check your Threat logs to see if these domains have been observed, and verify the threat reports to see if any generated reporting the malicious domain findings.</P> Wed, 03 Jun 2020 16:22:44 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/331430#M842 mivaldi 2020-06-03T16:22:44Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/331546#M844 <P>Thanks Mivaldi,</P><P>The problem here, I didn't configuration about the DNS Proxy. I checked all host in our network nothing query to spyware DNS. Only Firewall Palo alto request.</P><P>&nbsp;</P><P>Thanks,</P><P>Khai</P> Thu, 04 Jun 2020 02:11:58 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/331546#M844 Khai-Huynh 2020-06-04T02:11:58Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/331662#M845 <P>Check your URL Filtering logs.</P> Thu, 04 Jun 2020 16:51:15 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/331662#M845 mivaldi 2020-06-04T16:51:15Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/333315#M851 <P>&nbsp;</P><P>I tested these and see that PA blocks them under threat as type spyware.</P><P>Source address is my PC and it is working as expected as i have dns sinkhole configured.</P><P>&nbsp;</P><P>You will not see any traffic for these sites under url as it sinkholed.</P> Sat, 13 Jun 2020 18:47:45 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/333315#M851 MP18 2020-06-13T18:47:45Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/333530#M853 <P><SPAN style="font-family: inherit;"><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;I think you got lost in the train of thought.&nbsp;</SPAN><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138704">@Khai-Huynh</a><SPAN style="font-family: inherit;">&nbsp;is saying that the DNS sinkhole actions are showing up for traffic where the firewall management IP is the source of the DNS queries.&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138704">@Khai-Huynh</a>&nbsp;is hinting that the firewall could be compromised since there should not be a reason for it to source queries to malicious domains. What I am saying here is that this is not a sign of a compromised firewall, since queries to malicious domains may happen when the firewall generates Threat Reports. Some of these threat reports are based on URL Filtering malware category detections (for example), and the firewall will source a DNS query to fill out IP address information in the Threat Reports (that may subsequently get caught in the Anti-Spyware DNS profile).</SPAN></P> Mon, 15 Jun 2020 20:43:26 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/333530#M853 mivaldi 2020-06-15T20:43:26Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/333566#M856 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/34186">@mivaldi</a>,</P><P>That's good ideas. I have a rules for blocked APT with malware url. Threat stopped when i disabled it.</P><P>&nbsp;</P><P>So many thanks</P><P>Khai&nbsp;</P> Tue, 16 Jun 2020 02:06:20 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/spyware-with-dns-protection/m-p/333566#M856 Khai-Huynh 2020-06-16T02:06:20Z