https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-to-block-older-versions-of-chrome/m-p/454081#M101424 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/176192">@CGirouard</a>,</P> <P>There's not a technical reason why your idea wouldn't work in theory. Keeping in mind that your triggering off of the User-Agent, and that this can be changed by a user, you would need to create a new vulnerability signature for each user-agent string you would want to actually block. You could use the pattern match to block older major versions, but you wouldn't likely do this down to a maintenance release.&nbsp;</P> <P>&nbsp;</P> <P>As a suggestion, if you manage these endpoints you could use something like AppLocker to block the execution of outdated versions of Chrome very easily through group policy. This would be a lot less overhead and would't be easy to bypass like a User-Agent pattern match signature would be.&nbsp;</P> Fri, 17 Dec 2021 22:50:57 GMT BPry 2021-12-17T22:50:57Z https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-to-block-older-versions-of-chrome/m-p/453939#M101403 <P>After reviewing this KB article:&nbsp;</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSOCA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSOCA0</A></P><P>&nbsp;</P><P>It looks like you can create custom vulnerability signatures for named browsers.&nbsp;</P><P>&nbsp;</P><P>Could you also do that to limit browser access via a security policy based on a minimum version number?</P><P>&nbsp;</P><P>For example: create a vulnerability signature that identify any traffic via Chrome where it's version is older than v96.&nbsp;</P><P>&nbsp;</P><P>Also, for this to be effective, we'd to enable SSL decryption since the agent string is encrypted, correct?</P> Fri, 17 Dec 2021 14:21:11 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-to-block-older-versions-of-chrome/m-p/453939#M101403 CGirouard 2021-12-17T14:21:11Z https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-to-block-older-versions-of-chrome/m-p/454081#M101424 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/176192">@CGirouard</a>,</P> <P>There's not a technical reason why your idea wouldn't work in theory. Keeping in mind that your triggering off of the User-Agent, and that this can be changed by a user, you would need to create a new vulnerability signature for each user-agent string you would want to actually block. You could use the pattern match to block older major versions, but you wouldn't likely do this down to a maintenance release.&nbsp;</P> <P>&nbsp;</P> <P>As a suggestion, if you manage these endpoints you could use something like AppLocker to block the execution of outdated versions of Chrome very easily through group policy. This would be a lot less overhead and would't be easy to bypass like a User-Agent pattern match signature would be.&nbsp;</P> Fri, 17 Dec 2021 22:50:57 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-to-block-older-versions-of-chrome/m-p/454081#M101424 BPry 2021-12-17T22:50:57Z