topic Re: Decrypt STARTTLS SMTP protocol but not blocked Virus File in General Topics

Decrypt STARTTLS SMTP protocol but not blocked Virus File

Hogewo — Wed, 31 Jul 2024 04:34:55 GMT

The mail server resides on the network inside PaloAlto.
I am trying to add a feature to use STARTTLS for SMTP/25 from the mail server to the Internet.

I implemented STARTTLS decryption (Forward Proxy) on the PaloAlto and sent an email with Eicar Virus to the Internet via the mail server and it was sent without being blocked.

The PaloAlto threat log shows that the Virus is recognized and the Action shows “reset-both”, but it is not actually blocked.

As a test, I disabled STARTTLS on the mail server, and the mail with Eicar was blocked. (However, this time it was simply TCP RESET, not the 541 code, so we recognize this as a problem as well.)

What do you think is the cause?

Re: Decrypt STARTTLS SMTP protocol but not blocked Virus File

Hogewo — Wed, 31 Jul 2024 04:48:35 GMT

PAN-OS version is 10.2.9-h1 .

Re: Decrypt STARTTLS SMTP protocol but not blocked Virus File

Hogewo — Mon, 30 Sep 2024 00:29:11 GMT

After contacting the PaloAlto Support team, it was determined that this phenomenon is a PAN-OS issue.
At this time, PaloAtlo continues to send SMTP emails using STARTTLS communication even after malware/viruses have been detected.

PaloAlto is currently working on a patch to correct this issue.