topic Re: block files with multiple level of compression in General Topics

block files with multiple level of compression

azwicker — Thu, 21 Mar 2013 09:46:05 GMT

I want to block all kind of compressed files with more than the support 2 levels of compressions. Is this possible?

Re: block files with multiple level of compression

mikand — Fri, 22 Mar 2013 21:47:43 GMT

You mean like an arj within a rar within a zip?

Re: block files with multiple level of compression

knarra1 — Fri, 22 Mar 2013 23:18:45 GMT

PAN performs a maximum of 2 levels of decompression

IPS Scanning of Compressed Files

Re: block files with multiple level of compression

azwicker — Wed, 27 Mar 2013 13:25:41 GMT

I know that the pa supports only 2 levels. My question was: Can i block files with more than 2 levels? In a test scenario, a exe file within a multiple zip file was not sent to wildfire.

Re: block files with multiple level of compression

azwicker — Wed, 27 Mar 2013 13:26:27 GMT

Manually unpacking the file und uploading the exe to wildfire revealed a 0day infected file.

Re: block files with multiple level of compression

VinceM — Wed, 27 Mar 2013 13:32:24 GMT

Be uploaded to wildfire only PE files. if more than 2 level of compression, file is seen as zip then no PE then no wildfire 🙂

In my mind not able to block file with more than two level of compression.

Re: block files with multiple level of compression

dyang — Wed, 27 Mar 2013 19:38:23 GMT

Hello,

You cannot block files with more than 2 levels of compression today. If you would like this functionality, please contact your SE to submit a feature request.

Thanks,

Doris

Re: block files with multiple level of compression

jwolach — Tue, 14 May 2013 12:40:31 GMT

So, I just did a test by FTPing a malicious .exe file that was compressed inside of a .ZIP. My Data Filtering log shows the action for the .PE file within the .ZIP as "forward" however, I did not receive anything from the Wildfire Cloud. Also, the Wildfire Portal has no entry for this file being uploaded.

Any insight as to why Wildfire did not receive the file that had the "forward" action?

Thanks,

Jeff

Re: block files with multiple level of compression

ericgearhart — Tue, 14 May 2013 12:44:58 GMT

We have seen the same issue... files that are apparently "forwarded" to WildFire never show up as malicious, even files that we know are malicious.

We have asked Palo Alto for a test .exe that we can send across the network and will always flag as malicious... another malware appliance we have does this exact thing (similar to the EICAR antivirus file you can test AV solutions with)

Re: block files with multiple level of compression

jwolach — Tue, 14 May 2013 12:52:34 GMT

What I do to get malicious files to test with Wildfire, is go to malc0de.com, go to the Tools menu and then click on "Search Malc0de Database". Then I type in .exe in the search window. This will pull up a list of files that are either malicious or at benign but, will actually trigger Wildfire actions on the PANW. I download that files to my Macbook so, they will not infect my machine. So far, so good for exercising Wildfire actions and the portal.

Re: block files with multiple level of compression

ericgearhart — Tue, 14 May 2013 13:17:31 GMT

Thanks for the tip! We actually had people from PA here yesterday and they weren't aware of your method

Re: block files with multiple level of compression

jwolach — Tue, 14 May 2013 13:47:16 GMT

I can't take full credit, I actually learned about malc0de.com from our local PAN SE. 🙂 I hope it works out for you.