<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Malware Site blocking: 94.102.55.20 in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/malware-site-blocking-94-102-55-20/m-p/25717#M18745</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello forum,&lt;/P&gt;&lt;P&gt;I am seeing traffic to a particular IP address from one computer that I know has been infected with a virus (we're busy getting rid of it). The connection is SSL and we are about to implement SSL decryption on our Palo, just not this second. The hoster of the IP address is Ecatel, who are synonymous with malware. We have a valid license for threat, URL and AV, which is up to date on the box. I am wondering why it's not being blocked as dangerous even though our security profiles are basically set to block anything 'medium' and higher. Because it's SSL it's not being categorised, which isn't helpful. Is that the reason why it's not being stopped? Brightcloud lists it as unsafe. Any ideas of how to get a block on this that is more dynamic than just that one IP address (which might change) would be great.&lt;/P&gt;&lt;P&gt;Destination is 94.102.55.20&lt;/P&gt;&lt;P&gt;Can post more info if you need.&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;NC&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 04 Oct 2012 11:06:21 GMT</pubDate>
    <dc:creator>Conde01</dc:creator>
    <dc:date>2012-10-04T11:06:21Z</dc:date>
    <item>
      <title>Malware Site blocking: 94.102.55.20</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/malware-site-blocking-94-102-55-20/m-p/25717#M18745</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello forum,&lt;/P&gt;&lt;P&gt;I am seeing traffic to a particular IP address from one computer that I know has been infected with a virus (we're busy getting rid of it). The connection is SSL and we are about to implement SSL decryption on our Palo, just not this second. The hoster of the IP address is Ecatel, who are synonymous with malware. We have a valid license for threat, URL and AV, which is up to date on the box. I am wondering why it's not being blocked as dangerous even though our security profiles are basically set to block anything 'medium' and higher. Because it's SSL it's not being categorised, which isn't helpful. Is that the reason why it's not being stopped? Brightcloud lists it as unsafe. Any ideas of how to get a block on this that is more dynamic than just that one IP address (which might change) would be great.&lt;/P&gt;&lt;P&gt;Destination is 94.102.55.20&lt;/P&gt;&lt;P&gt;Can post more info if you need.&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;NC&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 04 Oct 2012 11:06:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/malware-site-blocking-94-102-55-20/m-p/25717#M18745</guid>
      <dc:creator>Conde01</dc:creator>
      <dc:date>2012-10-04T11:06:21Z</dc:date>
    </item>
    <item>
      <title>Re: Malware Site blocking: 94.102.55.20</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/malware-site-blocking-94-102-55-20/m-p/25718#M18746</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi NC,&lt;/P&gt;&lt;P&gt;If you think the firewall did not capture a valid threat, you can submit a pcap from the client PC and the related traffic logs by opening a support ticket, and we can hand it over to the threat team for validation.&lt;/P&gt;&lt;P&gt;Also, in the ticket description, please give a brief description of the threat.&lt;/P&gt;&lt;P&gt;Here is the document on how to collect the data (the threat log details collection in the doc below would not apply in your case):&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/docs/DOC-2769"&gt;https://live.paloaltonetworks.com/docs/DOC-2769&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Parth&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 04 Oct 2012 18:20:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/malware-site-blocking-94-102-55-20/m-p/25718#M18746</guid>
      <dc:creator>ppatel</dc:creator>
      <dc:date>2012-10-04T18:20:48Z</dc:date>
    </item>
    <item>
      <title>Re: Malware Site blocking: 94.102.55.20</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/malware-site-blocking-94-102-55-20/m-p/25719#M18747</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You said that this is an SSL site. How are you trying to block this? Are you using URL filtering to block the malware-sites category? If that is the case, then we should be blocking it based on the SSL certificate common name. I also see that you are using the antivirus profiles to block this virus; in that case you have to go for the SSL decryption option. Please share some information on what the website URL is and how you are trying to block this (antivirus or URL filtering).&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Sandeep&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 04 Oct 2012 19:06:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/malware-site-blocking-94-102-55-20/m-p/25719#M18747</guid>
      <dc:creator>sdurga</dc:creator>
      <dc:date>2012-10-04T19:06:30Z</dc:date>
    </item>
  </channel>
</rss>