topic Re: PA File Detection seems not working right in General Topics

PA File Detection seems not working right

mhuels — Wed, 08 Jun 2011 14:42:49 GMT

PA claims to detect several DOS and Windows executable filetypes. The following filetypes are partially not really executables, but i am wondering that PA ignores (do not show any log) the types totally. (Nevertheless some of the filetypes are potentially really harmfull).

I found the following behaviour of our Palo Alto Firewall (we tested with mail-attachements)

Filetype	Palo Alto Detection
tlb	no detection
sys	no detection
wsc	no detection
bin	no detection
vxd	no detection
exe	ok
scf	no detection
cmd	detection only with file ending ".cmd"
drv	ok
com	ok
cpl	ok
vbs	no detection
scr	ok
dll	ok
ocx	ok
reg	no detection

Re: PA File Detection seems not working right

dyang — Wed, 08 Jun 2011 20:40:21 GMT

Hello,

I'm assuming you're referring to the file types that we can block via file filtering, correct? You can find the full list of supported file type signatures here:

https://live.paloaltonetworks.com/docs/DOC-1783

If there is a file type that you'd like to see added, please contact your SE and have them file an enhancement.

Thanks,

Doris

Re: PA File Detection seems not working right

mhuels — Thu, 09 Jun 2011 12:13:53 GMT

Hi Doris,

PA explicitely declares that they are able to detect the file type "sys" or "reg". But it does not detect this file types, if they are in a mail attachment. Additionally, it should be possible to detect filetypes like "vxd", if PA tries to keep their customer free from potentially harmfull files. Third, it is not a good work, if the PA detects the file type "cmd" only, if the file name ends with ".cmd".

regards

Manfred

Re: PA File Detection seems not working right

mhuels — Thu, 09 Jun 2011 12:39:04 GMT

Possibly it would be better to log all the unknown files as "unknown files" than to conceal it.

Re: PA File Detection seems not working right

dyang — Fri, 10 Jun 2011 00:33:45 GMT

Hi Manfred,

When attempting to detect .sys and .reg files in a mail attachment, did you also have an SSL policy setup to decrypt the traffic? Or are you testing all file types in the same manner and only .sys and .reg files were not being properly detected?

Generally speaking, our file signatures are based on the unique characteristics of each file, not just on the file extension itself. If you're experiencing an issue with .cmd files, please open a support case so we can investigate further.

--Doris

Re: PA File Detection seems not working right

mhuels — Fri, 10 Jun 2011 11:11:10 GMT

Hi Doris,

we tested all the mail attachements with one rule. So in this kind of "file blocking" rule, all executables (so called PE files in PA speek = PE -Microsoft Windows Portable Executable (exe, dll, com, scr, ocx, cpl, sys, drv, tlb)) should be detected. The mails were not encrypted, least of all not with SSL. The communication port was tcp 25 = normal emailexchange between a german freemailer and our mailserver. PA detects correctly the application "smtp" in this data exchange. Exe, dll, com, scr, ocx, cpl, drv were detected correctly, sys and tlb were not detected.

The relating rule simple says: alert all data files - please look at the attached gif. So a reg or a cmd file should be detected too. But the reg files was detected never, and the cmd file was only detected, if the filename ends with "*.cmd".

What makes me very unhappy is, that there is no file logging, although we haved attached some files at an email. In my humble opinion is an attachement very easy to detect, so why did i got no log entry?

The PA art of security seems not to be sufficiently in another point of email communication. If i send an email with javascript in his data body, there is no method in PA to detect and block this code (i tried several data patterns in file blocking or data filtering rules and self designed applications or vulnerabilities). Other security engines like mcafee/webwasher or finjan are able to block such code.

Manfred

Re: PA File Detection seems not working right

dyang — Tue, 21 Jun 2011 00:50:54 GMT

Hi Manfred,

Apologies for the delay. As it turns out, you are correct - our .cmd signature is based on file extension only, as there was no other way for us to create one based on other patterns. As for your issues with .reg files, these should be detected properly. Can you comment on what content and PAN-OS version you're using?

--Doris

Re: PA File Detection seems not working right

mhuels — Wed, 22 Jun 2011 16:21:13 GMT

Hi Doris,

we are updating our PAN application knowledgecontent allways shortly after it will be delivered. So the phenome occurs on all content, i guess (if i do understand your question correctly). Our OS is 3.1.8 and will be updated to 4.0.3 next week.

ciao

Manni

Re: PA File Detection seems not working right

dyang — Wed, 22 Jun 2011 18:26:19 GMT

Thanks for your continued patience, Manni. I'll see what I can find.

Re: PA File Detection seems not working right

dyang — Thu, 23 Jun 2011 01:40:53 GMT

Manni,

There shouldn't be a problem with 3.1.8. Can you open a support ticket and include a PCAP and/or a sample of the file in question so we can take a closer look?

--Doris