topic Re: Antivirus Decoder Action in General Topics

Antivirus Decoder Action

mrsoldner — Wed, 24 Sep 2014 22:43:07 GMT

I feel silly asking this - wouldn't you want a deny on any decoder where a virus is detected rather than allowing the traffic and just throwing an alert?

Re: Antivirus Decoder Action

HULK — Wed, 24 Sep 2014 22:58:29 GMT

Hello mrsoldner,

As per my understanding, action is taken based on the different severity level of that virus. If that virus is having typically very little impact /or no impact on an organization's infrastructure. Then the action will be set to "alert".

Thanks

Re: Antivirus Decoder Action

jtyler — Wed, 24 Sep 2014 23:06:25 GMT

Setting a block for viruses on smtp will cause the originating server to keep trying to relay the email until a timeout occurs. This could potentially cause a lot of unwanted traffic pointed at your smtp server that is getting blocked over and over by the firewall. That may still be preferred to allowing a virus in via smtp, but it's just something to be aware of.

Re: Antivirus Decoder Action

HULK — Wed, 24 Sep 2014 23:17:57 GMT

Hello jtyler,

It's a good example.

Thanks

Re: Antivirus Decoder Action

mrsoldner — Wed, 24 Sep 2014 23:26:55 GMT

Is there somewhere that Virus severity is noted?

Re: Antivirus Decoder Action

mrsoldner — Wed, 24 Sep 2014 23:53:20 GMT

jtyler wrote:

Good point, I did some digging and found this: Threat Prevention Deployment Tech Note

It looks like some intelligence is built in for SMTP and will send back a 541 response so that the other side doesn't keep resending the email. POP and IMAP however don't have any intelligence built in. So, per the doc:

Note: The reason why SMTP, POP3 and IMAP have the default action set to ALERT is because in most cases there is

already a dedicated Antivirus gateway solution in place for these protocols. Specifically for POP3 and IMAP, it is not

possible to clean files or properly terminate an infected file-transfer in-stream without affecting the entire session.

This is due to shortcomings in these protocols to deal with this kind of situation.

Thanks for the help. I think we'll stick with the defaults for now and potentially ratchet up SMTP.

Re: Antivirus Decoder Action

hshah — Thu, 25 Sep 2014 00:25:43 GMT

Hello Mrsoldner,

Every virus signature has different severity. You can find that information from following link. Select type as a "virus".

https://threatvault.paloaltonetworks.com/

You need to feed either virus name or ID.

Regards,

Hardik Shah

Re: Antivirus Decoder Action

mrsold — Fri, 26 Sep 2014 16:52:17 GMT

hshah wrote:

Hello Mrsoldner,

Every virus signature has different severity. You can find that information from following link. Select type as a "virus".

https://threatvault.paloaltonetworks.com/

You need to feed either virus name or ID.

Regards,

Hardik Shah

Thanks hshah - I've never seen a severity included with a virus though which is why I'm puzzled. For example:

ID: 3088393

The threat vault just calls it a virus. It came in via SMTP (which by default, the action is alert) however in the logs it shows it was blocked.

Just making sure I fully understand.

Re: Antivirus Decoder Action

hshah — Fri, 26 Sep 2014 17:08:24 GMT

Hello Mrsold,

My bad, its vulnerability which has sev not anti-virus. Thanks for correcting me.

Regards,

Hardik Shah

Re: Antivirus Decoder Action

mrsold — Fri, 26 Sep 2014 17:12:44 GMT

HULK wrote:

Hello mrsoldner,

Thanks

HULK could you clarify? My antivirus decoder for SMTP is set to "alert" for WildFire and Threat however I am seeing Virus blocks for SMTP traffic.

Re: Antivirus Decoder Action

Retired Member — Fri, 26 Sep 2014 21:46:49 GMT

you use alert profile but you see block logs ? that is interesting.

Re: Antivirus Decoder Action

pulukas — Sat, 27 Sep 2014 11:59:25 GMT

Another reason the action may be set to alarm rather than deny as the default action is the possibility of false positives. Palo Alto is pretty good about only setting drop/reset actions to signatures are have virtually no false positives. You don't want to be blocking too many legitimate sessions.

The alarm option then can give you a report on suspects that can be researched and confirmed. If you subsequently find that virtually all the alarms are real then you have the option to change the action to a deny/reset instead of alarm.

Re: Antivirus Decoder Action

mrsoldner — Mon, 29 Sep 2014 12:19:03 GMT

panos wrote:

you use alert profile but you see block logs ? that is interesting.

Yeah, very interesting indeed. I need to do some more digging...

Re: Antivirus Decoder Action

mrsoldner — Mon, 29 Sep 2014 13:34:06 GMT

Yeah panos and HULK - Interesting indeed:

Av Profile:

Re: Antivirus Decoder Action

mrsoldner — Mon, 29 Sep 2014 22:25:44 GMT

So, If i'm reading this right - the attachment was blocked but the email allowed?

Re: Antivirus Decoder Action

dmaynard — Tue, 21 Oct 2014 15:39:38 GMT

Hello mrsoldner,

I was able to confirm couple of things.

- mrsoldner hitting Bug# 57763

- workaround is to define explicit "alert" instead of "default(alert)" for WF Action

- permanent fix is in PanOS 5.0.10

Regards,

David

Re: Antivirus Decoder Action

mr.linus — Tue, 31 Mar 2015 14:04:23 GMT

Hey

Some more information on why default action is set to alert for POP3, IMAP and SMTP instead of block.

* POP3/IMAP + block -> A virus mail will be blocked. BUT: You can not get a new email from this server until the virus email is deleted from the server. Because the whole POP3 session will be dropped each time you retry to retrieve you emails, since emails are not send separately with this protocol.

* SMTP + block -> An SMTP 541 error message will be sent as part of the block action when a virus is detected. This will tell the mail server not to retry sending the message, allowing the firewall to drop the mail without the mail server trying to resend it. So I don't realy see why the default action would be just alert. I guess some smtp servers will not listen to these 541 error messages and keep resending the email...