https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38615#M28286 <HTML><HEAD></HEAD><BODY><P>Hi tettema,</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote" modifiedtitle="true"> <P>... Anything the firewall blocks should be blocked consistently. ..</P> </PRE><P>Hope so. But apparently this happens not in all cases.</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote" modifiedtitle="true"> <P>If you are using a browser, it is possible that the browser is caching data and reserving it to you.&nbsp; </P> </PRE><P>I used a browser, but the "pdf"-file was surely not in the browsercache.</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote" modifiedtitle="true"> <P>Are you using a block action or a continue action in your AV profile?&nbsp; Which ones specifically are you seeing this behavior with, and can you describe the sequence of actions in detail?</P> </PRE><P>Please take a look at our AV-profile. There is no "continue". </P><P><IMG alt="av1.jpg" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/3775_av1.jpg" width="450" /></P><P>Sorry, there is no more detail. I simply clicking on the pdf link&nbsp; <A href="http://www.faerber.fidelitas.de/virtst/eicar.pdf" title="http://www.faerber.fidelitas.de/virtst/eicar.pdf">http://www.faerber.fidelitas.de/virtst/eicar.pdf</A> and see sometimes my firewall warning "blocking a dangerous site", and some other times "Fehler beim Laden des PDF-Dokumentes" (english translation: "Error while loading the PDF file"), because it is not really a pdf file.</P><P></P><P>regards</P><P>Manfred</P></BODY></HTML> Tue, 14 Aug 2012 20:31:27 GMT mhuels 2012-08-14T20:31:27Z https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38613#M28284 <HTML><HEAD></HEAD><BODY><P>On the website <A href="http://www.faerber.fidelitas.de/eicar1.htm" title="http://www.faerber.fidelitas.de/eicar1.htm"> EICAT TESTVIRUS </A>resides a lot of different kinds of eicar. Most of them will not be recognized by the Palo Alto Networks AV-Engine. The behaviour of the firewall is thereby a bit confusing. It seems: if you click on the links more then one time, you can download the virus on the second or third instance. Especially the PDF-Eicar often downloads on the second click.</P><P></P><P>We are driving PAN OS 4.0.7</P><P></P><P>greets</P><P>Manfred</P></BODY></HTML> Tue, 14 Aug 2012 15:08:47 GMT https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38613#M28284 mhuels 2012-08-14T15:08:47Z https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38614#M28285 <HTML><HEAD></HEAD><BODY><P>Hi Manfred,</P><P></P><P>I'd like to understand the test setup a little more.&nbsp; Anything the firewall blocks should be blocked consistently.&nbsp; If you are using a browser, it is possible that the browser is caching data and reserving it to you.&nbsp; Are you using a block action or a continue action in your AV profile?&nbsp; Which ones specifically are you seeing this behavior with, and can you describe the sequence of actions in detail?</P></BODY></HTML> Tue, 14 Aug 2012 20:11:56 GMT https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38614#M28285 tettema 2012-08-14T20:11:56Z https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38615#M28286 <HTML><HEAD></HEAD><BODY><P>Hi tettema,</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote" modifiedtitle="true"> <P>... Anything the firewall blocks should be blocked consistently. ..</P> </PRE><P>Hope so. But apparently this happens not in all cases.</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote" modifiedtitle="true"> <P>If you are using a browser, it is possible that the browser is caching data and reserving it to you.&nbsp; </P> </PRE><P>I used a browser, but the "pdf"-file was surely not in the browsercache.</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote" modifiedtitle="true"> <P>Are you using a block action or a continue action in your AV profile?&nbsp; Which ones specifically are you seeing this behavior with, and can you describe the sequence of actions in detail?</P> </PRE><P>Please take a look at our AV-profile. There is no "continue". </P><P><IMG alt="av1.jpg" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/3775_av1.jpg" width="450" /></P><P>Sorry, there is no more detail. I simply clicking on the pdf link&nbsp; <A href="http://www.faerber.fidelitas.de/virtst/eicar.pdf" title="http://www.faerber.fidelitas.de/virtst/eicar.pdf">http://www.faerber.fidelitas.de/virtst/eicar.pdf</A> and see sometimes my firewall warning "blocking a dangerous site", and some other times "Fehler beim Laden des PDF-Dokumentes" (english translation: "Error while loading the PDF file"), because it is not really a pdf file.</P><P></P><P>regards</P><P>Manfred</P></BODY></HTML> Tue, 14 Aug 2012 20:31:27 GMT https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38615#M28286 mhuels 2012-08-14T20:31:27Z https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38616#M28287 <HTML><HEAD></HEAD><BODY><P>Manfred,</P><P></P><P>I tried that link on one of our PAN 500 running version: 4.0.3</P><TABLE border="0" cellpadding="0" cellspacing="0" class="dashboard" id="TableGeneralInformation" width="340"><TBODY id="BodyGeneralInformation"><TR><TD align="left" class="dashboard_left_align_right">Application version</TD><TD align="left" class="dashboard">319-1453 (2012/07/17)</TD><TD></TD></TR><TR><TD align="left" class="dashboard_left_alternate_align_right">Threat version</TD><TD align="left" class="dashboard_alternate">319-1453 (2012/07/17)</TD><TD></TD></TR><TR><TD align="left" class="dashboard_left_align_right">Antivirus version</TD><TD align="left" class="dashboard">812-1116 (2012/08/09)</TD><TD></TD></TR><TR><TD align="left" class="dashboard_left_alternate_align_right">URL Filtering version</TD><TD align="left" class="dashboard_alternate">3922</TD></TR></TBODY></TABLE><P>And it's working fine every time, have you setup any custom warning pages or are they out of the box default? Looks like a bug to me if the config is 100%.</P><P></P><P>The tested config is running a very simple rulebase (small) and it's only using below throughput and CPU/Mem at the time of testing. The segment if going through a VWire.</P><P></P><P>MGM CPU: 7%</P><P>Data Plane CPU: 5%<BR />Device is up&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 139 days 11 hours 20 mins 52 sec</P><P>Packet rate&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 295/s</P><P>Throughput&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1434 Kbps</P><P>Total active sessions : 358</P><P>Active TCP sessions&nbsp;&nbsp; : 323</P><P>Active UDP sessions&nbsp;&nbsp; : 35</P><P>Active ICMP sessions&nbsp; : 0</P><P></P><P>Out of interest is this blocked on the way back from the download point or when the client tries to access the pdf?</P></BODY></HTML> Wed, 15 Aug 2012 07:31:21 GMT https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38616#M28287 Ante 2012-08-15T07:31:21Z https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38617#M28288 <HTML><HEAD></HEAD><BODY><P>Hi sec sec,</P><P>our working firewall is a bit more used</P><P>Device is up&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0 day 13 hours 47 mins 18 sec</P><P>Packet rate&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 4144/s</P><P>Throughput&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 20701 Kbps</P><P>Total active sessions : 7915</P><P>Active TCP sessions&nbsp;&nbsp; : 7104</P><P>Active UDP sessions&nbsp;&nbsp; : 781</P><P>Active ICMP sessions&nbsp; : 16</P><P></P><P>Our block page is customized, but in a very simple way. </P><P></P><P>I suspect that there is a performance problem by blocking "dangerous" content. If the firewall dont has the time to block the first bytes, it will block in the course of the http session (which could be build by more than one tcp sessions). And so, a small part of the pdf file will reach the client, leading to an error message of the browser plugin. Assuming that the firewall cannot buffer a lot of bytes, it seems to be possible that the firewall recognize dangerous content after starting to deliver the content. But then it would be imho more correct to sending the block page instead of simply blocking the further content.</P><P>Anyway, since we upgraded to 4.1.7, the problem seems to be mitigated or dead. I will continue with testing during the next days.</P><P></P><P>regards</P><P>Manfred</P></BODY></HTML> Wed, 15 Aug 2012 09:41:41 GMT https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38617#M28288 mhuels 2012-08-15T09:41:41Z https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38618#M28289 <HTML><HEAD></HEAD><BODY><P>I have noticed the same behaviour on 2050 and older PANOS (pre 4.1).</P><P></P><P>Sometimes the bad packet was let through with a following rst which depending on browser could mean that the browser would render whatever it got so far (internet explorer did this of course <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P><P></P><P>Also you should verify so you have ssl termination activated otherwise the https downloads will bypass your PA's AV/IPS functions.</P></BODY></HTML> Mon, 20 Aug 2012 22:58:56 GMT https://live.paloaltonetworks.com/t5/general-topics/eicar-testvirus-will-not-be-recognized/m-p/38618#M28289 mikand 2012-08-20T22:58:56Z