https://live.paloaltonetworks.com/t5/general-topics/dns-spyware-vulnerabilities-why-aren-t-the-fqdns-in-malware/m-p/42927#M31508 <HTML><HEAD></HEAD><BODY><P>Hello Networkadmin,</P><P></P><P>I do understand your query <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P>The PAN-DB classification engine is based on machine learning, so we can and are constantly tweaking the individual category models to improve.&nbsp; In regards to URLs that are categorized as spyware, this is usually due to the fact that WildFire has detected malicious activity to/from this domain. Hence, we keep updating our database based on the wildfire result too. </P><P></P><P>A related discussion for your reference: <A href="https://live.paloaltonetworks.com/thread/12348">Suspicious DNS Query ad nauseam</A></P><P></P><P>Thanks</P></BODY></HTML> Tue, 27 Jan 2015 17:38:28 GMT HULK 2015-01-27T17:38:28Z https://live.paloaltonetworks.com/t5/general-topics/dns-spyware-vulnerabilities-why-aren-t-the-fqdns-in-malware/m-p/42924#M31505 <HTML><HEAD></HEAD><BODY><P>Today I switched on the "strict" Spyware anti-spyware policy on my outbound Domain Controller DNS policy - I'm seeing a lot (I mean a lot) of requests blocked for things like advertising networks.</P><P></P><P>Here are 3 DNS queries that were blocked, and they're indicative as I've picked them at random:</P><P></P><P class="p1"><SPAN class="s1">d.audienceiq.com</SPAN></P><P class="p2"><SPAN class="s1"></SPAN></P><P class="p3"><SPAN class="s1"></SPAN></P><P class="p4"><SPAN class="s1">d.p-td.com</SPAN></P><P class="p4"><SPAN class="s1">p.adsymptotic.com</SPAN></P><P class="p4"><SPAN class="s1"><BR /></SPAN></P><P class="p4"><SPAN class="s1">Those flag as spyware domains.</SPAN></P><P class="p4"><SPAN class="s1"><BR /></SPAN></P><P class="p4"><SPAN class="s1">So how come when I do a URL filtering query (using PAN-DB) on those domains that they show as Business &amp; Economy, Financial, and Computer and Internet Info?</SPAN></P><P class="p4"><SPAN class="s1"><BR /></SPAN></P><P class="p4"><SPAN class="s1">They don't show as adverts or malware or anything like that.<BR /></SPAN></P><P class="p4"><SPAN class="s1"><BR /></SPAN></P><P class="p4"><SPAN class="s1">Surely if someone has put them into the vulnerability database they should be in the URL database under a "bad" category shouldn't they?</SPAN></P><P class="p4"><SPAN class="s1"><BR /></SPAN></P><P class="p4"><SPAN class="s1">Does anyone have any suggestions please? <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /><BR /></SPAN></P></BODY></HTML> Tue, 27 Jan 2015 17:14:20 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-spyware-vulnerabilities-why-aren-t-the-fqdns-in-malware/m-p/42924#M31505 networkadmin 2015-01-27T17:14:20Z https://live.paloaltonetworks.com/t5/general-topics/dns-spyware-vulnerabilities-why-aren-t-the-fqdns-in-malware/m-p/42925#M31506 <HTML><HEAD></HEAD><BODY><P>Hello Networkadmin,</P><P></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13px;">In the event that a URL has been mis-categorized, a change request can be submitted in one of two ways: Please follow the KB doc mentioned below.</SPAN></P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3625">How to Submit a Mis-Categorized URL for PAN-DB</A></P><P></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 27 Jan 2015 17:18:50 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-spyware-vulnerabilities-why-aren-t-the-fqdns-in-malware/m-p/42925#M31506 HULK 2015-01-27T17:18:50Z https://live.paloaltonetworks.com/t5/general-topics/dns-spyware-vulnerabilities-why-aren-t-the-fqdns-in-malware/m-p/42926#M31507 <HTML><HEAD></HEAD><BODY><P>Hulk, thanks and I get that I can do that, but I think the point for Palo Alto here is that <EM><STRONG>I don't know</STRONG></EM> if it's a good URL or a bad URL and Palo Alto are contradicting themselves with their behaviour IMO.</P><P></P><UL><LI><SPAN class="s1" style="font-weight: inherit; font-style: inherit; font-family: inherit;">d.audienceiq.com</SPAN></LI><LI><SPAN class="s1" style="font-weight: inherit; font-style: inherit; font-family: inherit;">d.p-td.com</SPAN></LI><LI><SPAN class="s1" style="font-weight: inherit; font-style: inherit; font-family: inherit;">p.adsymptotic.com</SPAN></LI></UL><P></P><P>How am I supposed to know what those are? :smileylaugh:</P><P></P><P>Palo Alto must <EM>know</EM> it's bad else why is it in the vulnerability database as suspicious/spyware - someone at Palo Alto must have updated the database?</P><P></P><P>So if it's known bad why would it <EM>not</EM> be listed in a suitable category for URL filtering automatically?</P><P></P><P>You see what I'm saying hopefully? <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Tue, 27 Jan 2015 17:25:01 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-spyware-vulnerabilities-why-aren-t-the-fqdns-in-malware/m-p/42926#M31507 networkadmin 2015-01-27T17:25:01Z https://live.paloaltonetworks.com/t5/general-topics/dns-spyware-vulnerabilities-why-aren-t-the-fqdns-in-malware/m-p/42927#M31508 <HTML><HEAD></HEAD><BODY><P>Hello Networkadmin,</P><P></P><P>I do understand your query <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P>The PAN-DB classification engine is based on machine learning, so we can and are constantly tweaking the individual category models to improve.&nbsp; In regards to URLs that are categorized as spyware, this is usually due to the fact that WildFire has detected malicious activity to/from this domain. Hence, we keep updating our database based on the wildfire result too. </P><P></P><P>A related discussion for your reference: <A href="https://live.paloaltonetworks.com/thread/12348">Suspicious DNS Query ad nauseam</A></P><P></P><P>Thanks</P></BODY></HTML> Tue, 27 Jan 2015 17:38:28 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-spyware-vulnerabilities-why-aren-t-the-fqdns-in-malware/m-p/42927#M31508 HULK 2015-01-27T17:38:28Z