https://live.paloaltonetworks.com/t5/general-topics/zeroaccess-gen/m-p/47370#M34825 <HTML><HEAD></HEAD><BODY><P>Don't forget to check the enable box.&nbsp; The other approach is overriding the default actions globally in the policy for critical events.</P><P></P><P><IMG alt="Capture-test-policy.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5853_Capture-test-policy.JPG" width="450" /></P><P>Either approach will work but the prior approach (mbutt's) is a more cautious and controlled one. Just keep an eye on critical and high events and decide if you are happy with the default action being taken.</P></BODY></HTML> Sun, 03 Mar 2013 19:17:59 GMT HITSSEC 2013-03-03T19:17:59Z https://live.paloaltonetworks.com/t5/general-topics/zeroaccess-gen/m-p/47368#M34823 <HTML><HEAD></HEAD><BODY><P>Our threat monitor shows a lot of ZeroAccess.Gen Command and Control traffic, type spyware.&nbsp; The default threat action is to alert.&nbsp; I want to either block or drop.&nbsp; What is the best way to block traffic for a specific threat signature but to use defaults on all others with the same severity?&nbsp; </P><P></P><P>The threat signature categorizes zeroaccess.gen, id 13235, as botnet.&nbsp; Are threat signatures used as part of the behavioral analysis in determining probable botnets?&nbsp; I don't see any correlation between destination IP addresses in the threat log and in the botnet report.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 28 Feb 2013 18:05:09 GMT https://live.paloaltonetworks.com/t5/general-topics/zeroaccess-gen/m-p/47368#M34823 oshcomp 2013-02-28T18:05:09Z https://live.paloaltonetworks.com/t5/general-topics/zeroaccess-gen/m-p/47369#M34824 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P>You can create an exception in you Anti Spyware profiles to block this threat instead of alerting it.</P><P></P><P><IMG alt="exception.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5789_exception.JPG" width="450" /></P><P></P><P>Let us know if this resolves your issue.</P><P></P><P>Thank you</P></BODY></HTML> Thu, 28 Feb 2013 21:50:53 GMT https://live.paloaltonetworks.com/t5/general-topics/zeroaccess-gen/m-p/47369#M34824 mbutt 2013-02-28T21:50:53Z https://live.paloaltonetworks.com/t5/general-topics/zeroaccess-gen/m-p/47370#M34825 <HTML><HEAD></HEAD><BODY><P>Don't forget to check the enable box.&nbsp; The other approach is overriding the default actions globally in the policy for critical events.</P><P></P><P><IMG alt="Capture-test-policy.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/5853_Capture-test-policy.JPG" width="450" /></P><P>Either approach will work but the prior approach (mbutt's) is a more cautious and controlled one. Just keep an eye on critical and high events and decide if you are happy with the default action being taken.</P></BODY></HTML> Sun, 03 Mar 2013 19:17:59 GMT https://live.paloaltonetworks.com/t5/general-topics/zeroaccess-gen/m-p/47370#M34825 HITSSEC 2013-03-03T19:17:59Z https://live.paloaltonetworks.com/t5/general-topics/zeroaccess-gen/m-p/47371#M34826 <HTML><HEAD></HEAD><BODY><P>Creating an exception for the specific threat seems to work.&nbsp; I am cautious about overriding the defaults for all critical threats.</P><P></P><P>I am considering a third option.&nbsp; I created a rule with a "Threat name" containing the string of the threat and an action of block.&nbsp; A second rule would use specify the default action for everything else.&nbsp; (My example says "alert" and not default.&nbsp; But that is just for testing.)&nbsp; My hope is that the rules will be processed in order.&nbsp; All ZeroAcess.Gen will be blocked.&nbsp; All other threats should use the default action. </P><P></P><P>Comments?</P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/5879_pastedImage_0.png" style="width: 918px; height: 636px;" /></P></BODY></HTML> Mon, 04 Mar 2013 15:59:43 GMT https://live.paloaltonetworks.com/t5/general-topics/zeroaccess-gen/m-p/47371#M34826 oshcomp 2013-03-04T15:59:43Z https://live.paloaltonetworks.com/t5/general-topics/zeroaccess-gen/m-p/47372#M34827 <HTML><HEAD></HEAD><BODY><P>That would work also.&nbsp; I think either approach accomplishes the end result.&nbsp; My understanding is that it is processed in order top down like firewall rules.&nbsp; The exception in 4.1 is fileblocking profiles. <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-2858">https://live.paloaltonetworks.com/docs/DOC-2858</A> as a heads up if you go there.</P><P></P><P>Phil</P></BODY></HTML> Mon, 04 Mar 2013 17:51:08 GMT https://live.paloaltonetworks.com/t5/general-topics/zeroaccess-gen/m-p/47372#M34827 HITSSEC 2013-03-04T17:51:08Z