topic Re: Blocking & AV in General Topics

Blocking & AV

fmd — Mon, 05 Dec 2011 17:27:46 GMT

Hi - we current;y have our PA4050s in aleret mode only on every rule for AV. If we device to turn this to Block for specific rules - what does this actually do if it identifies a virus? Cheers.

Re: Blocking & AV

jhickey — Mon, 05 Dec 2011 17:50:16 GMT

If it's a download, the transmission will be blocked and the user will see the block page which you can customize.

The box can also block virus data. In other words data farmed by viruses and sent to the web or to other machines. This will be blocked too but the user will not see anything.

Re: Blocking & AV

rmonvon — Mon, 05 Dec 2011 22:37:38 GMT

If you choose the 'default' AV profile, we will block the content when a virus is detected. We will continue to alert for virus detected in SMTP, IMAP, and POP3 because we are not a mail proxy/relay. If the virus is detected over HTTP, then we will serve the AV block page. For other traffi like FTP, then we will reset the connection to prevent the transmission of the virus.

Re: Blocking & AV

fmd — Wed, 07 Dec 2011 16:38:17 GMT

many thanks for your replies. In more detail we have

CLIENT HTTPs <-----> (ssl termination)ASA<-------PALO ALTO--------->HTTP to web server

So:

1. Would the block page get served the end client successfully?

2. All the traffic to the web server comes from the same source IP address on the ASA for all clients - will the Palo Alto understand that?

3. Would this block all traffic from the client (ie. if they started another http session that was clean - would that get through?).

4. So if all traffic comes from a source of the ASA - would a block kill ALL traffic from the ASA to the webserver (as all is coming from the same source IP of the ASA)?

Hopefully someone can help!!

Thanks

Re: Blocking & AV

rmonvon — Wed, 07 Dec 2011 17:44:59 GMT

My comments inline:

1. Would the block page get served the end client successfully?

Yes.

2. All the traffic to the web server comes from the same source IP address on the ASA for all clients - will the Palo Alto understand that?

Yes, the Palo Alto device is stateful and will take action only on the HTTP session where the virus was detected.

3. Would this block all traffic from the client (ie. if they started another http session that was clean - would that get through?).

A new HTTP session will contain new TCP session #, and the Palo Alto will treat it as a new connection. The new connection will be protected but not block unless it contains a malware.

4. So if all traffic comes from a source of the ASA - would a block kill ALL traffic from the ASA to the webserver (as all is coming from the same source IP of the ASA)?

No, the block will affect only that specific HTTP connection while other connections will continue.

Re: Blocking & AV

fmd — Wed, 07 Dec 2011 20:10:04 GMT

rmonvon - many thanks. This clarifies for me - and worked as I had envisaged - only the TCP session in question and not all TCP sessions will be affected (my only worry was that all TCP sessions are from the same source - but you have made it clear that all other TCP sessions would be unaffected!). Thanks again!

Re: Blocking & AV

rmonvon — Wed, 07 Dec 2011 20:37:54 GMT

Farrel...Thank you for being a customer!!

Re: Blocking & AV

fmd — Thu, 02 Feb 2012 17:34:17 GMT

Hi - just ressurecting this one!! We have implimented the block on AV for a specific rule for some browser based traffic and the PA log shows that we have a "deny" for the Eicar test file - but the end user never gets the response page. As stated before we have client connecting over SSL VPN to an ASA - all traffic comes from the source IP of the ASA. The PA then sits in front of the end web server.

Any advice!!?

Re: Blocking & AV

jhickey — Thu, 02 Feb 2012 17:39:24 GMT

Does the user have rights to hit the block page over their VPN connection ? Can they route to it ? Browse to it ?

Re: Blocking & AV

fmd — Fri, 03 Feb 2012 16:05:26 GMT

We've not tested this with no ASA in the way. So we have client-----Palo-----Web server with the same result.

The clients connect to the web server on a non-standard port. The rule is set to block on virus. They connect and authenticate to the page fine - then go to a page which has a "browse" button to load the Eicar file onto the site. The page hangs - but no block page is presented to the client. The PA shows that the Eicar virus was detected and blocked. So end to end it's working - they just never get the block page.

Re: Blocking & AV

rmonvon — Fri, 03 Feb 2012 16:10:30 GMT

Can you test without the VPN tunnel to see if the AV block page is served. Have a user connect thru the PAN firewall and retrieve the eicar file. Thanks.

Re: Blocking & AV

fmd — Fri, 03 Feb 2012 16:27:26 GMT

Hi - as stated in my last post. We've now done this with the same client but they are now sat in the office the Palo Alto is also in the same office - just an internal router hop away - so they are NOT going via the ssl vpn solution and we get the same result. It's would take a bit more effort to get the file onto the web servers to retrive the other way (I don't personally have access to them - and neither does the client who is testing).

Re: Blocking & AV

rmonvon — Fri, 03 Feb 2012 16:57:38 GMT

Can you confirm the traffic is web browsing when the eicar file is retrieved. Make sure the file is served up via HTTP then we can inject the AV block page. Web servers can be configured to serve up files via SMB/NETBIOS instead of HTTP. Thanks.

Re: Blocking & AV

fmd — Mon, 27 Feb 2012 23:15:02 GMT

Hi - just resurrecting this query as it's still outstanding. When I do a wireshark trace on the client and upload the file from my client to the end server - I can see the http 503 page with the "AV blocked" message (from the Palo Alto) being sent from the end server IP back to my client (along the TCP session that the Eicar virus is found in). However, I never see it in the browser.

Re: Blocking & AV

rmonvon — Tue, 28 Feb 2012 04:04:34 GMT

Since you're seeing the 503 AV block page, then the PA device is sending the bloack page as designed. However, it appears you're testing the upload of the virus instead of a download. You should see the AV block page on a download. In an upload (i.e. HTTP POST), you may not see the block page.

Re: Blocking & AV

mikand — Tue, 28 Feb 2012 08:06:46 GMT

Sounds like a browserbug because an HTTP error should be displayed for the client even when using POST wouldnt it?

Re: Blocking & AV

fmd — Tue, 28 Feb 2012 10:38:14 GMT

Thanks for replying! So are we saying that if it's an upload to a website we won't see the Block page! But if it's a download we would?! I've tried this in IE and FF and the same result so it doesn't appear to be down to the browser. It's not my area of expertise but I would have expected a block page to appear regardless of the direction of the file up/down?

Re: Blocking & AV

LCMember2860 — Fri, 02 Mar 2012 12:07:42 GMT

a further question about AV - I applied a profile that had "action=block" for POP3 and IMAP.

whilst the policy does detect the Eicar virus in incoming emails, in the case of POP3 it drops the session when the user tries to download his mail, with no notification to the end-user. Because of the way POP3 works, he then can't receive any further mails until the infected mail is manually removed from his inbox - so the "block" action for POP3 is effectively unusable (IMAP is similarly opaque but at least the end user can delete the offending mail themselves)

Are there any plans to improve this function? - I appreciate the PAN firewall is not a proxy but most other firewalls I've used that offer email AV just strip out the infected attachment allowing the overall POP3 transaction to complete, whereas PAN's implementation breaks the protocol.

Liam

Re: Blocking & AV

rmonvon — Sat, 03 Mar 2012 15:58:58 GMT

Liam...As you described, if we strip the infected attachment in an email, we would need to inject a notice in the email to notify the recipient. Also, we would have to store the infected attachment somewhere so the admin can analyze it, or allow the recipient to overide & download. This would require a lot more resource (disk space, individual user accts, etc) on the PA device. Hence, at this time we do not plan on supporting SMTP proxy.

Thanks.

Re: Blocking & AV

mikand — Sat, 03 Mar 2012 21:48:47 GMT

Will the PAN send a TCP-RST or FIN-ACK when a POP3 msg is detected containing malware?

If not... wouldnt it be possible if the PAN just block the download and when the client restarts it (within the same TCP session) the PAN would just return a "-ERR message infected" or similar so the client can continute with next message (depending on email client used)?

A wellwritten email client would then just continue with the other messages.

http://www.ietf.org/rfc/rfc1939.txt