topic Threat prevention in General Topics

Threat prevention

jdprovine — Tue, 09 Jun 2015 12:57:38 GMT

I have downloaded and installed the threat prevention license, configured daily download of antivirus and the other downloads, created security profiles and added them to my security profiles. Everything is working except for the antivirus, its downloading and installing the definitions every day but I am not getting any information in my threat monitor for antivirus. I don't think I missed anything but let me know if anyone has any ideas.

Re: Threat prevention

_slv_ — Tue, 09 Jun 2015 14:24:12 GMT

You can test Your config by Eicar test AV http://www.eicar.org/86-0-Intended-use.html

Regards

SLawek

Re: Threat prevention

jdprovine — Tue, 09 Jun 2015 14:27:24 GMT

It collecting maleware and vulnerability data just fine it the antivirus portion of the threat prevention that isn't showing anything I don't think the link you gave me will help me to assure that my antivirus configuration is correct and working.

Re: Threat prevention

_slv_ — Tue, 09 Jun 2015 15:41:28 GMT

Opps - dorry for misunderstanding.

What about Monitor>System logs close to time when update of AV definition should be picked up?

Did You try to manually upload AV update?

What version of PAN are You using?

Please share with us screenshot of Dynamic Update

Ragards

Slawek

Re: Threat prevention

jdprovine — Tue, 09 Jun 2015 15:45:16 GMT

My PA version is 6.1.1. Its downloading and installing just fine it just now showing any data in the threat monitor

Re: Threat prevention

_slv_ — Tue, 09 Jun 2015 18:31:11 GMT

what about Your security rules - does it have AV profile atached?

something like that:

in my example there is None - but You must chose one.

Regards

Slawek

Re: Threat prevention

jdprovine — Tue, 09 Jun 2015 18:48:08 GMT

Yes I have them created and added to my security policies

Re: Threat prevention

_slv_ — Tue, 09 Jun 2015 18:56:37 GMT

Lets do a test

Please try to dwonload http://www.eicar.org/download/eicar.com

If You really have proper configuration of AV profile atached to Your security polisy that allow Your computer to get internet access this Eicar file should be blocked

Please atache Your session detail with atempt to download Eicar file. My is:

Re: Threat prevention

jdprovine — Wed, 10 Jun 2015 16:11:23 GMT

I did the testing and confirmed with the PA service desk that it is configured correctly but still is not working correctly

Re: Threat prevention

HITSSEC — Thu, 11 Jun 2015 02:35:58 GMT

Slawek,

Your screen print for the sample rule should have an Antivirus profile that blocks traffic. Like below:

Profile view:

Just saw it was missing in your example and may have been an oversight on your part. Hopefully this helps.

Phil

Re: Threat prevention

jdprovine — Thu, 11 Jun 2015 12:26:25 GMT

It is not necessary to have it set to block to have it work, it can also be set to alert

Re: Threat prevention

HITSSEC — Thu, 11 Jun 2015 12:32:25 GMT

True. but having an Antivirus Profile of "none" will not work for testing. That was the main point I was suggesting. The block profile is just what we have in place.

Re: Threat prevention

jdprovine — Fri, 12 Jun 2015 19:58:42 GMT

I got this to respond to the eicar test recommended by PA support. But other than that it show no virus threats. That still doesn't seem possbile