<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to properly configure POP3 AV and malware inspection in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-configure-pop3-av-and-malware-inspection/m-p/75500#M42003</link>
    <description>&lt;P&gt;Dear Live Community,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I was wondering how I have to configure pop3 traffic inspection in order to protect my network from malware and viruses in mails sent to me. My Linux server pulls various mail servers in the internet using fetchmail every couple of minutes. The connection is tcp/995 POP3S. The PAN is working in virtual wire mode between my main switch and the DSL router. I have wildfir&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've configured a decryption profile for the POP3 servers and from certification validation errors in fetchmail in the beginning I can see that the decryption is actually taking place &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt; (problem fixed in the meantime).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've now added a rule in my security policy:&lt;/P&gt;
&lt;P&gt;From trust (internal) zone to POP3 servers in the untrust (Internet) zone, addresses: all POP3 servers referenced via IP, application: pop3 and ssl, services: pop3 and pop3s (tcp/110, tcp/995), Policy: "allow", Activated inspection profiles: AV, Vuln protection, Anti-Spyware, URL Filtering, File Blocking, WildFire. Settings in the profiles: Mostly default or alert. From what I've read, the "ssl" application should not be necessary, as the application is just "pop3" when the session is decrypted, but nevertheless...&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So far I've not received a single alert for malware in one of the emails, but have received quite a few mails with malicious attachments (e.g. Locky ransomware). These attachments fortunately were filtered by my endpoint AV product.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What am I missing? Why isn't the PAN blocking these attachments?&lt;/P&gt;</description>
    <pubDate>Wed, 30 Mar 2016 19:44:57 GMT</pubDate>
    <dc:creator>daubsi</dc:creator>
    <dc:date>2016-03-30T19:44:57Z</dc:date>
    <item>
      <title>How to properly configure POP3 AV and malware inspection</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-configure-pop3-av-and-malware-inspection/m-p/75500#M42003</link>
      <description>&lt;P&gt;Dear Live Community,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I was wondering how I have to configure pop3 traffic inspection in order to protect my network from malware and viruses in mails sent to me. My Linux server pulls various mail servers in the internet using fetchmail every couple of minutes. The connection is tcp/995 POP3S. The PAN is working in virtual wire mode between my main switch and the DSL router. I have wildfir&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've configured a decryption profile for the POP3 servers and from certification validation errors in fetchmail in the beginning I can see that the decryption is actually taking place &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt; (problem fixed in the meantime).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've now added a rule in my security policy:&lt;/P&gt;
&lt;P&gt;From trust (internal) zone to POP3 servers in the untrust (Internet) zone, addresses: all POP3 servers referenced via IP, application: pop3 and ssl, services: pop3 and pop3s (tcp/110, tcp/995), Policy: "allow", Activated inspection profiles: AV, Vuln protection, Anti-Spyware, URL Filtering, File Blocking, WildFire. Settings in the profiles: Mostly default or alert. From what I've read, the "ssl" application should not be necessary, as the application is just "pop3" when the session is decrypted, but nevertheless...&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So far I've not received a single alert for malware in one of the emails, but have received quite a few mails with malicious attachments (e.g. Locky ransomware). These attachments fortunately were filtered by my endpoint AV product.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What am I missing? Why isn't the PAN blocking these attachments?&lt;/P&gt;</description>
      <pubDate>Wed, 30 Mar 2016 19:44:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-configure-pop3-av-and-malware-inspection/m-p/75500#M42003</guid>
      <dc:creator>daubsi</dc:creator>
      <dc:date>2016-03-30T19:44:57Z</dc:date>
    </item>
    <item>
      <title>Re: How to properly configure POP3 AV and malware inspection</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-configure-pop3-av-and-malware-inspection/m-p/75501#M42004</link>
      <description>&lt;P&gt;And another question comes to my mind: How would the FW actually block the malicious content?&lt;/P&gt;
&lt;P&gt;I've seen blog posts where the FW interferes with an SMTP transfer and sends an Error 541 to the sending MTA, so the mail is actually not transferred to the protected resources, but how will it be with POP3?&lt;/P&gt;
&lt;P&gt;The malicious mail is already at my provider and when I retrieve the mails using POP3, what will be transferred if malicious content is identified in 1 out of 10 messages on the server? Nothing? 9 mails? All 10 mails? Will the blocked mail stay on the POP3 server and be transferred on every sync again and again?&lt;/P&gt;</description>
      <pubDate>Wed, 30 Mar 2016 19:54:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-configure-pop3-av-and-malware-inspection/m-p/75501#M42004</guid>
      <dc:creator>daubsi</dc:creator>
      <dc:date>2016-03-30T19:54:26Z</dc:date>
    </item>
  </channel>
</rss>

