<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Wildfire SMTP - Malicious objects not blocked in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/133763#M47255</link>
    <description>&lt;P&gt;Hi, thanks for the replies so far.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In the screenshot it states "alert" as the action (which it did in the log). I thought that this is expected, as this would be passed onto the AV profile, which would then kick in and "reset-both" based off the WF settings in the AV profile?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Should I expect the action in the below WF analysis to state "reset-both"?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When looking at the AV monitoring, I see little activity... :(. We now have a new variant of this being spammed at us; I would have thought the email scanning service we have would have started bouncing these by now!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
    <pubDate>Tue, 20 Dec 2016 17:34:17 GMT</pubDate>
    <dc:creator>Kuiper</dc:creator>
    <dc:date>2016-12-20T17:34:17Z</dc:date>
    <item>
      <title>Wildfire SMTP - Malicious objects not blocked</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/133703#M47245</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We recently had our FW set up by an external security company.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Yesterday we had a malicious email attack which got past our email scanning service. Although Wildfire identified the attachments as malicious, they were sent on to the recipients (around 500). Luckily our AV's heuristics blocked the execution of the powershell script on most clients and I am using the FW to identify those that connected to the compromised site to DL the payload.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have checked and our Wildfire setup seems to be as per the below How To:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Enable-WildFire-to-Block-File-with-malicious-Verdict/ta-p/54376" target="_blank"&gt;How to Enable WildFire to Block File with 'malicious' Verdict&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The AV profile did have "drop" against WF SMTP, which I have now changed to "reset-both", but I am unsure why this didn't stop the files getting through.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture3.PNG" style="width: 800px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/6966iB91C1ED25D207EE3/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="Capture3.PNG" alt="Capture3.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any help in identifying where I am going wrong or how to troubleshoot would be greatly appreciated!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 20 Dec 2016 12:02:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/133703#M47245</guid>
      <dc:creator>Kuiper</dc:creator>
      <dc:date>2016-12-20T12:02:45Z</dc:date>
    </item>
    <item>
      <title>Re: Wildfire SMTP - Malicious objects not blocked</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/133728#M47246</link>
      <description>&lt;P&gt;As long as you are actually set up correctly, then I imagine that this was the first sample that wildfire received. If you upload something completely new to wildfire, it's possible that it had already been received by the time wildfire categorized it as malicious.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 20 Dec 2016 15:04:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/133728#M47246</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2016-12-20T15:04:02Z</dc:date>
    </item>
    <item>
      <title>Re: Wildfire SMTP - Malicious objects not blocked</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/133734#M47249</link>
      <description>&lt;P&gt;To piggyback on&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;&amp;nbsp;just because WF said it was malicious: if this was the first time the WF global environment saw it, it was an "unknown", which means your local appliance didn't have the hash of the file in its local DB and as such the file was passed along.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The "malicious" note of the file likely occurred minutes after the file was sent up for analysis. &amp;nbsp;You potentially were the unfortunate recipient to first send this file to the global WF environment, but the rest of us can thank you for now having that hash as a known bad.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;--edit--&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;err...just looked at your screenshot, there was only a 3 second delta. &amp;nbsp;So all of what I said didn't apply; WF already knew the file was malicious.&lt;/P&gt;</description>
      <pubDate>Tue, 20 Dec 2016 15:23:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/133734#M47249</guid>
      <dc:creator>Brandon_Wertz</dc:creator>
      <dc:date>2016-12-20T15:23:16Z</dc:date>
    </item>
    <item>
      <title>Re: Wildfire SMTP - Malicious objects not blocked</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/133763#M47255</link>
      <description>&lt;P&gt;Hi, thanks for the replies so far.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In the screenshot it states "alert" as the action (which it did in the log). I thought that this is expected, as this would be passed onto the AV profile, which would then kick in and "reset-both" based off the WF settings in the AV profile?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Should I expect the action in the below WF analysis to state "reset-both"?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When looking at the AV monitoring, I see little activity... :(. We now have a new variant of this being spammed at us; I would have thought the email scanning service we have would have started bouncing these by now!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Tue, 20 Dec 2016 17:34:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/133763#M47255</guid>
      <dc:creator>Kuiper</dc:creator>
      <dc:date>2016-12-20T17:34:17Z</dc:date>
    </item>
    <item>
      <title>Re: Wildfire SMTP - Malicious objects not blocked</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/134501#M47349</link>
      <description>&lt;P&gt;Check your settings as instructed in this document to ensure you have blocking for malicious set up everywhere you want it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Enable-WildFire-to-Block-File-with-malicious-Verdict/ta-p/54376" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Enable-WildFire-to-Block-File-with-malicious-Verdict/ta-p/54376&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Sat, 24 Dec 2016 12:01:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/134501#M47349</guid>
      <dc:creator>pulukas</dc:creator>
      <dc:date>2016-12-24T12:01:09Z</dc:date>
    </item>
    <item>
      <title>Re: Wildfire SMTP - Malicious objects not blocked</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/134846#M47397</link>
      <description>&lt;P&gt;Hi Pulukas, thanks for taking a look.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Unfortunately, this is the guide I used and linked in my original post. I have everything set up as per the article, but we have been having a number of files getting through.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have since raised a ticket with Palo regarding this, and the engineer I was talking to confirmed the settings were correct and couldn't see why the files were getting through 3 days after the hash had been identified.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It has therefore been escalated and I am now in the process of providing the various logs required for investigation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I suspect that this issue is down to human error and there is some setting/policy somewhere which is causing this headache; I just hope it is sorted soon :).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I will let you know if I get a solution, as I noticed in the article you linked, other people were having similar issues.&lt;/P&gt;</description>
      <pubDate>Wed, 28 Dec 2016 10:35:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildfire-smtp-malicious-objects-not-blocked/m-p/134846#M47397</guid>
      <dc:creator>Kuiper</dc:creator>
      <dc:date>2016-12-28T10:35:33Z</dc:date>
    </item>
  </channel>
</rss>