topic Re: Why viruses/spywares passes PA device unblocked? in General Topics

Why viruses/spywares passes PA device unblocked?

_slv_ — Thu, 28 Nov 2013 13:29:42 GMT

Hello

Until now I trusted that default configuration for most purposes is OK.

Today I discovered that few viruses passes in smtp traffic to my email server. I'm curious why?

when in web-broswing traffic the same type of aplication "virus" was denied.

My security rule:

it using profile "servers". This profile looks like:

so it's using antyvirus profile "default". I believed that this profile will block every kind of viruses.

Please tell me what I done wrong and how to change to block every kind of viruses and other unwanted stuff.

My second problem is related to spyware, and again two strange behaviors:

We have the same source and security. Why it's one time blocked but another not?

so the "anti spyware" and "volnerability protection" uses strict profiles that looks likes:

Please help me!

With regards

SLawek

Re: Why viruses/spywares passes PA device unblocked?

gafrol — Fri, 29 Nov 2013 14:19:38 GMT

The default action for smtp is alert not block. You need to change that in your AV Profile.

For the AntiSpyware feature. This is controlled by the AntiSpyware Profile. The DNS interception is configured under the TAB "DNS Signatures" which is either set to alert allow or block.

In your case it seems the AS profile has been changed between 07:29:05 and 22:16:56.

rgds

Roland

Re: Why viruses/spywares passes PA device unblocked?

_slv_ — Fri, 29 Nov 2013 15:59:52 GMT

Hi Roland

I changed AV profile (I created my new one and set up to block).

AS profile uses strict profile for both desktops and servers profile groups. I didn't change anything in it since months.

Today I can't find in threat log any entries that has alert action - so myabe it's my fault.

Regards

Slawek

Re: Why viruses/spywares passes PA device unblocked?

Retired Member — Fri, 29 Nov 2013 23:36:05 GMT

you need to be aware that when you set smtp to block, the sender will keep trying to send the email until it's timing out.

Re: Why viruses/spywares passes PA device unblocked?

_slv_ — Sat, 30 Nov 2013 13:12:36 GMT

Hi bartoq

I know that isn't a good idea, but do I have other options?

If I set alert for smtp I will get virus on my SMTP server. I'm using opensource ClamAV on it and I'm not sure that it will catch such virus too.

If I have to choose between problems with recieving emails from internet - I don't care of it - email with virus is a unwanted email for me sent intentionally or accidentally (through an infected computer) or getting computers infected I choosing the first options.

How are You have setet up AV profiles?

I think that good option now for me will be to monitor how AV and AS works. So I went to Custom Reports and I try to create one for it.

I think that I should use Traffic Logs and filter with action=block but there isn't such option:

So my question is how to make report that will cover every situation when PAN will block something using Antivirus/Anti Spyware/Vulnerability Protection?

In my opinion report is only way to get informstion what is goin on.

How do you deal with such problems? I hope that many people will read this topic and I hope that will share their solutions.

With regards

SLawek

Re: Why viruses/spywares passes PA device unblocked?

${userLoginName} — Sat, 30 Nov 2013 14:03:48 GMT

Dear,

From:Threat Prevention Deployment Tech Note

Note: The reason why SMTP, POP3 and IMAP have the default action set to ALERT is because in most cases there is already a dedicated Antivirus gateway solution in place for these protocols. Specifically for POP3 and IMAP, it is not possible to clean files or properly terminate an infected file-transfer in-stream without affecting the entire session. This is due to shortcomings in these protocols to deal with this kind of situation

From: Re: antivirus block action for mail protocols

For POP3/IMAP, the only action the firewall will ever take is “alert”. The device will never block or drop for these protocols, even if you configure an action of “block”.

Kind regards,

Bob

Re: Why viruses/spywares passes PA device unblocked?

knutelde — Sun, 09 Feb 2014 17:53:45 GMT

hi bdeschut

I have already found the same descriptions that you have in the PANOS docs, but how are palo alto devices then meant to protect against virus and malware\spyware,

coming into the network from peoples personal webmails and other personal apps using pop3 or IMAP ?

are there no solution to use palo alto devices to stop virus that comes with trafic using these protocols ?

Is it simply a matter of totally blocking everything that has to do with pop3 and IMAP, from entering the network ?

there must be a way to filter and protect users even if they are using these protocols, or m I wrong ?

Re: Why viruses/spywares passes PA device unblocked?

ErwinBuena — Thu, 11 Dec 2014 22:13:56 GMT

Is someone got an answer for this kind of issue? I'm also in the process of modifying the default profile for Antivirus and set a block rule for smtp, pop3 and imap of PA detected an anomaly on it's payload. Is it a good practice?

Re: Why viruses/spywares passes PA device unblocked?

MarcoLeckel — Mon, 15 Dec 2014 09:14:41 GMT

Hi, just to correct the previous Statement from the other Threat:

###

"For POP3/IMAP, the only action the firewall will ever take is “alert”. The device will never block or drop for these protocols, even if you configure an action of “block”."

###

--> This is not correct.

If you set "block" Action the PA will terminate (Reset) a Session is a Virus is found in Pop3/IMAP.

Be aware that you will not be able to get any new Mail from this Server until you delete the Virus on Server Site.

(Because everytime your Client requests new Mails your whole Session to the Server will be reset, not only the one with the Virus in it)

Regards

Marco

Re: Why viruses/spywares passes PA device unblocked?

mr.linus — Tue, 31 Mar 2015 13:59:56 GMT

Hey Marco,

I think you are right here!

Setting it to block for POP3 will definitely block it, but in the process "break" the POP3 account as you explained.

Thank you for setting this straight.

* POP3/IMAP + block -> You can not get a new email from this server until the virus email is deleted from the server. Otherwise the whole POP3 session will be dropped each time you retry to retrieve you emails.

* SMTP + block -> An SMTP 541 error message will be sent as part of the block action when a virus is detected. This will tell the mail server not to retry sending the message, allowing the firewall to drop the mail without the mail server trying to resend it. So I don't realy see why the default action would be just alert. I guess some smtp servers will not listen to these 541 error messages and keep resending the email...

You may also find that in the latest PaloAlto admin guide (6.1) there is no mention anymore of the "it's not possible to block POP3 virus".

They just skim right over the topic and don't mention why the default action is alert instead of block for certain protocols.

The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP,

and POP3 protocols while blocking for FTP, HTTP, and SMB protocols. Customized profiles can be used to

minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of

traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive

destinations, such as server farms.

Re: Why viruses/spywares passes PA device unblocked?

jintan — Mon, 27 Mar 2017 08:45:34 GMT

hi all,

So what is the best recommended practice for customers who are using POP3 and IMAP email servers?

Is there a need to use a 3rd party mail filtering solution?

thanks for the advice.

Re: Why viruses/spywares passes PA device unblocked?

OtakarKlier — Mon, 15 Apr 2019 19:13:24 GMT

Hello,

Yes a 3rd party mail/spam filter tool is highly recommended. Defense in depth.

Regards,

Re: Why viruses/spywares passes PA device unblocked?

ram1989 — Thu, 25 Apr 2019 11:11:34 GMT

The unwanted software's infiltrates my computing device and PA devices. So without technical knowledge, the situation becomes worse where I resorted to the help of a technician. So unless you're strong with the technical side, please avoid tuning the configuration by yourself.