https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10202#M7489 <HTML><HEAD></HEAD><BODY><P>Thats incorrect.</P><P></P><P>You need to install a selfsigned CA-cert (along with its private key) in your PA device and then install the public key as "trusted CA" in your clients browsers (if you have an AD you can push this CA public key through GPO).</P><P></P><P>This CA-cert (for ssl-termination) can be created by using the openssl binary.</P><P></P><P>However - depending on your company regulations regarding certs and stuff and specially if you already have a PKI infrastructure then I would use the PKI environment to create either a new CA or an intermediate CA to be used in your PA.</P></BODY></HTML> Fri, 08 Jun 2012 18:27:57 GMT mikand 2012-06-08T18:27:57Z https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10197#M7484 <HTML><HEAD></HEAD><BODY><P>Hello PAN,</P><P>Today I had a client get infected with the "Windows Privacy Module" Fake AV, This wasn't cought by either PAN OS or Trend Micro while a MalwareBytes scan found it and removed it no problem. Is there something more I can do to increase the odds of my PA SG in catching these? I do keep th AV software up to date along with the PAN OS and I do have the Security profile on all ingress traffic set to block.</P><P>Thanks,</P></BODY></HTML> Thu, 07 Jun 2012 19:43:59 GMT https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10197#M7484 Bvance 2012-06-07T19:43:59Z https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10198#M7485 <HTML><HEAD></HEAD><BODY><H4 style="font-size:1.4444em;font-family:Arial, Helvetica, sans-serif;background-color:#f8f4e6">This looks like a false-negative&nbsp; bypassing PAN-OS firewall.Please open a support case providing following info.</H4><P></P><P></P><P style="color:#000000;font-family:Arial, Helvetica, sans-serif;font-size:12px;background-color:#f8f4e6">(1) samples&nbsp; pcaps <BR />(2) Reference URL /Links etc.&nbsp; associated with the Virus.</P><P></P><P>Refer : <A class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1283">https://live.paloaltonetworks.com/docs/DOC-1283</A>&nbsp;&nbsp; for future references.</P><P></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #f8f4e6; min-height: 8pt;">Thanks ,</P><P></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #f8f4e6; min-height: 8pt;">Ameya</P></BODY></HTML> Thu, 07 Jun 2012 19:55:02 GMT https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10198#M7485 UhMayYeah 2012-06-07T19:55:02Z https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10199#M7486 <HTML><HEAD></HEAD><BODY><P>As a sidenote you could also enable ssl decryption in order to be able to inspect also https traffic. Along with (if possible) block .exe and other filetypes from being downloadable by the clients. And to top it off you could enable url categorization and block follow categories:</P><P></P><P>Keyloggers and Monitoring</P><P>Malware sites</P><P>Spyware and Adware</P></BODY></HTML> Thu, 07 Jun 2012 20:39:10 GMT https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10199#M7486 mikand 2012-06-07T20:39:10Z https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10200#M7487 <HTML><HEAD></HEAD><BODY><P>Thanks, I'll give these a shot.</P></BODY></HTML> Fri, 08 Jun 2012 12:21:53 GMT https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10200#M7487 Bvance 2012-06-08T12:21:53Z https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10201#M7488 <HTML><HEAD></HEAD><BODY><P>From what I have been reading on inbound SSL decryption it looks like we would have to have our own Microsoft certificate server. Is this correct?</P><P>Thanks,</P></BODY></HTML> Fri, 08 Jun 2012 14:32:49 GMT https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10201#M7488 Bvance 2012-06-08T14:32:49Z https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10202#M7489 <HTML><HEAD></HEAD><BODY><P>Thats incorrect.</P><P></P><P>You need to install a selfsigned CA-cert (along with its private key) in your PA device and then install the public key as "trusted CA" in your clients browsers (if you have an AD you can push this CA public key through GPO).</P><P></P><P>This CA-cert (for ssl-termination) can be created by using the openssl binary.</P><P></P><P>However - depending on your company regulations regarding certs and stuff and specially if you already have a PKI infrastructure then I would use the PKI environment to create either a new CA or an intermediate CA to be used in your PA.</P></BODY></HTML> Fri, 08 Jun 2012 18:27:57 GMT https://live.paloaltonetworks.com/t5/general-topics/known-malware-passing-through-pa-to-client/m-p/10202#M7489 mikand 2012-06-08T18:27:57Z