https://live.paloaltonetworks.com/t5/general-topics/wildfire-options/m-p/10441#M7697 <HTML><HEAD></HEAD><BODY><P>Hey guys,</P><P></P><P>As I'm sure most of us are, I'm seeing a huge string of issues related to Cryptolocker lately.</P><P></P><P>I've reviewed the several articles floating around on how Palo Alto units deal with this, the fact is I'm seeing spam emails get through encouraging users to download executables which always come up as clean as far as PA's build in AV goes. Wildfire does appear to have a very successful history for us of identifying these infections. However, an alert is often proceeded immediately with an outbreak, at which point it's too late.</P><P></P><P>What options may exist here? Given the recent scale of damage, most users would be happy wait a minute while a download is sandboxed before being made available to them, in fact there are competing products already doing that just to run traditional AV. I'm sure this has already been considered, but given the huge scale of the threat, I'd like to around regarding whether I'm missing something, or whether there's any possible way of scripting this to produce the desired effect.</P></BODY></HTML> Mon, 01 Dec 2014 05:02:32 GMT daraco 2014-12-01T05:02:32Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-options/m-p/10441#M7697 <HTML><HEAD></HEAD><BODY><P>Hey guys,</P><P></P><P>As I'm sure most of us are, I'm seeing a huge string of issues related to Cryptolocker lately.</P><P></P><P>I've reviewed the several articles floating around on how Palo Alto units deal with this, the fact is I'm seeing spam emails get through encouraging users to download executables which always come up as clean as far as PA's build in AV goes. Wildfire does appear to have a very successful history for us of identifying these infections. However, an alert is often proceeded immediately with an outbreak, at which point it's too late.</P><P></P><P>What options may exist here? Given the recent scale of damage, most users would be happy wait a minute while a download is sandboxed before being made available to them, in fact there are competing products already doing that just to run traditional AV. I'm sure this has already been considered, but given the huge scale of the threat, I'd like to around regarding whether I'm missing something, or whether there's any possible way of scripting this to produce the desired effect.</P></BODY></HTML> Mon, 01 Dec 2014 05:02:32 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-options/m-p/10441#M7697 daraco 2014-12-01T05:02:32Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-options/m-p/10442#M7698 <HTML><HEAD></HEAD><BODY><P>this cannot be done with a script I think.Solution is, use TRAPS.</P></BODY></HTML> Mon, 01 Dec 2014 07:11:44 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-options/m-p/10442#M7698 Retired Member 2014-12-01T07:11:44Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-options/m-p/10443#M7699 <HTML><HEAD></HEAD><BODY><P>I agree with <A _jive_internal="true" href="https://live.paloaltonetworks.com/people/panos">panos</A>, that TRAPS could be your answer. Not knowing your environment but you may want to consider users not being able to download .exes (have AD group for exceptions to the rule) or blocking .exes with a spam gateway.But at the end of the day TRAPS might be your answer. </P></BODY></HTML> Mon, 01 Dec 2014 13:54:51 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-options/m-p/10443#M7699 lewis 2014-12-01T13:54:51Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-options/m-p/10444#M7700 <HTML><HEAD></HEAD><BODY><P>6.1 has URL inspection in WF so smtp messages with malicous URL links should be identified. <A href="https://www.paloaltonetworks.com/documentation/61/pan-os/newfeaturesguide/section_4/chapter_4.html#46158" title="https://www.paloaltonetworks.com/documentation/61/pan-os/newfeaturesguide/section_4/chapter_4.html#46158">WildFire Email Link Analysis</A></P><P></P><P>In addition block outbound to URL category Malware if you haven't done so already enable fwding of 'email-link'. Not all but most of the domains that WF picks up gets added to the malware category. </P><P></P><P>Another brute force approach would be to limit downloads of PE's with a captive portal. </P><P></P><P>Also think defense in depth so don't rely 100% on the peremieter fw's and yes TRAPS may help you here as well. </P></BODY></HTML> Mon, 01 Dec 2014 16:25:33 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-options/m-p/10444#M7700 jkim2 2014-12-01T16:25:33Z