topic Re: Mail attachment virus scanning in General Topics

Mail attachment virus scanning

dieter_b — Thu, 27 Jun 2013 09:06:59 GMT

How can I implement proper mail attachment virus scanning ?

For incoming mail, I have an antivirus security profile in place that should block virusses (smtp decoder), nothing fancy really:

I notice that the PA doesn't filter attached virusses too well. Luckily (as is best practice) I have several layers of antivirus protection for mail:

external spam filter --- firewall --- (spamfilter in DMZ; spam only) --- antivirus on internal mailserver --- endpoint antivirus + Outlook attachment filter

So virus infected mails usually don't reach the user. However, I think it's better that they are identified and blocked at an early stage, which is not the case now. The firewall plays an important role here, I feel.

I feel like PA antivirus doesn't do smtp antivirus very well. E.g. none of the test virus/spam mails from Free Email Security Check were blocked by the PA.

What can I do to improve on this ? Or is PA just not up to the task ?

Re: Mail attachment virus scanning

kprakash — Thu, 27 Jun 2013 13:52:03 GMT

Hi dieterb,

I was wondering whether the PANFW isn't screening the mails for the attachments at all. Can you show us the screenshot of the security rule where this profile has been configured under.

The link below also describes the best practices for Threat Prevention

https://live.paloaltonetworks.com/docs/DOC-3094

The pages 19 through 22 explain about how to configure the anitvirus feature.

I suggest taking a look at these settings as well mentioned under this document.

Thanks and best regards,

Karthik RP

Re: Mail attachment virus scanning

dieter_b — Thu, 27 Jun 2013 15:43:14 GMT

Nothing fancy in the rule:

I've browsed through the pages you suggested (haven't had time yet to review the entire document), but nothing obvious that suggests my config is wrong...

Message was edited by: Dieter Bulcke

Re: Mail attachment virus scanning

dieter_b — Fri, 28 Jun 2013 06:28:18 GMT

Can the message format the SMTP mail is presented to us be a reason the PA doesn't "see" the attachments ?

Re: Mail attachment virus scanning

UhMayYeah — Fri, 28 Jun 2013 09:41:59 GMT

AV scanning for the Email attachments is supported.

If the SMTP connection is over SSL ,you need to implement SSL-Decryption on the PAN-OS firewall to scan the clear-text traffic.

Re: Mail attachment virus scanning

dieter_b — Fri, 28 Jun 2013 09:53:18 GMT

Plain standard unencrypted SMTP, so no decryption necessary for content inspection.

Re: Mail attachment virus scanning

UhMayYeah — Fri, 28 Jun 2013 10:21:17 GMT

Make sure the firewall is installed with latest Antivirus version -1046-1457.

If the traffic logs show Email traffic matching the security rule Allow-In_Mail and no Threat logs are generated ,open a case with Support.

#As an additional step, you can associate a File-Blocking profile with this rule and monitor the Wildfire logs.

Re: Mail attachment virus scanning

dieter_b — Fri, 28 Jun 2013 10:49:42 GMT

It didn't update to the latest antivirus yet, but that should not be the issue, right ? Virusses in other traffic is detected fine.

I checked earlier, incoming mail passes the right rule.

No wildfire subscription.

I'll open (yet another, almost weekly now) ticket with support.

Re: Mail attachment virus scanning

NashTechIT — Fri, 29 Aug 2014 09:53:07 GMT

Hi,

i am using SMTP connection over SSL.

How can I implement SSL Decryption for SMTP?

Re: Mail attachment virus scanning

tshiv — Fri, 29 Aug 2014 22:31:26 GMT

The below document could be helpful :

How to Implement SSL Decryption

Thanks

Re: Mail attachment virus scanning

dieter_b — Mon, 16 Mar 2015 10:37:14 GMT

Bringing back an old thread:

We had some cryptolocker recently. Mail containting a zip.

although the antivirus definitions know of the specific variant, the firewall will not block them in SMTP traffic.

What are the limits for STMP attachment scanning regarding to compressed files ?