New URL Filtering Categories: Grayware and Cryptocurrency

Beginning with content release version 8206, we added two new URL Filtering categories: “Grayware” and “Cryptocurrency.”

 

ACTION: Administrators should immediately set their grayware category to BLOCK because of the obtrusive behavior of these websites. Palo Alto Networks recommends that you also subscribe to this FAQ for updates as they become available.

 

Grayware

How is Grayware defined?

Palo Alto Networks defines Grayware as websites that do not pose a direct security threat but that display other obtrusive behavior and tempt the end user to grant remote access or perform other unauthorized actions. Grayware typically includes scams, adware, and other unwanted or unsolicited applications, such as embedded crypto miners or hijackers that change the elements of the browser (such as the default landing page, search engines, or installing an extension for tracking purposes).

 

What happens if I don’t change Grayware to BLOCK as the action?

If you do not change the default action of the grayware category to block, your network will allow all attempted connections to grayware-related URLs to succeed and your users will have access to these websites.

 

Why is Grayware not set to block by default?

The ability to set the default action for the default profile to BLOCK is available only in PAN-OS 8.0.2 and later releases. Only customers running PAN-OS 8.0.2 or a later release will automatically have their default action set to BLOCK, and only in the default profile. This functionality is not available in earlier releases of PAN-OS software.

NOTE: For PAN-OS 8.0.2 and later releases, you should check to ensure that the action is properly updated to BLOCK within your default profile.

 

If you have multiple URL Filtering Security profiles, you need to update the default action to BLOCK for each of these profiles. This applies to all versions of PAN-OS software.

 

Cryptocurrency

How is Cryptocurrency defined?

Palo Alto Networks defines the Cryptocurrency category as websites that promote cryptocurrencies, crypto mining websites (but not embedded crypto miners), cryptocurrency exchanges and vendors, and websites that manage cryptocurrency wallets and ledgers.

This category does not include traditional financial services websites that reference cryptocurrencies, websites that explain and describe how cryptocurrencies and blockchains work, or websites that contain embedded cryptocurrency miners (grayware).

 

What is the recommended action for the Cryptocurrency category?

By default, the Cryptocurrency action is set to “alert” only for the default profile. If you have multiple URL Filtering Security profiles, you need to update the default action to “alert” for each of these profiles if you want consistent alerting across all profiles.  This applies to all versions of PAN-OS software.

 

Please consult your legal and privacy teams if you choose to allow and decrypt this category to account for any Personally Identifiable Information (PII).

 

Implementation Schedule

When will the Grayware and Cryptocurrency categories be available?

The Grayware and Cryptocurrency categories will be visible on the administrator management console, but we will not use these categories to classify web pages until January 2020. During this time, you are able to update your policy action for these new categories. After Palo Alto Networks begins to label existing and new URLs using these two new categories, all Grayware and Cryptocurrency URLs will be classified as such and your configured policy actions will be enforced on the firewall accordingly.

 

When will Palo Alto Networks start to use the Grayware and Cryptocurrency categories?

The use of Grayware and Cryptocurrency categories is scheduled to begin in mid-January 2020. This blog will be updated when both categories are fully functional.  
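
The FAQ above asks for the grayware action to be BLOCK and the cryptocurrency action to be “alert” in every URL Filtering profile, not only the default one. The following audit is an added example, not Palo Alto Networks code: it reads an exported configuration and lists every profile that deviates. The XML layout, the profile names and the sample categories are constructed assumptions; compare them with your own export before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Assumed layout: one <entry> per URL Filtering profile,
# one child element per action, each listing categories as <member> values.
SAMPLE_CONFIG = """<config><profiles><url-filtering>
  <entry name="default">
    <alert><member>cryptocurrency</member></alert>
    <block><member>grayware</member><member>malware</member></block>
  </entry>
  <entry name="branch-office">
    <alert><member>grayware</member></alert>
    <block><member>malware</member></block>
  </entry>
  <entry name="guest-wifi">
    <block><member>malware</member><member>phishing</member></block>
  </entry>
</url-filtering></profiles></config>"""

ACTIONS = ("allow", "alert", "continue", "override", "block")
# Actions from the FAQ: grayware -> block, cryptocurrency -> alert.
# Accepting "block" for cryptocurrency as well is an assumption of this example.
EXPECTED = {"grayware": {"block"}, "cryptocurrency": {"alert", "block"}}


def category_actions(entry):
    """Map every category listed in one profile entry to its action."""
    found = {}
    for action in ACTIONS:
        for member in entry.findall(f"./{action}/member"):
            found[(member.text or "").strip()] = action
    return found


def audit_profiles(xml_text):
    """Return (profile, category, action) for each profile that deviates.

    action is None when the profile does not list the category at all.
    """
    findings = []
    for entry in ET.fromstring(xml_text).findall(".//url-filtering/entry"):
        found = category_actions(entry)
        for category, accepted in EXPECTED.items():
            if found.get(category) not in accepted:
                findings.append((entry.get("name"), category, found.get(category)))
    return findings


if __name__ == "__main__":
    for profile, category, action in audit_profiles(SAMPLE_CONFIG):
        print(f"{profile}: {category} is {action or 'not set'}")
```
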

 

18,432 Views
Comments
L1 Bithead

Hello,

 

Would it be possible to get some information on how sites in the upcoming Cryptocurrency category are being categorized presently?  

 

Thank you,

- Steve

13,680 Views
Community Team Member

@stevenkadish , I wish that I could provide exact details about how URL Categories are determined.. but that is a little like revealing the KFC Secret Recipe. OK.. maybe not like that.. but if you are interested in what our URL Categorization will be like for a certain URL, you can test it yourself here:

https://urlfiltering.paloaltonetworks.com/

 

As far as the complete list of other URL Categories.. you can find them here:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC

Keep in mind until those NEW categories (as documented above) become active, we will not list those categories on this list.

 

13,544 Views
Community Team Member

OH, and if you had any issue with what URL category a certain URL was given, you can always request a recategorization.. on that same "test a site" above, there is a Request Change link to make the request.

You also have an option to do this same thing inside of the Palo Alto Networks WebGUI Dashboard when looking at the URL Category of any URLs.

13,537 Views

When will these new categories be available in Panorama? I was able to see them in the firewall but not in Panorama.

 

Thank you.

13,531 Views
Community Team Member

From what we have been told: 

"When will the Grayware and Cryptocurrency categories be available?

The Grayware and Cryptocurrency categories will be visible on the administrator management console but we will not use these categories to classify web pages until January 2020."

 

These should show up in Panorama just like in the Firewall inside of the Dynamic Updates. 

I would wait a week and see if they show up in Panorama..  But they should show up soon.  

13,519 Views
L2 Linker

@stevenkadish current cryptocurrency related sites are categorized as Financial Services.  

 

@guillermogarciaperez You should see these in Panorama now.  The content update would have applied to Panorama as well.  We just took a look and our test Panorama has the new categories.  Can you verify your Panorama has received the content update package (#8206)?  

 

 

13,472 Views
L0 Member

Hi, 

 

Do you know if the option of blocking grayware files is in the pipeline? Right now, it is only possible to log it.

13,271 Views
L2 Linker

@jesperc Blocking of grayware files via URL Filtering is not available as we're only able to categorize URLs.  If the URL is for downloading a grayware file, then we would categorize that as such.  And if you have your policy to block grayware, then the user would never get to the site to download the file.  

 

If you have WildFire, you can set it to block grayware files.  

 

 

13,005 Views
L0 Member

@neg273 I should have been clearer as the question wasn’t related to URL filtering. We have Wildfire and I can see grayware flowing through without the option of blocking it in the firewall. So, my question was related to this feature being added. We will use the new URLs, so hopefully that will make the file block feature less relevant.

 

If this is already an option, can you tell me where I set it up or point me to the relevant documentation? I haven’t been able to find it.

12,876 Views
L1 Bithead
Hello- Currently you cannot block files based upon greyware verdicts within PAN-OS; this can only be accomplished at the endpoint with Traps. HTH!
12,690 Views
L0 Member

I added a new URL filter with Cryptocurrency and Grayware set to blocked, then I applied it to a Security Profile Group.

 

12,648 Views
L0 Member

A test page like this one http://sophostest.com/ would be nice. Can PAN provide something?

580 Views
L1 Bithead

Something like?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaDCAS

 

Appears it just needs to be updated with the new categories.

437 Views
L0 Member

@Jeff-Behm that's it. Nice one. Thanks.

23 Views