New URL Filtering Categories: Grayware and Cryptocurrency

L3 Networker

Edit:  Dec 10, 2019 @ 1:28PM PT - added test URLs for grayware and cryptocurrency

 

Beginning with content release version 8206, we added two new URL Filtering categories:  “Grayware” and “Cryptocurrency.”

 

ACTION:  Administrators should immediately set their grayware category to BLOCK due to the obtrusive behavior from these websites. Palo Alto Networks recommends that you also subscribe to this FAQ for updates as they become available.

 

Grayware

How is Grayware defined?

Palo Alto Networks defines Grayware as websites that do not pose a direct security threat but that display other obtrusive behavior and tempt the end user to grant remote access or perform other unauthorized actions. Grayware typically includes scams, adware, and other unwanted or unsolicited applications, such as embedded crypto miners or hijackers that change the elements of the browser (such as the default landing page, search engines, or installing an extension for tracking purposes).

 

What happens if I don’t change Grayware to BLOCK as the action?

If you do not change the default action of the grayware category to block, your network will allow all attempted connections to grayware-related URLs to succeed and your users will have access to these websites.

 

Why is Grayware not set to block by default?

The ability to set the default action for the default profile to BLOCK is available only in PAN-OS 8.0.2 and later releases. Only customers running PAN-OS 8.0.2 or a later release will automatically have their default action set to BLOCK and only in the default profile. This functionality is not available in earlier releases of PAN-OS software.

NOTE: For PAN-OS 8.0.2 and later releases, you should check to ensure that the action is properly updated to BLOCK within your default profile.

 

If you have multiple URL Filtering Security profiles, you need to update the default action to BLOCK for each of these profiles. This applies to all versions of PAN-OS software.

 

Cryptocurrency

How is Cryptocurrency defined?

Palo Alto Networks defines the Cryptocurrency category as websites that promote crypto currencies, crypto mining websites (but not embedded crypto miners), crypto currency exchanges and vendors, and websites that manage crypto currency wallets and ledgers.


This category does not include traditional financial services websites that reference crypto currencies, websites that explain and describe how crypto currencies and block chains work, or websites that contain embedded crypto currency miners (grayware).

 

What is the recommended action for the Cryptocurrency category?

By default, the Cryptocurrency action is set to “alert” only for the default profile. If you have multiple URL Filtering Security profiles, you need to update the default action to “alert” for each of these profiles if you want consistent alerting across all profiles.  This applies to all versions of PAN-OS software.

 

Please consult your legal and privacy teams if you choose to allow and decrypt this category to account for any Personally Identifiable Information (PII).
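One way to check every URL Filtering profile against the two recommendations above (grayware set to BLOCK, cryptocurrency at least on alert) is to audit an exported configuration offline. The script below is an added example, not Palo Alto Networks code; the XML layout, the profile names and the lowercase category names `grayware` and `cryptocurrency` are assumptions, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Assumed layout: every URL Filtering
# profile is an <entry> whose action elements list categories as <member>.
SAMPLE_CONFIG = """<config><profiles><url-filtering>
  <entry name="default">
    <block><member>grayware</member><member>malware</member></block>
    <alert><member>cryptocurrency</member></alert>
  </entry>
  <entry name="branch-office">
    <block><member>malware</member></block>
    <alert><member>grayware</member></alert>
  </entry>
  <entry name="guest-wifi">
    <block><member>malware</member><member>cryptocurrency</member></block>
  </entry>
</url-filtering></profiles></config>"""

ACTIONS = ("block", "alert", "continue", "override", "allow")
# Actions the FAQ asks for. Accepting "block" for cryptocurrency is a choice
# made in this example, because block is stricter than alert.
ACCEPTABLE = {"grayware": {"block"}, "cryptocurrency": {"alert", "block"}}


def category_actions(entry):
    """Map each category named in one profile entry to its action."""
    found = {}
    for action in ACTIONS:
        for member in entry.findall(f"./{action}/member"):
            found[(member.text or "").strip()] = action
    return found


def audit_profiles(xml_text):
    """Return {profile: {category: action}} for profiles that deviate.

    A category listed under no action is reported as "unset".
    """
    findings = {}
    for entry in ET.fromstring(xml_text).findall(".//url-filtering/entry"):
        configured = category_actions(entry)
        bad = {cat: configured.get(cat, "unset")
               for cat, ok in ACCEPTABLE.items()
               if configured.get(cat, "unset") not in ok}
        if bad:
            findings[entry.get("name")] = bad
    return findings


if __name__ == "__main__":
    for profile, bad in audit_profiles(SAMPLE_CONFIG).items():
        print(profile, bad)
```

Any profile the audit reports still lets grayware through or leaves cryptocurrency traffic unlogged, so it is one of the additional profiles the FAQ says must be updated by hand.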

 

Implementation Schedule

When will the Grayware and Cryptocurrency categories be available?

The Grayware and Cryptocurrency categories will be visible on the administrator management console but we will not use these categories to classify web pages until January 2020. During this time, you are able to update your policy action for these new categories. After Palo Alto Networks begins to label existing and new URLs using these two new categories, all Grayware and Cryptocurrency URLs will be classified as such and your configured policy actions will be enforced on the firewall accordingly.  

 

When will Palo Alto Networks start to use the Grayware and Cryptocurrency categories?

The use of Grayware and Cryptocurrency categories is scheduled to begin in mid-January 2020. This blog will be updated when both categories are fully functional.

 

What are the Palo Alto Networks test URLs for Grayware and Cryptocurrency?

The test URL for grayware is: https://urlfiltering.paloaltonetworks.com/test-grayware

The test URL for cryptocurrency is: https://urlfiltering.paloaltonetworks.com/test-cryptocurrency

25,307 Views
Comments
L1 Bithead

Hello,

 

Would it be possible to get some information on how sites in the upcoming Cryptocurrency category are being categorized presently?  

 

Thank you,

- Steve

20,555 Views
Community Team Member

@stevenkadish, I wish that I could provide exact details about how URL Categories are determined.. but that is a little like revealing the KFC Secret Recipe. OK.. maybe not like that.. but if you are interested in what our URL Categorization will be like for a certain URL, you can test it yourself here:

https://urlfiltering.paloaltonetworks.com/

 

As far as the complete list of other URL Categories.. you can find them here:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC

Keep in mind until those NEW categories (as documented above) become active, we will not list those categories on this list.

 

20,419 Views
Community Team Member

OH, and if you had any issue with what URL category a certain URL was given, you can always request a re-categorization.. on that same "test a site" above, there is a Request Change link to make the request.

You also have an option to do this same thing inside of the Palo Alto Networks WebGUI Dashboard when looking at the URL Category of any URLs.

20,412 Views

When will these new categories be available in Panorama? I was able to see them in the firewall but not in Panorama.

 

Thank you.

20,406 Views
Community Team Member

From what we have been told: 

"When will the Grayware and Cryptocurrency categories be available?

The Grayware and Cryptocurrency categories will be visible on the administrator management console but we will not use these categories to classify web pages until January 2020. "

 

These should show up in Panorama just like in the Firewall inside of the Dynamic Updates. 

I would wait a week and see if they show up in Panorama..  But they should show up soon.  

20,394 Views
L3 Networker

@stevenkadish current cryptocurrency related sites are categorized as Financial Services.  

 

@guillermogarciaperez You should see these in Panorama now.  The content update would have applied to Panorama as well.  We just took a look and our test Panorama has the new categories.  Can you verify your Panorama has received the content update package (#8206)?  

 

 

20,347 Views
L0 Member

Hi, 

 

Do you know if the option of blocking grayware files is in the pipeline? Right now, it is only possible to log it.

20,146 Views
L3 Networker

@jesperc Blocking of grayware files via URL Filtering is not available as we're only able to categorize URLs.  If the URL is for downloading a grayware file, then we would categorize that as such.  And if you have your policy to block grayware, then the user would never get to the site to download the file.  

 

If you have WildFire, you can set it to block grayware files.  

 

 

19,880 Views
L0 Member

@neg273 I should have been clearer as the question wasn’t related to URL filtering. We have Wildfire and I can see grayware flowing through without the option of blocking it in the firewall. So, my question was related to this feature being added. We will use the new URLs, so hopefully that will make the file block feature less relevant.

 

If this is already an option, can you tell me where I set it up or point me to the relevant documentation? I haven’t been able to find it.

19,751 Views
L1 Bithead
Hello- Currently you cannot block files based upon greyware verdicts within PAN-OS; this can only be accomplished at the endpoint with Traps. HTH!
19,565 Views
L0 Member

I added a new URL filter with Cryptocurrency and Grayware set to block, then I applied it to a Security Profile Group.

 

19,523 Views
L0 Member

A test page like this one http://sophostest.com/ would be nice. Can PAN provide something?

7,455 Views
L1 Bithead

Something like?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaDCAS

 

Appears it just needs to be updated with the new categories.

7,312 Views
L0 Member

@Jeff-Behm that's it. Nice one. Thanks.

6,898 Views
L3 Networker

@Jeff-Behm Correct!  I am working on having two new test URLs created for grayware and cryptocurrency.  As soon as I have those, I will update the FAQ and post a comment to notify everybody.  

6,817 Views
L3 Networker
L0 Member

Sounds good @neg273 but have a look here https://urlfiltering.paloaltonetworks.com/ the Category: Computer and Internet Info

Sounds not good.

455 Views
L1 Bithead

Hi,

 

Both of the test pages are categorized as "computer-and-internet-info" as of URL DB 20191211.20247.

 

Thanks,

- Steve

361 Views
L1 Bithead

Hi,

 

In addition to Steve's note, the options for requesting re-categorization no longer include the two categories. Is it possible Palo Alto Networks has discontinued the use of the new categories?

335 Views
L3 Networker

@stevenkadish and @bwMoritz Sorry about that!  Having engineering look at it right now. 

 

@VAbrahamson We jumped the gun with the two new categories for re-categorization requests.  We removed it for the time being until we actually start publishing these two new categories.  Once we are live with these two new categories, you will see these as options for re-categorization requests.  Apologies for the confusion. 

 

294 Views
L3 Networker

@stevenkadish and @bwMoritz I spoke to engineering about this.  Unfortunately, we cannot categorize these two test URLs into grayware and cryptocurrency until the system is live.  We are expected to go live in late January 2020.  Apologies for the confusion.

196 Views