Advice blocking URl/ZIP

Reply
L4 Transporter

Advice blocking URl/ZIP

Hi,

We are receiving the same emails,which last 28/11/14, infected our system with cryptoloker. These links come from different domains but have in common the following url

http://xxxxxxxx.xx/Billing/invoice.zip. How could we avoid that if someone clicks the link, not end infecting our systems?

any advice?????

thanks

L4 Transporter

Re: Advice blocking URl/ZIP

Hello COS

Do You have av/threat/WildFire protection applied on security rules that passing traffic to internet?

Have You latest updates applied? Cryptolocker is well known malware (but it's still changing its code). Did You create a  support case for this false positive?

In my opinion You have to create data filtering if the filename is always "invoice.zip" I try to find examples in archiwum but I didn't find any examples how to get it.

I hope that someone give You examples.

Regards

Slawek

L4 Transporter

Re: Advice blocking URl/ZIP

we have only URL filtering license. We have updated the virus/threats signatures. We have thought add in block list (URL filtering profile) this line */invoce.zip

it would work?

L4 Transporter

Re: Advice blocking URl/ZIP

Did You read:

http://researchcenter.paloaltonetworks.com/2014/07/banking-security-best-practices-zeus-cryptolocker...

http://researchcenter.paloaltonetworks.com/2013/11/palo-alto-networks-can-stop-cryptolocker/

Please follow this documents carefully, Cryptolocker isnt a "simple" malware, so without additional licences I think that i will be hard to detect and stop them

Regards

Slawek

L4 Transporter

Re: Advice blocking URl/ZIP

which license is necessary to use FILE BLOCKING???

we have only URL FILTERING and THREAT PREVENTION licenses.

L4 Transporter

Re: Advice blocking URl/ZIP

According to Data Filtering and File Blocking - Palo Alto Networks and my understanding it using THREAT PREVENTION licenses

Regards

Slawek

L3 Networker

Re: Advice blocking URl/ZIP

Are you using a spam filter? May be blocking the incoming emails filtering by attachment or content may be a quicker solution.

Or create a data filtering profile for file type .zip, direction = download, with regex to match invoice.zip, and then apply it to your security policies. Note: I haven't tested this.

Larry

L6 Presenter

Re: Advice blocking URl/ZIP

Yet another option to help you prevent further infections...

http://xxxxxxxx.xx is most likely a shady domain.

You can respond the DNS Query with a Honeypot IP and do DNS Sinkhole, thus preventing the infection.

Check out:

https://live.paloaltonetworks.com/docs/DOC-6220

L4 Transporter

Re: Advice blocking URl/ZIP

Hello

The problem is the mail sender and the name of  attached file within changes, this happened several weeks ago and I created a rule tu deny the source, but now the source is different and also the file name.

So data-filtering to deny incoming zip files with the regex "invoice.zip" won't be usefull in the future, and redirect the web page to a honeypot or sinkhole has the same problem, it changes in time.

I read the post from Slawek and could be usefull. I will kept you inform.

best regards

Gonzalo

L4 Transporter

Re: Advice blocking URl/ZIP

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!