Chrome Updater not working if EXE is blocked / application not recognized

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Chrome Updater not working if EXE is blocked / application not recognized

L0 Member

Hi,

in one customer setup we face the following problem: We disabled EXE file downloading. In order do allow services to update we use an application filter with subcategory update and allow that traffic. Works like a charm for google-update, ms-update etc. However today I noticed tons of blocks from xxxxxx_Chrome_updater.exe (xxxxx being date, version etc.). The application is "web-browsing". So the update process is not discovered as being an update application. Is this an error or missing feature in the app-id? How can I whitelist this or make a custom application out of this? We see this more often with special EXEs we need to whitelist. Any idea of how to achieve this?

Kind regards,

  JP

3 REPLIES 3

L6 Presenter

1) You posted in wrong subforum - hopefully someone from PA could move your thread so more people will notice it 🙂

2) You can request app enhancement from the Apps and Threats Research Center.

http://www.paloaltonetworks.com/researchcenter/tools/

From there you can click on Submit an app and provide details there.

3) As workaround I think you can do an "application override" if you have something to trigger at. Like:

dsturl: update.google.com

appid: web-browsing

file: .exe

new appid: google-update

Hi.

ad 1) sorry. which one would have been more suitable? Still have to find my way around Jive I suppose...

ad 2) Done.

ad 3) This is more or less exactly what I want. But I fail to see where/how to do this.

dsturl: update.google.com does not exist. I am trying to figure out which one is the correct URL. I started a pcap and hope that the next request will show the necessary information.

But how do you configure this sort of application override? The ones I know are based on source/destination IP/port not application/file etc. I could create a new application which is based on signatures but how? Where to put the url (request uri?) and how to match on the filename (I would need a regex for that if regex is supported).

Kind regards,

  JP

1) Click on Home in the upper left then on KnowledgePoint and finally Discussion 🙂

3) Oops sorry... application override doesnt act on url. However you can go for dstip (which I guess wont work in this case since its Google we speak about and too many ip's).

Custom application would then be the way to go...

I think something like this might help you:

parent-app: web-browsing

defaults port: tcp/443 (assuming its using https only)

ip protocol: 6 (tcp)

scanning: file-types, data-patterns, viruses

and then the actual signature... check page 171 in the admin guide for examples.

Since this is mainly to allow traffic I think you should be as narrow as you possible can.

Dont forget to have ssl-termination running in order to inspect the https contents.

  • 2857 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!