Newly registered domains - how does PANDB classify them?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Newly registered domains - how does PANDB classify them?

L4 Transporter

I'm not really sure how to title this one but here goes Smiley Happy

A great many of the links in cryptolocker/zeuss type stuff links to domains that are brand new, yet quite a few of them seem to be in PAN-DB in categories like "Shopping" or "Business and Economy".

If I go out tomorrow and register a domain, presumably at that point it's "Unknown".

What's the process by which it ends up in a given category in PANDB please?

http://whois.domaintools.com/yoyosasa.com

http://whois.domaintools.com/wawamediana.com

http://whois.domaintools.com/qoweiuwea.com

http://whois.domaintools.com/khalisimilisi.com

http://whois.domaintools.com/dominikanabestplace.com

http://whois.domaintools.com/yaroshwelcome.com

As some examples of recent stuff.

8 REPLIES 8

L6 Presenter

Please refer following document to submit URL change request for PAN-DB.

How to Submit a Mis-Categorized URL for PAN-DB

L7 Applicator

Hello Networkadmin,

If there is a new domain and PAN-DB database doesn't have that information, it will send a query to the cloud and cloud will update to the PAN FW'.

For example:If there is a new domain cretead today as abcd.com, immedeately the PAN firewall will categorize as "unknown", but as soon as it will send a query and get the correct category information it will update it's data-base.

Thanks

L5 Sessionator

Hi networkadmin,

Generally speaking, for non-malware related URLs, PAN-DB will crawl and categorize domains as we see them.  This can happen either because our crawler has found a new site, someone has submitted a change request for an unknown site, or because a customer device queried our servers for that URL.  As HULK mentioned above, once we see an unknown on our servers, we will put that in a prioritized queue for crawling and classification.  Once we determine a category, it will get included in the next database refresh. 

For malware domains, PAN-DB will categorize a URL/IP as malware as long as WildFire has associated it with malicious activity.  Regarding the Cryptolocker lists published by the FBI/Infragard, we do subscribe to such lists, and we will create threat signatures around them, as well as feed the domains/IPs listed into PAN-DB.  For those malware families that utilize DGAs, we will phase in DNS signatures as those domains go live (typically a few days before), and then disable them as they get taken down.  In the past, once we disabled signatures, we also removed the corresponding entries in PAN-DB.  Starting with the most recent InfraGard list (Cryptolocker/GameOverZeus), we started adding all domains at once to PAN-DB, and will keep them categorized as malware until otherwise notified.

As for your list of examples, I checked PAN-DB, and we currently categorize all of them as malware with the exception of the first two.  If you have additional examples of URLs from the InfraGard list that is not categorized as malware, please send me a private message and I can check them for you and see what's going on.

Thanks,

Doris

Hi Doris, thanks for that really detailed reply - appreciate it Smiley Happy

I guess I'm trying to understand how the two domains that weren't malware were classified as anything other than malware?

I'm not asking to criticise, I'm genuinely curious as there must be thousands if not more domains registered daily - I'd assumed they'd all go into "unknown" until some manual process happened?

Hi networkadmin,

You are correct.  By default, any newly registered domain will be "unknown" in PAN-DB until we've taken a look at it - either manually by our analysts/threat team, or via our crawler (triggered on some event). Our threat team took a look at the list you sent, and they are from a non-critical list published by InfraGard recently.  As mentioned, most of these have been included in PAN-DB already as "malware", but the two exceptions did not resolve, and thus were not included in PAN-DB. 

--Doris

does anyone know which version of PAN OS is required to get the "Newly Registered Domains" category?? I'm running version 8.1.15 and I don't see that Category is the list.

 

That is a feature of PAN-OS 9.0, documented in our new features guide.

Help the community! Add tags and mark solutions please.

Awesome thanks so much for the info. I suspected that was the case, as i also have firewalls running the 9.x code and they have that category.

 

  • 6390 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!