Why do viruses/spyware pass the PA device unblocked?

Reply
L4 Transporter

Hello

Until now I trusted that the default configuration is OK for most purposes.

Today I discovered that a few viruses passed in SMTP traffic to my email server. I'm curious why.

[screenshot]

while in web-browsing traffic the same type of application "virus" was denied.

My security rule:

[screenshot]

It is using the profile "servers". This profile looks like:

[screenshot]

so it's using the antivirus profile "default". I believed that this profile would block every kind of virus.

[screenshot]

Please tell me what I did wrong and how to change it to block every kind of virus and other unwanted stuff.

My second problem is related to spyware, and again two strange behaviors:

[screenshot]

[screenshot]

We have the same source and security. Why is it blocked one time but not the other?

[screenshot]

so the "anti-spyware" and "vulnerability protection" use strict profiles that look like:

[screenshot]

[screenshot]

Please help me!

With regards

SLawek

L4 Transporter

Re: Why do viruses/spyware pass the PA device unblocked?

The default action for SMTP is alert, not block. You need to change that in your AV profile.

For the Anti-Spyware feature: this is controlled by the Anti-Spyware profile. The DNS interception is configured under the tab "DNS Signatures", which is set to either alert, allow or block.

In your case it seems the AS profile was changed between 07:29:05 and 22:16:56.

rgds

Roland

L4 Transporter

Re: Why do viruses/spyware pass the PA device unblocked?

Hi Roland

I changed the AV profile (I created a new one and set it to block).

The AS profile uses the strict profile for both the desktops and servers profile groups. I haven't changed anything in it for months.

Today I can't find any entries in the threat log that have the alert action, so maybe it's my fault.

Regards

Slawek

L3 Networker

Re: Why do viruses/spyware pass the PA device unblocked?

You need to be aware that when you set SMTP to block, the sender will keep trying to send the email until it times out.

L4 Transporter

Re: Why do viruses/spyware pass the PA device unblocked?

Hi bartoq

I know that isn't a good idea, but do I have other options?

If I set alert for SMTP I will get viruses on my SMTP server. I'm using open-source ClamAV on it and I'm not sure that it will catch such viruses too.

If I have to choose between problems with receiving emails from the internet (I don't care about that; an email with a virus is an unwanted email for me, whether sent intentionally or accidentally through an infected computer) and getting computers infected, I choose the first option.

How have you set up your AV profiles?

I think that a good option for me now will be to monitor how AV and AS work. So I went to Custom Reports and tried to create one for it.

I think that I should use Traffic Logs and filter with action=block, but there isn't such an option:

[screenshot]

[screenshot]

So my question is how to make a report that will cover every situation when the PAN blocks something using Antivirus/Anti-Spyware/Vulnerability Protection?

In my opinion a report is the only way to get information about what is going on.

How do you deal with such problems? I hope that many people will read this topic and will share their solutions.


With regards

SLawek
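The report asked for above (every threat the firewall actually stopped, split by Antivirus/Anti-Spyware/Vulnerability Protection, next to the ones it only alerted on) can also be produced offline from a threat log export. The script below is an added example, not from this thread or from Palo Alto; the sample log and its column names are constructed, since real PAN-OS CSV exports are positional and the layout differs between versions, so map the names against the header of your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample of a threat log CSV export (not a real capture).
# Column names are an assumption; check them against your own export.
SAMPLE_THREAT_LOG = """receive_time,type,threat_type,src,dst,app,action,threat_name
2013/11/28 07:29:05,THREAT,spyware,10.0.0.5,203.0.113.9,dns,alert,Suspicious DNS Query
2013/11/28 08:02:11,THREAT,virus,198.51.100.7,10.0.0.25,smtp,alert,Virus/Sample.A
2013/11/28 09:15:40,THREAT,virus,10.0.0.31,198.51.100.20,web-browsing,drop,Virus/Sample.A
2013/11/28 12:44:03,THREAT,vulnerability,198.51.100.8,10.0.0.25,smtp,reset-both,SMTP Command Overflow
2013/11/28 22:16:56,THREAT,spyware,10.0.0.5,203.0.113.9,dns,sinkhole,Suspicious DNS Query
"""

# Actions that mean the firewall actually stopped the threat. Anything else
# ("alert", "allow") means it was only logged, which is what bit the poster.
BLOCKING_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both",
                    "block-ip", "sinkhole", "block-url"}


def summarize_threat_log(csv_text):
    """Return (counts, alert_only): counts is a Counter keyed by
    (threat_type, app, "blocked"|"alerted"); alert_only lists the
    detections that were logged but not stopped."""
    counts = Counter()
    alert_only = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["threat_type"], row["app"])
        if row["action"] in BLOCKING_ACTIONS:
            counts[key + ("blocked",)] += 1
        else:
            counts[key + ("alerted",)] += 1
            alert_only.append((row["receive_time"], row["app"],
                               row["threat_name"], row["action"]))
    return counts, alert_only


if __name__ == "__main__":
    counts, alert_only = summarize_threat_log(SAMPLE_THREAT_LOG)
    for (ttype, app, outcome), n in sorted(counts.items()):
        print(f"{ttype:14} {app:14} {outcome:8} {n}")
    print("\nDetected but NOT blocked (profile action is alert/allow):")
    for entry in alert_only:
        print("  ", *entry)
```

The second list is the useful one for tuning: every row in it is a decoder whose profile action is still alert, which on the sample data is exactly the SMTP virus and the first DNS query before the Anti-Spyware profile change.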

L4 Transporter

Re: Why do viruses/spyware pass the PA device unblocked?

Dear,

From: Threat Prevention Deployment Tech Note

Note: The reason why SMTP, POP3 and IMAP have the default action set to ALERT is because in most cases there is already a dedicated Antivirus gateway solution in place for these protocols. Specifically for POP3 and IMAP, it is not possible to clean files or properly terminate an infected file-transfer in-stream without affecting the entire session. This is due to shortcomings in these protocols to deal with this kind of situation.

From: Re: antivirus block action for mail protocols

For POP3/IMAP, the only action the firewall will ever take is “alert”. The device will never block or drop for these protocols, even if you configure an action of “block”.

Kind regards,

Bob

Not applicable

Re: Why do viruses/spyware pass the PA device unblocked?

hi bdeschut

I have already found the same descriptions that you have in the PAN-OS docs, but how are Palo Alto devices then meant to protect against viruses and malware/spyware coming into the network from people's personal webmail and other personal apps using POP3 or IMAP?

Are there no solutions to use Palo Alto devices to stop viruses that come with traffic using these protocols?

Is it simply a matter of totally blocking everything that has to do with POP3 and IMAP from entering the network?

There must be a way to filter and protect users even if they are using these protocols, or am I wrong?

L2 Linker

Re: Why do viruses/spyware pass the PA device unblocked?

Has someone got an answer for this kind of issue? I'm also in the process of modifying the default profile for Antivirus and setting a block rule for SMTP, POP3 and IMAP if the PA detects an anomaly in its payload. Is it a good practice?

L3 Networker

Re: Why do viruses/spyware pass the PA device unblocked?

Hi, just to correct the previous statement from the other thread:

###

"For POP3/IMAP, the only action the firewall will ever take is “alert”. The device will never block or drop for these protocols, even if you configure an action of “block”."

###

--> This is not correct.

If you set the "block" action, the PA will terminate (reset) a session if a virus is found in POP3/IMAP.

Be aware that you will not be able to get any new mail from this server until you delete the virus on the server side.

(Because every time your client requests new mails, your whole session to the server will be reset, not only the one with the virus in it.)

Regards

Marco

L4 Transporter

Re: Why do viruses/spyware pass the PA device unblocked?

Hey Marco,

I think you are right here!

Setting it to block for POP3 will definitely block it, but in the process "break" the POP3 account as you explained.

Thank you for setting this straight.

* POP3/IMAP + block -> You cannot get new email from this server until the virus email is deleted from the server. Otherwise the whole POP3 session will be dropped each time you retry to retrieve your emails.

* SMTP + block -> An SMTP 541 error message will be sent as part of the block action when a virus is detected. This will tell the mail server not to retry sending the message, allowing the firewall to drop the mail without the mail server trying to resend it. So I don't really see why the default action would be just alert. I guess some SMTP servers will not listen to these 541 error messages and keep resending the email...

You may also find that in the latest Palo Alto admin guide (6.1) there is no mention anymore of "it's not possible to block POP3 viruses".

They just skim right over the topic and don't mention why the default action is alert instead of block for certain protocols.

The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols while blocking for FTP, HTTP, and SMB protocols. Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
