antivirus block action for mail protocols

L2 Linker

Hey guys,

At a customer's location we have a PA for evaluation. Now we found that 2 viruses have been reported via SMTP. The AV policy was set to block for SMTP.

Now the question is how this has been treated. In the ACE exam, the correct answer was that it only alerts even if it is set to block, but maybe this has changed in PAN-OS 5.0.6? It would be great to know whether the customer has a virus we could disinfect as a service, or whether the PA successfully defended the "holy grounds" ;)

Accepted Solutions

L4 Transporter

If the firewall detects a virus or spyware in SMTP, a 541 response is sent to the sending SMTP server to indicate that the message was rejected. This allows the Palo Alto Networks firewall to effectively block viruses distributed over SMTP.

For POP3/IMAP, the only action the firewall will ever take is “alert”. The device will never block or drop for these protocols, even if you configure an action of “block”.
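One way to check from the sending side whether a message was rejected with the 541 response described in the answer above, as an added example that is not part of the original thread or any Palo Alto Networks tooling. It assumes the sending server is Postfix with its usual delivery log format; the log lines, hosts, queue IDs and reply texts are constructed.

```python
import re

# Assumption: the sending MTA is Postfix; this matches its smtp-client delivery
# lines that quote a remote reply. Other MTAs need a different pattern.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+),.*?status=(?P<status>\w+) "
    r"\(host \S+ said: (?P<code>\d{3})[ -](?P<text>.*?)"
    r"(?: \(in reply to (?P<stage>[^)]*)\))?\)$"
)

# Constructed sample lines; hosts, queue IDs and reply texts are made up.
SAMPLE_LOG = """\
Jan 10 09:15:02 mx1 postfix/smtp[2211]: 4F1A2C0031: to=<alice@example.com>, relay=mail.example.com[192.0.2.25]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=5.0.0, status=bounced (host mail.example.com[192.0.2.25] said: 541 Message rejected - constructed sample text (in reply to end of DATA command))
Jan 10 09:16:40 mx1 postfix/smtp[2214]: 7B3E9D0047: to=<bob@example.com>, relay=mail.example.com[192.0.2.25]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=5.4.1, status=bounced (host mail.example.com[192.0.2.25] said: 550 5.4.1 Recipient address rejected - constructed sample text (in reply to RCPT TO command))
Jan 10 09:17:05 mx1 postfix/smtp[2215]: 9C2D110042: to=<carol@example.com>, relay=mail.example.com[192.0.2.25]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9C2D110042)
"""


def find_541_rejections(log_text):
    """Return deliveries whose remote SMTP reply code was exactly 541."""
    hits = []
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line.strip())
        # Compare the parsed reply code, not a substring: "dsn=5.4.1" or an
        # enhanced status such as "550 5.4.1" must not count as a 541 reply.
        if m and m.group("code") == "541":
            hits.append({
                "queue_id": m.group("qid"),
                "recipient": m.group("rcpt"),
                "relay": m.group("relay"),
                "stage": m.group("stage"),
                "reply": m.group("text"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_541_rejections(SAMPLE_LOG):
        print(hit)
```

Matching the timestamps and recipients of these entries against the firewall's threat log shows which detections ended in a rejected message.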


4 REPLIES

L5 Sessionator

Hi,

Alert just logs the alert but does not block.

Block logs the alert and blocks the stream.

Hope this helps.

V.

Thanks for that :)

Hi,

Just saw this thread because it was referenced in another thread.

"For POP3/IMAP, the only action the firewall will ever take is “alert”. The device will never block or drop for these protocols, even if you configure an action of “block”."

--> This is not correct.

If you set the "block" action, the PA will terminate (reset) a session if a virus is found in POP3/IMAP.

Be aware that you will not be able to get any new mail from this server until you delete the virus on the server side.

(Because every time your client requests new mail, your whole session to the server will be reset, not only the one with the virus in it.)

Regards

Marco
