This document describes how to verify the trigger direction of spyware signatures for downloaders that appear in the threat log.
The signatures in the table below detect malicous downloaders attached to emails. The signatures work for both SMTP and POP3, in other words, they can detect both cases; a). when the attacker sends the file inbound over SMTP and b). when the victim downloads the file from the mailserver over POP3.
|14700||Locky.LNKDownloader.Gen Script Detection||server-to-client|
The "direction" of the signatures is set as server-to-client except for ID: 14283(this is just for logging purposes in the threat log, they will still trigger in either direction). We have updated the "direction" of ID: 14283 to client-to-server in order to cover most common scenario.
172.28.30.225 : POP3 server / SMTP server
192.168.226.225 : Mail client (User)
Threat ID : 14283
Malicious email is sent over the firewall from the client to the SMTP server, then the email is received from the POP3 server to the client.
Here's the part of the threat log exported as a csv file from the firewall.
In case of POP3, since the direction is client-to-server, it looks as if the attack was performed by the user against the server from 192.168.226.225 to 172.28.30.225.
In the same manner, if the direction of the signature is server-to-client and in case of SMTP, the threat log appears in opposite direction.
This is a limitation of the way direction for writing the threat logs is designed for threat signatures and this is an expected result.