Advanced Threat Prevention Discussions
Welcome to the Advanced Threat Prevention discussion area. Here, we explore Precision AI-powered protection that stops zero-day malware, exploits, and command-and-control attacks in real time—ensuring proactive defense and resilience against today’s most sophisticated threats.

Discussions

Welcome to the Threat & Vulnerability Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4172 Views
  • 0 replies
  • 0 Likes

Amazon CDN triggering lots of 38716 threats (library loading elevation of privilege)

Hello, Has anyone else noticed a very large flood of triggered 38716 threat warnings coming from Amazon CDN? That is just a very short fragment: 2018-02-26 13:301801032072THREATvulnerability2018-02-26 13:3052.222.174.180192.168.2.199Microsoft Windows library loading elevation of privilege vulnerability(38716)2018-02-26 13:301801032072THREATvul...

MarekF by L0 Member
  • 3525 Views
  • 1 replies
  • 0 Likes

SMB: User password brute force

We have been seeing SMB: User Password Brute Force Attempt threats coming into our logs. We are not seeing a UN accompanied with the traffic and they are using port 445. This just popped up recently and we are not seeing anything malicious on the client or the DC which is being reached out to. We are trying to identify what might be causin...

charlesk by L1 Bithead
  • 5395 Views
  • 1 replies
  • 0 Likes

Vulnerability block more than 3600 seconds.

Hello there, We have a constant brute force attempt on port 25 of our email server. We put the vulnerability profile to block these attacks and consequently block the ip for 3600 seconds, however in some cases this ip will try again immediately after the maximum blocking time. Is there any way to increase this type of attack for 1 day of blockin...

IbestSec by L0 Member
  • 4075 Views
  • 2 replies
  • 0 Likes

Block hash value

Hi Team, how to block the below hash values? Please help us...

The production application triggered the "HTTP SQL Injection Attempt" threat alert, resulting in the

Hi Team. Our production application triggered the "HTTP SQL Injection Attempt" threat alert, mainly ID: 33338 and ID: 36056 and ID: 36239 and ID: 54608, affecting the production business. An exception has been made; how can we determine which SQL statements triggered these threat IDs? We want to fix these vulnerabilities with such information. Th...

jianghxa by L1 Bithead
  • 6740 Views
  • 1 replies
  • 0 Likes

DLP Regex pattern does not work

Hi all, I'm trying to add a regex data pattern for the word Orion. It works everywhere, but Palo Alto just refuses to accept it and gives no reason. This is standard regex syntax ([oO][rR][iI][oO][nN]). I need the word "orion" in every possible combination of capital or lower case. The vendor is at a loss as well and we are stuck. Any help would...

igs1917 by L1 Bithead
  • 2573 Views
  • 0 replies
  • 1 Likes

Exact threat details

Hi, Is there a way to know what a specific threat ID checks for? We enabled SSL inspection for SMTP traffic and Palo started to flag every e-mail with threat ID 56951 (non-RFC compliant SMTP traffic), but ThreatDB does not provide anything useful as to what/how it is non-compliant. E-mails were received from a proper e-mail server running an o...

Some Malicious Hash File Value not detected by Palo Alto Engine

Hi Team, We have received some list of Malicious HASH files and asked us to take the necessary action. But while checking we didn't see the below listed Hash is not covered in Threat Vault. I want to know why the below mentioned Hash value is not detected in our Palo Alto Engine as a malicious file type due to this we don't have coverage on this...

SahulH by L3 Networker
  • 3513 Views
  • 1 replies
  • 0 Likes

Teardrop Packet Buffer Overflow - SCCM TFTP

Hello, on our PA-5220 we had 3 instances when our Packet Buffer Protection has been crippled by traffic from an SCCM server to a host. Protocol TFTP UDP, when VMs went through PXE boot and on file transfers from SCCM. Symptoms are that latency goes up well above 800ms crippling the network and 'show running resource-monitor ingress-backlogs' is w...

AFrank by L0 Member
  • 3663 Views
  • 0 replies
  • 0 Likes