Advanced Threat Prevention Discussions
Welcome to the Advanced Threat Prevention discussion area. Here, we explore Precision AI-powered protection that stops zero-day malware, exploits, and command-and-control attacks in real time—ensuring proactive defense and resilience against today’s most sophisticated threats.

Discussions

Welcome to the Threat & Vulnerability Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4170 Views
  • 0 replies
  • 0 Likes

How to allow a specific Youtube video while all the rest of Video-Streaming websites are blocked

Hi Everyone, I followed this thread posted a number of years back and my issue is not yet solved: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Allow-a-Single-Facebook-YouTube-or-Twitter-Page/ta-p/57542 Basically, Video-Streaming in general as a category is blocked in our company and I need to unblock a specific YouTube video. I ha...

How will threat functionality work with asymmetric routing

I would like to understand what will happen to Threat Protection and AntiVirus (TPAV) in the following case. Both firewalls have "allow" non-syn-tcp turned on. Each firewall is only seeing half of the session and has no idea about the other half. My question is: will Palo be able to detect any threats or vulnerabilities, (or) does it need to se...

SuryaR by L3 Networker
  • 4884 Views
  • 2 replies
  • 0 Likes

Exempt domain name instead of exempt ip address for vulnerability

Hello, We get a large amount of high severity threat alarms when users visit Yahoo; they were triggered by this URL s.yimg.com/aaq/yc/js/tdv2-applet-canvass.8739955d2bd825cb0aa2.min.js (8739955d2bd825cb0aa2 is a random string that changes every time). I would like to set up an exception for s.yimg.com, but its IP always changes too and you can only...

AK-X by L0 Member
  • 4320 Views
  • 1 reply
  • 0 Likes

Test that a Threat Signature is Enabled?

Hello, Is there a way of testing if a specific Threat Signature is enabled? I recently automated critical threat signatures, both vulnerabilities and anti-spyware, to be set to reset-both, but I want to make sure it is working and the new critical signatures are indeed enabled and ready to reset-both. I have done some random searches and haven't...

kamorris by L1 Bithead
  • 5520 Views
  • 1 reply
  • 0 Likes

Finding the offending file associated with threat event

I’m having an issue identifying the offending file that triggered a vulnerability detection. We had an IT admin transfer a large batch of files across a network segment that traveled through one of our PA firewalls. One of the transfers triggered an alert for an Adobe Reader remote code execution signature. The “file name” in Panorama shows “content.xml” ...

r_gine by L1 Bithead
  • 3723 Views
  • 0 replies
  • 1 Like

class not found

Hello, I wrote a prototype from the panos class, then created a local prototype in committer-config.yml, restarted minemeld, and everything is up and running. Then I created the prototype in /opt/minemeld/local/prototypes/***.yml, and I can see it in the Web UI. I cloned it and tried to COMMIT. I receive the error "class panos is not found". Here is the engine log 2018-11-...

zulaa by L1 Bithead
  • 4174 Views
  • 1 reply
  • 0 Likes

Threat Logs

I believe I have everything configured correctly for threat prevention. Able to see traffic in every log type except for threat. Licensed and download/install is up to date. Been through some generic troubleshooting steps that haven't helped. Any ideas on where I need to go next?

mcragg by L1 Bithead
  • 6297 Views
  • 3 replies
  • 0 Likes

Allowing ms-update on app-default, File blocking PE and therefore no windows updates

New PAN implementation and blocking per PA best practice (PE, multi-level, etc.) and allowing ms-update on application default. However, the WSUS server is not able to download any updates and it's classifying a PE file as a threat. The file in question is am_delta_patch_1.249.1313.0_52b04aae0eb450654fc89884b43d10b7ed5 and threat-id is 52060 bu...

drewdown by L4 Transporter
  • 29170 Views
  • 3 replies
  • 2 Likes

Zone protection working and logging

Hi dears, I have a query regarding the working of #ZoneProtection. What should be the action for #flood protection? Is the packet allowed, or will the security policy be checked? Also, packet capture should work if such a flood is detected, but I am not getting any capture in our logs. Could anyone please clarify these? Regards, Sandeep

Blocking Tor with Toro

I recently had to work with local and federal law enforcement to resolve the following. http://www.ktvz.com/news/mtn-view-hs-bomb-threat-traced-to-eugene-14-year-old/653184885 Because of this, I've created a small piece of software (MIT Licensed) that caches the ip addresses of Tor exit nodes, and creates configuration files for different servic...

jfolkins by L1 Bithead
  • 13034 Views
  • 8 replies
  • 1 Like

Changing Severity Alerts for Specific Vulnerability Severity

One of the logging capabilities allows us to provide an email for certain severity alerts. We are getting inundated with alerts coming in from the baddies on the internet for certain types of alerts. For instance, there is the "Netis/Netcore Router Default Credential Remote Code Execution Vulnerability(39587)" and that is a high severity. Sin...

THREAT false positives on MS software when using Global Protect.

I'm seeing what looks like a lot of false positives when using GlobalProtect. For example, Microsoft's Logon.exe executable and any MS Endpoint patches. An example is AM_Engine_Patch_1.1.15400.4.exe, SHA-256 Hash: 74f9dc35fc9f5ab02e46843e8ccf569478961ea58dc2655690516199c1eab928, which PAN-OS 8.0.7 is flagging as Virus/Win32.WGeneric.tphtk(214705593). I ...

NormCook by L0 Member
  • 6131 Views
  • 1 reply
  • 0 Likes

Issue Content release 8061-4973 on PAN-OS 8.1

Hi all, We have experienced big issues after content release 8061-4973 was installed on our 3250 with PAN-OS 8.1.3: - Threat id 40736 was suddenly blocking a lot of legitimate http(s) traffic. - Radius authentication worked randomly, but 95% of the time NOT. - A download from a Symfony server waits 1 minute before the download starts. After rollin...

  • 545 Posts
  • 78 Subscriptions