re: 01339413


Hi Team,

One of my customers has configured a custom signature to block Windows 7 machines based on HTTP request headers. This signature is working, but it is hitting a lot of false positives as well. For example, he can see that Windows 8 and Windows 10 are also detected by this signature.

The customer has followed this KB article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHeCAK

Can you please advise what can be done next?

1 REPLY

Hi @alal,

Looking at the KB you posted, it seems the OS check comes down to a regex match on the User-Agent string in the HTTP header.

As a start I would suggest you check the regex expression and see if it matches what is expected or if it needs to be improved. It would be useful if you could paste it here.

Googling around you should be able to find how different OS versions are described in the User-Agent string. My first result says:

For Windows 10 it is Windows NT 10.0, for Windows 8 it is 6.2, for Windows 8.1 it is 6.3 and for Windows 7 it is 6.1.

https://stackoverflow.com/questions/40218173/user-agent-for-windows-7-vs-8-vs-10

So the regex expression should look like:

User-Agent:.+Windows NT 6\.1

 

This is also a very useful site: http://www.useragentstring.com/
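As an added example (not part of the thread), the regex suggested above run in Python over constructed sample User-Agent header lines for each Windows version, next to a hypothetical looser pattern that stops at the major version and so illustrates how Windows 8 and 8.1 become false positives:

```python
import re

# Regex suggested in the reply, applied to a raw request header line.
WIN7_PATTERN = re.compile(r"User-Agent:.+Windows NT 6\.1")

# Hypothetical looser pattern (not from the thread) that only checks the
# major version; Windows 8 (NT 6.2) and 8.1 (NT 6.3) then match as well.
LOOSE_PATTERN = re.compile(r"User-Agent:.+Windows NT 6\.")

# Constructed sample header lines. The NT version tokens follow the table
# quoted in the reply (10.0 = Win10, 6.3 = Win8.1, 6.2 = Win8, 6.1 = Win7).
# Caveat for tuning: Windows Server 2008 R2 also reports "Windows NT 6.1".
SAMPLE_HEADERS = {
    "windows7":   "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) Firefox/60.0",
    "windows8":   "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) Chrome/70.0 Safari/537.36",
    "windows8.1": "User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) Chrome/70.0 Safari/537.36",
    "windows10":  "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0 Safari/537.36",
    "linux":      "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0",
}


def matches(pattern: re.Pattern, headers: dict) -> list:
    """Return the sorted sample names whose header line the pattern matches."""
    return sorted(name for name, line in headers.items() if pattern.search(line))


def compare_patterns(headers: dict = None) -> dict:
    """Report which samples each pattern flags so the false-positive gap is visible."""
    headers = headers or SAMPLE_HEADERS
    return {
        "suggested": matches(WIN7_PATTERN, headers),
        "loose": matches(LOOSE_PATTERN, headers),
    }


if __name__ == "__main__":
    for label, hits in compare_patterns().items():
        print(f"{label:>9}: {hits}")
```

Running it shows the suggested pattern flagging only the Windows 7 sample, while the loose pattern also flags Windows 8 and 8.1, which is the kind of over-match worth checking for in the customer's current signature.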