re: 01339413

L2 Linker

Hi Team 

 

One of my customers has configured a custom signature to block Windows 7 machines based on HTTP request headers. This signature is working but is hitting a lot of false positives as well. For example, he can see that Windows 8 and Windows 10 are also detected by this signature.

 

The customer has followed this KB article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHeCAK

 

Can you please advise what can be done next?

 

L4 Transporter

Hi @alal 

 

Looking at the KB you posted, it seems the OS check comes down to a regex match on the HTTP header User-Agent string.

As a start, I would suggest you check the regex expression and see whether it matches what is expected or needs to be improved. It would be useful if you could paste it here.

 

Googling around you should be able to find how different OS versions are described in the User-Agent string. My first result says:

For Windows 10 it is Windows NT 10.0, for Windows 8 it is 6.2, for Windows 8.1 it is 6.3 and for Windows 7 it is 6.1.

https://stackoverflow.com/questions/40218173/user-agent-for-windows-7-vs-8-vs-10

So the regex expression should look like:

User-Agent:.+Windows NT 6\.1

 

This is also a very useful site - http://www.useragentstring.com/
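One way to check a candidate pattern against labelled User-Agent samples before putting it in a signature, as an added example that is not part of the original posts. It uses Python's re module rather than the firewall's own pattern engine, and the sample requests and the "loose" and "unanchored" patterns are constructed for illustration.

```python
import re

# Constructed sample requests (not captured traffic), labelled with the real client OS.
UA = "Mozilla/5.0 (Windows NT {v}; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)"

def request(version, extra=""):
    return ("GET / HTTP/1.1\r\nHost: example.test\r\n"
            "User-Agent: " + UA.format(v=version) + "\r\n" + extra + "\r\n")

SAMPLES = [
    ("Windows 7", request("6.1")),
    ("Windows 8", request("6.2")),
    ("Windows 8.1", request("6.3")),
    ("Windows 10", request("10.0")),
    # Windows 10 client whose Referer happens to contain the Windows 7 token.
    ("Windows 10", request("10.0", "Referer: http://example.test/?q=Windows NT 6.1\r\n")),
]

def evaluate(pattern, target="Windows 7"):
    """Return (false_positives, false_negatives) as lists of OS labels."""
    rx = re.compile(pattern)
    fp, fn = [], []
    for os_name, raw in SAMPLES:
        hit = rx.search(raw) is not None
        if hit and os_name != target:
            fp.append(os_name)      # signature fired on a non-target OS
        elif not hit and os_name == target:
            fn.append(os_name)      # signature missed the target OS
    return fp, fn

PATTERNS = {
    "reply": r"User-Agent:.+Windows NT 6\.1",  # pattern from the reply above
    "loose": r"Windows NT",                    # hypothetical over-broad pattern
    "unanchored": r"Windows NT 6\.1",          # hypothetical: no header anchor
}

if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        fp, fn = evaluate(pat)
        print(f"{name:11} false positives={fp} false negatives={fn}")
```

The unanchored variant fires on the Windows 10 request because the token appears in another header, which is why the pattern is tied to the User-Agent line.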

 

 
