This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Handling Potention Exploits

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Handling Potention Exploits

Go to solution
jimmy.gonzalez
L1 Bithead

‎12-14-2016 11:41 AM

Recently our company switched to Traps Endpoint protection.  Still in learning mode, and triggered a exploit protection, from what appears to be a word doc.  There is no upload to Wildfire, (thought I did manually retrieve the file and upload it).  How do you all normally verify that it was a exploit and not a false positive?

0 Likes Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
lhayun
L6 Presenter
In response to mmoshiri

‎12-15-2016 07:36 AM

Adding to what Michael already mentioned, the UI provides some visibilty to the event information, but not a complete one. Upon prevention, the agent also create a memory dump of the exploited process and that dump can be retrived from the ESM (using the "retrive data" button in the security event details) and can be analyzed to  better understand the exploitation attempt. Our Support team can also assist with analyzing the event and providing next steps.

View solution in original post

0 Likes Likes
8 REPLIES 8

Go to solution
mmoshiri
L1 Bithead

‎12-14-2016 12:01 PM

Hi Jimmy,

 

Thanks for the question. 

 

Traps does not load exploit samples to WildFire (the way our NGFWs can/do).

 

The exploit prevention capabilities of Traps (EPMs) are injected into each process as it starts (Word, in this case) and detect and block expoitation attempts on the spot. If Traps identified a Word doc as the source of an exploitation attempt, it is safe to assume that it is a weaponized file... or one that was manipulated in some way that triggered an EPM. 

 

The record of the exploitation prevention in the ESM backend will tell you what EPM was triggered. And it will give you some additional information about the event as well.

0 Likes Likes

Go to solution
jimmy.gonzalez
L1 Bithead
In response to mmoshiri

‎12-14-2016 12:16 PM

When you say "The record of the exploitation prevention in the ESM backend will tell you what EPM was triggered. And it will give you some additional information about the event as well.".

 

So  you mean in the ESM console going to the Security Events tab, then going to "Exploits" under the "Notifications" section?

0 Likes Likes

Go to solution
mmoshiri
L1 Bithead
In response to jimmy.gonzalez

‎12-14-2016 12:25 PM

Yes... but under the "Preventions" tab, like the image attached.ESM exploit details.png

0 Likes Likes

Go to solution
jimmy.gonzalez
L1 Bithead
In response to mmoshiri

‎12-14-2016 12:27 PM

We are actually in "learning" mode, so this wasnt prevented, but just a notification.  But I was looking at the same screen.  Thanks.

0 Likes Likes

Go to solution
mmoshiri
L1 Bithead
In response to jimmy.gonzalez

‎12-14-2016 12:28 PM

Oh yes... you did say that. My mistake... so you're on the right track.

0 Likes Likes

Go to solution
lhayun
L6 Presenter
In response to mmoshiri

‎12-15-2016 07:36 AM

Adding to what Michael already mentioned, the UI provides some visibilty to the event information, but not a complete one. Upon prevention, the agent also create a memory dump of the exploited process and that dump can be retrived from the ESM (using the "retrive data" button in the security event details) and can be analyzed to  better understand the exploitation attempt. Our Support team can also assist with analyzing the event and providing next steps.

0 Likes Likes

Go to solution
jimmy.gonzalez
L1 Bithead
In response to lhayun

‎12-15-2016 08:43 AM

Thanks, thats more or less what I was after.  It looks like the retrieve data creates a rule, and then I would retreive the data from the "Monitor",  "Data Retrieval"?

0 Likes Likes

Go to solution
lhayun
L6 Presenter
In response to jimmy.gonzalez

‎12-15-2016 11:15 PM

Exactly. The data retrival create an action for the agent to send the data on the next time it connects to the ESM. Once the data is recieved by the ESM it will appear in the "Data Retrieval" screen.

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks