06-07-2012 12:43 PM
Hello PAN,
Today I had a client get infected with the "Windows Privacy Module" Fake AV. This wasn't caught by either PAN-OS or Trend Micro, while a MalwareBytes scan found it and removed it no problem. Is there something more I can do to increase the odds of my PA SG catching these? I do keep the AV software up to date along with the PAN-OS, and I do have the Security profile on all ingress traffic set to block.
Thanks,
06-07-2012 12:55 PM
This looks like a false negative bypassing the PAN-OS firewall. Please open a support case providing the following info:
(1) sample pcaps
(2) Reference URLs/links etc. associated with the virus.
Refer to https://live.paloaltonetworks.com/docs/DOC-1283 for future reference.
Thanks ,
Ameya
06-07-2012 01:39 PM
As a side note, you could also enable SSL decryption in order to be able to inspect HTTPS traffic as well. Along with that (if possible), block .exe and other file types from being downloadable by the clients. And to top it off, you could enable URL categorization and block the following categories:
Keyloggers and Monitoring
Malware sites
Spyware and Adware
06-08-2012 05:21 AM
Thanks, I'll give these a shot.
06-08-2012 07:32 AM
From what I have been reading on inbound SSL decryption it looks like we would have to have our own Microsoft certificate server. Is this correct?
Thanks,
06-08-2012 11:27 AM
That's incorrect.
You need to install a self-signed CA cert (along with its private key) in your PA device and then install the public key as a "trusted CA" in your clients' browsers (if you have an AD, you can push this CA public key through GPO).
This CA cert (for SSL termination) can be created by using the openssl binary.
However, depending on your company regulations regarding certs and the like, and especially if you already have a PKI infrastructure, I would use the PKI environment to create either a new CA or an intermediate CA to be used in your PA.
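The openssl steps described in the post above, as an added example that is not part of the original thread or any Palo Alto Networks documentation: generate a self-signed CA (certificate plus private key) suitable for forward-proxy decryption, and export the public certificate alone in DER form for distribution to clients. The subject name, file paths and 5-year lifetime are made-up values; the private key is meant to be loaded onto the firewall only and never pushed to clients.

```shell
#!/bin/sh
# Added example (not from the original thread): build a self-signed CA
# for SSL forward-proxy decryption with the openssl binary, then export
# the public certificate (no private key) for the client trust store.
# Assumptions: openssl 1.1 or later is installed; subject and paths are made up.
set -e

make_decrypt_ca() {
  outdir="$1"
  mkdir -p "$outdir"
  # Minimal config: a CA certificate must assert basicConstraints CA:TRUE
  # and the keyCertSign usage, or browsers will refuse certs it signs.
  cat > "$outdir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Corp Forward Proxy CA
O  = Example Corp
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Key pair and self-signed cert in one step; the key stays on the firewall.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
    -keyout "$outdir/ca.key" -out "$outdir/ca.crt" \
    -config "$outdir/ca.cnf" 2>/dev/null
  chmod 600 "$outdir/ca.key"
  # DER copy of the public certificate only, for GPO / browser import.
  openssl x509 -in "$outdir/ca.crt" -outform DER -out "$outdir/ca.der"
}

# Returns 0 only if ca.crt is a real CA (CA:TRUE + Certificate Sign)
# and its public key matches the private key in ca.key.
check_decrypt_ca() {
  outdir="$1"
  text=$(openssl x509 -in "$outdir/ca.crt" -noout -text)
  echo "$text" | grep -q 'CA:TRUE' || return 1
  echo "$text" | grep -q 'Certificate Sign' || return 1
  k1=$(openssl pkey -in "$outdir/ca.key" -pubout 2>/dev/null | openssl sha256)
  k2=$(openssl x509 -in "$outdir/ca.crt" -pubkey -noout | openssl sha256)
  [ "$k1" = "$k2" ]
}

# Usage: sh this_script.sh /path/to/outdir
if [ -n "$1" ]; then
  make_decrypt_ca "$1"
  check_decrypt_ca "$1" && echo "CA ready in $1 (import ca.crt + ca.key on the firewall, ca.der on clients)"
fi
```

Only `ca.der` (or `ca.crt`) goes to the clients; in an Active Directory domain the usual place to push it is the Trusted Root Certification Authorities store under Public Key Policies in a computer GPO. Keep `ca.key` restricted to the firewall, since anyone holding it can issue certificates every client will trust.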