12-10-2014 12:31 AM
Hi,
We are receiving the same emails which, on 28/11/14, infected our system with CryptoLocker. These links come from different domains but have in common the following URL:
http://xxxxxxxx.xx/Billing/invoice.zip. How could we avoid ending up with infected systems if someone clicks the link?
Any advice?
Thanks
12-10-2014 12:49 AM
Hello COS
Do you have AV/threat/WildFire protection applied on the security rules that pass traffic to the internet?
Do you have the latest updates applied? CryptoLocker is well-known malware (but it's still changing its code). Did you create a support case for this false positive?
In my opinion you have to create data filtering if the filename is always "invoice.zip". I tried to find examples in the archive but didn't find any examples of how to do it.
I hope that someone gives you examples.
Regards
Slawek
12-10-2014 12:55 AM
We have only the URL filtering license. We have updated the virus/threat signatures. We have thought of adding this line to the block list (URL filtering profile): */invoce.zip
Would it work?
12-10-2014 01:10 AM
Did you read:
http://researchcenter.paloaltonetworks.com/2013/11/palo-alto-networks-can-stop-cryptolocker/
Please follow these documents carefully. CryptoLocker isn't a "simple" malware, so without additional licences I think it will be hard to detect and stop it.
Regards
Slawek
12-10-2014 01:14 AM
Which license is necessary to use FILE BLOCKING?
We have only the URL FILTERING and THREAT PREVENTION licenses.
12-10-2014 02:35 AM
According to Data Filtering and File Blocking - Palo Alto Networks and my understanding, it uses the THREAT PREVENTION license.
Regards
Slawek
12-10-2014 10:23 AM
Are you using a spam filter? Maybe blocking the incoming emails, filtering by attachment or content, may be a quicker solution.
Or create a data filtering profile for file type .zip, direction = download, with regex to match invoice.zip, and then apply it to your security policies. Note: I haven't tested this.
Larry
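The two suggestions above (the URL filtering block-list entry proposed earlier in the thread and Larry's data filtering profile with a regex on the file name) both come down to a pattern match on the requested URL. The following is an added example, not code from the thread or from Palo Alto Networks; it models both checks in plain Python over a few constructed log-style records so their behaviour can be compared. The hosts, source IPs and URLs other than the one quoted in the question are made up, and the "invoce.zip" entry is reproduced exactly as written in the earlier post so the effect of that spelling shows up in the output.

```python
import re
from typing import List, Optional

# Constructed sample of firewall URL-log style records: (source host, requested URL).
# Only the first URL appears in the thread; the rest are placeholders for this example.
SAMPLE_REQUESTS = [
    ("10.1.1.20", "http://xxxxxxxx.xx/Billing/invoice.zip"),
    ("10.1.1.21", "http://other-domain.example/Billing/invoice.zip"),
    ("10.1.1.22", "http://third.example/Billing/invoce.zip"),       # spelled like the block-list entry
    ("10.1.1.23", "http://fourth.example/Billing/invoice_2014.zip"),  # renamed attachment
    ("10.1.1.24", "http://vendor.example/docs/invoice.pdf"),          # not a zip at all
]


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Turn a block-list style wildcard such as '*/invoice.zip' into an anchored regex.
    Only '*' is special (matches anything); every other character is matched literally."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def url_blocked(url: str, block_list: List[str]) -> Optional[str]:
    """URL-filtering style check: return the block-list entry matching the URL
    (scheme stripped, host and path compared), or None if nothing matches."""
    target = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    for entry in block_list:
        if wildcard_to_regex(entry).match(target):
            return entry
    return None


def zip_download_blocked(url: str, name_regex: str) -> bool:
    """Data-filtering style check: block only when the requested file is a .zip
    and its name matches the given regex (file type + name pattern, direction download)."""
    path = url.split("?", 1)[0]
    filename = path.rsplit("/", 1)[-1]
    return filename.lower().endswith(".zip") and re.search(name_regex, filename, re.IGNORECASE) is not None


def evaluate(requests, block_list: List[str], name_regex: str):
    """Run both checks over the records and report the verdict for each."""
    results = []
    for src, url in requests:
        results.append({
            "src": src,
            "url": url,
            "url_filter_hit": url_blocked(url, block_list),
            "data_filter_hit": zip_download_blocked(url, name_regex),
        })
    return results


if __name__ == "__main__":
    for entry in ["*/invoce.zip", "*/invoice.zip"]:
        print(f"block-list entry {entry!r}:")
        for r in evaluate(SAMPLE_REQUESTS, [entry], r"invoice\.zip"):
            print(f"  {r['src']} {r['url']}  url_filter={r['url_filter_hit']!r}  data_filter={r['data_filter_hit']}")
```

Running it shows the practical limits the thread goes on to discuss: the entry as typed in the earlier post matches nothing but a URL that shares the same spelling, and even the corrected `*/invoice.zip` (or a data filtering regex on that exact name) misses a renamed attachment such as `invoice_2014.zip`, so a rule keyed to one literal file name only holds as long as the sender keeps using it.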
12-10-2014 05:22 PM
Yet another option to help you prevent further infections...
http://xxxxxxxx.xx is most likely a shady domain.
You can respond to the DNS query with a honeypot IP and do a DNS sinkhole, thus preventing the infection.
Check out:
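To make the sinkhole suggestion concrete, here is an added example that is not part of the post above and not a Palo Alto Networks feature: a minimal DNS sinkhole decision in Python using only the standard library. It parses an A query, and if the name is on a sinkhole list it forges a response pointing at a honeypot address; otherwise it returns None, meaning the query should be forwarded to a real resolver. The sinkhole domain list and the honeypot IP 10.99.99.99 are assumptions for the example, and the query used to exercise it is constructed inline.

```python
import socket
import struct
from typing import Optional, Tuple

# Assumed sinkhole list and honeypot address for this example (not from the thread).
SINKHOLE_DOMAINS = {"xxxxxxxx.xx"}
HONEYPOT_IP = "10.99.99.99"
SINKHOLE_TTL = 60


def parse_query(packet: bytes) -> Tuple[int, str, int, int, int]:
    """Parse the header and single question of a DNS message.
    Returns (transaction id, lowercased qname, qtype, qclass, offset just past the question)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question we originate
            raise ValueError("unexpected name compression in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, qclass, pos + 4


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a standard recursive A query (qtype 1, class IN) for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def is_sinkholed(qname: str) -> bool:
    """Match the exact domain or any subdomain of a listed domain."""
    return qname in SINKHOLE_DOMAINS or any(qname.endswith("." + d) for d in SINKHOLE_DOMAINS)


def sinkhole_response(query: bytes) -> Optional[bytes]:
    """Return a forged A answer pointing at HONEYPOT_IP for sinkholed names,
    or None when the query should be passed to the real upstream resolver."""
    txid, qname, qtype, qclass, qend = parse_query(query)
    if qtype != 1 or qclass != 1 or not is_sinkholed(qname):
        return None
    # Flags 0x8180: response, recursion desired, recursion available, NOERROR.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:qend]
    # Answer: name pointer to offset 12 (0xC00C), type A, class IN, TTL, rdlength 4, IPv4.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, SINKHOLE_TTL, 4) + socket.inet_aton(HONEYPOT_IP)
    return header + question + answer


def answer_ip(response: bytes) -> str:
    """Extract the address from the single A record in a response built by sinkhole_response."""
    _, _, _, _, qend = parse_query(response)  # question section is laid out the same way
    return socket.inet_ntoa(response[qend + 12: qend + 16])


if __name__ == "__main__":
    for name in ["xxxxxxxx.xx", "www.xxxxxxxx.xx", "example.com"]:
        resp = sinkhole_response(build_query(0x1234, name))
        print(name, "->", answer_ip(resp) if resp else "forward to upstream resolver")
```

Pointing the forged answer at a honeypot address rather than simply refusing the query is what makes the sinkhole useful for response as well as prevention: any internal host that then connects to 10.99.99.99 has tried to reach the listed domain, which is exactly the list of machines to pull off the network and check. The weakness Gonzalo raises still applies here: the list has to be kept fed with the current domains, so this is a containment measure to pair with a feed, not a one-off entry.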
12-10-2014 11:18 PM
Hello
The problem is that the mail sender and the name of the attached file change. This happened several weeks ago and I created a rule to deny the source, but now the source is different and so is the file name.
So data filtering to deny incoming zip files with the regex "invoice.zip" won't be useful in the future, and redirecting the web page to a honeypot or sinkhole has the same problem: it changes over time.
I read the post from Slawek and it could be useful. I will keep you informed.
Best regards
Gonzalo
12-11-2014 04:10 AM
Hello
Two more docs:
Ensuring Optimum Protection for CryptoLocker and P2PZeus (GameOverZeus)
How to Deal with Conficker using DNS Sinkhole
I hope that will be helpful for you.
Regards
Slawek