Hopefully the title will generate some interest and feedback!
To keep this brief, I'm happy with the effectiveness of the PA IPS; the NSS Labs test results proved this, and well done PA, it appears to be world class.
The effectiveness of the PA antivirus/spyware engine is, however, another kettle of fish. Here I struggle to see the malware protection being anywhere near as effective. To lay some foundation for my observation, our endpoint anti-malware solution provides us near real-time alerts of probable virus infection. When researching, it's obvious the traffic originated from the Internet, usually HTTP 🙂 and yes, we are doing SSL decrypt with threat prevention inspection. My experience, based on endpoint alerts, is that the firewall is missing more malware than I would have expected. PS: to clarify, our endpoint solution has a low false-positive detection rate.
So having made this observation, my question now is... does PA have any reports we can see to compare its malware engine effectiveness to, say, that of Sophos? What are other PA end users' experiences? It could just be me after all 🙂 and if my observations prove true... what can we expect to see (from an anti-malware perspective) to improve what's an overall great product?
More an observation than anything I've gone into in any depth, but our PAN doesn't seem to stop much at all in the way of viruses/malware; it's usually down to the desktop A/V.
I'd be very interested in any recommendations from Palo Alto on what should be tweaked in addition to simply enabling the default AV/malware profiles on the outbound traffic rules that you want to protect.
We are looking at various ways to complement our signature detection engine with heuristic/behavior based methods for discovering infected hosts in the network based on network traffic that we detect. In PAN-OS 4.0, we introduced a botnet detection report that does just that. We are constantly looking at ways to improve both signature and heuristic detection mechanisms and welcome feedback from our customers.
Thanks for the reply. Yes, I take the point that client-side AV has an advantage over "inline" scanning, and I can see that it appears as though I was comparing the two; I actually wasn't, except to make the point that 98% of my AV alerts originate locally now. It's not to say we have that many alerts... just my observation that there are precious few viruses/spyware the firewall blocks, and with a previous proxy + AV scanning solution we saw more "hits".
So from that perspective I became curious as to how PA measures the effectiveness of their solution. Keep me posted if you do manage to get some "accreditation" or the like.
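One way to put a number on the observation above (how many endpoint detections the inline engine never saw, and how many it saw but only alerted on) is to correlate endpoint AV alerts against the firewall threat log by source host and time. The following is an added example, not code from the thread or from Palo Alto; the two inputs are constructed sample data in a simplified comma-separated layout assumed for illustration, not real PAN-OS or endpoint log exports, and the field order, the 60-second window and the set of "blocking" actions are all assumptions.

```python
"""
Correlate endpoint anti-malware alerts with firewall threat-log entries to
estimate how much of what the endpoint caught the inline engine never saw.

Assumptions (illustration only): both logs are comma-separated with the field
orders given below, clocks are synchronised, and a firewall entry for the same
host within +/- WINDOW of the endpoint alert refers to the same event.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(seconds=60)

# Constructed endpoint AV alerts: timestamp, host IP, detection name
ENDPOINT_ALERTS = """\
2011-03-01 09:14:02,10.1.5.23,Trojan.Generic
2011-03-01 10:02:45,10.1.5.40,Adware.Toolbar
2011-03-02 14:30:11,10.1.7.12,Exploit.PDF
2011-03-03 08:05:00,10.1.5.23,Trojan.Generic
"""

# Constructed firewall threat log (simplified): timestamp, src IP, subtype, action
FIREWALL_THREATS = """\
2011-03-01 09:13:58,10.1.5.23,virus,drop
2011-03-01 11:45:10,10.1.9.2,spyware,alert
2011-03-02 14:30:09,10.1.7.12,vulnerability,drop
2011-03-03 08:04:40,10.1.5.23,spyware,alert
"""

# Actions that actually stopped the traffic; "alert" only logs it.
BLOCKING_ACTIONS = ("drop", "reset-both", "block")


def parse_csv(text, fields):
    """Parse lines of 'a,b,c' into dicts keyed by `fields`; first field is a timestamp."""
    rows = []
    for line in text.strip().splitlines():
        row = dict(zip(fields, line.split(",")))
        row["ts"] = datetime.strptime(row["ts"], TS_FMT)
        rows.append(row)
    return rows


def correlate(endpoint_alerts, fw_threats, window=WINDOW):
    """For each endpoint alert, find firewall threat entries from the same host
    inside the time window. Count alerts the firewall saw at all, alerts it
    actually blocked, and list the ones it never logged."""
    results = {"endpoint_total": 0, "seen_by_firewall": 0,
               "blocked_by_firewall": 0, "missed": []}
    for alert in endpoint_alerts:
        results["endpoint_total"] += 1
        matches = [t for t in fw_threats
                   if t["src"] == alert["host"] and abs(t["ts"] - alert["ts"]) <= window]
        if matches:
            results["seen_by_firewall"] += 1
            if any(t["action"] in BLOCKING_ACTIONS for t in matches):
                results["blocked_by_firewall"] += 1
        else:
            results["missed"].append(
                (alert["ts"].strftime(TS_FMT), alert["host"], alert["name"]))
    return results


def miss_rate(results):
    """Percentage of endpoint detections with no firewall threat entry at all."""
    total = results["endpoint_total"]
    if total == 0:
        return 0.0
    return 100.0 * (total - results["seen_by_firewall"]) / total


def run_example():
    alerts = parse_csv(ENDPOINT_ALERTS, ("ts", "host", "name"))
    threats = parse_csv(FIREWALL_THREATS, ("ts", "src", "subtype", "action"))
    return correlate(alerts, threats)


if __name__ == "__main__":
    r = run_example()
    print(f"endpoint alerts: {r['endpoint_total']}, seen by firewall: "
          f"{r['seen_by_firewall']}, blocked: {r['blocked_by_firewall']}")
    print(f"firewall miss rate: {miss_rate(r):.1f}%")
    for ts, host, name in r["missed"]:
        print(f"  missed: {ts} {host} {name}")
```

Two caveats when reading the result: a host-and-time match is evidence, not proof, that the two logs describe the same file, and an endpoint detection on something that arrived by a path the firewall never inspected (removable media, an undecrypted TLS session, an internal share) should not be counted against the inline engine. The "seen but only alerted" case is worth separating out, as in the example, because it shows up in the firewall's own reports as a detection while providing no protection.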
From my experience the PA IPS functionality appears very good, but the antivirus/antispyware doesn't seem to do much of anything. So far our PA has detected 0 malware or spyware instances and our desktop AV has detected 8 separate instances (in the past 3 months).
I opened a support case, but it's been open for 2+ weeks now with no resolution. Support is asking for packet captures of stuff that happened 2.5 weeks ago...
I'm happy with the overall product, but I don't think the inline antivirus product is all that effective.
For what it's worth, I'm blocking all critical vulnerabilities, critical/high spyware, and all viruses. In the last week I blocked 100 vulnerabilities, 700 instances of viruses, and 900 instances of spyware. I used the built-in custom reports to get this data out of the firewall.
However, I haven't gotten as many phone calls as I would have expected. I usually only get a couple of phone calls every month. That said, I am just scanning for spyware, viruses, and vulnerabilities. I have not blocked any of the confirmed spyware via URL filtering.