Anti-Malware Effectiveness?


Not applicable

Hopefully the title will generate some interest and feedback!

To keep this brief, I'm happy with the effectiveness of the P.A. IPS; the NSS Labs test results proved this, and well done PA, it appears to be world class.

The effectiveness of the P.A. antivirus/spyware engine is, however, another kettle of fish. Here I struggle to see the malware protection being anywhere near as effective. To lay some foundation for my observation: our endpoint antimalware solution provides us near real-time alerts of probable virus infection. When researching these, it's obvious the traffic originated from the Internet, usually HTTP 🙂, and yes, we are doing SSL decryption with threat prevention inspection. My experience, based on endpoint alerts, is that the firewall is missing more malware than I would have expected. PS: to clarify, our endpoint solution has a low false positive detection rate.

I believe the Palo Alto A.M. solution is proprietary, that they gather signatures from similar providers such as Sophos/McAfee (supposedly comparable to ClamAV?), and that antimalware inspection includes HTTP/JavaScript, with PDF available in PAN-OS 4.0.1. Thing is, it's not proving very effective right now.

So having made this observation, my question now is... does P.A. have any reports we can see to compare its malware engine effectiveness to, say, that of Sophos? What are other P.A. end users' experiences? It could just be me after all 🙂, and if my observations prove true... what can we expect to see (from an antimalware perspective) to improve what's an overall great product?

thank you!
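The measurement the original poster describes (taking endpoint AV alerts, tracing each one back to the Internet download that caused it, and checking whether the firewall saw it) can be done systematically by joining the two log sources. The script below is an added example, not code from the thread or from Palo Alto. Both inputs are constructed sample data in a deliberately simplified comma-separated form (an assumption; real PAN-OS threat logs carry many more fields, so the two parsers would need adjusting to a real export). It matches each endpoint alert to a firewall threat-log entry on client IP, server IP and a time window, then counts how many detections the firewall blocked, only alerted on, or never saw at all.

```python
"""Correlate endpoint AV alerts with firewall threat-log entries.

Added example for the thread above; not Palo Alto code. The log formats,
field order, addresses and timestamps below are all constructed for
illustration (assumption), not taken from any real device.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed endpoint AV alerts: time, client IP, download URL, detection name.
ENDPOINT_ALERTS = """\
2011-03-01 09:12:05,10.1.1.23,http://203.0.113.10/dl/setup.exe,Trojan.Generic
2011-03-01 10:40:44,10.1.1.31,http://198.51.100.7/ad.js,JS/Obfuscated
2011-03-01 13:05:10,10.1.1.23,http://203.0.113.10/x.pdf,PDF.Exploit
"""

# Constructed, simplified firewall threat-log lines:
# time, source IP, destination IP, threat name, action taken.
FIREWALL_THREAT_LOG = """\
2011-03-01 09:12:03,10.1.1.23,203.0.113.10,Virus/Win32.Generic,block
2011-03-01 11:00:00,10.1.1.99,192.0.2.5,Spyware Beacon,alert
2011-03-01 13:04:58,10.1.1.23,203.0.113.10,Suspicious PDF,alert
"""


def parse_endpoint(text):
    """Parse endpoint alerts; the URL host is used as the server address.
    Assumes the URL host is already an IP (or was resolved by the AV product)."""
    alerts = []
    for line in text.strip().splitlines():
        ts, host, url, name = line.split(",", 3)
        alerts.append({"time": datetime.strptime(ts, TS_FORMAT), "host": host,
                       "server": urlparse(url).hostname, "name": name})
    return alerts


def parse_firewall(text):
    """Parse the simplified firewall threat log into dicts."""
    entries = []
    for line in text.strip().splitlines():
        ts, src, dst, threat, action = line.split(",", 4)
        entries.append({"time": datetime.strptime(ts, TS_FORMAT), "src": src,
                        "dst": dst, "threat": threat, "action": action})
    return entries


def correlate(endpoint_text, fw_text, window_seconds=120):
    """For each endpoint alert, find a firewall entry with the same client and
    server within +/- window_seconds. Returns a list of (alert, match-or-None)."""
    window = timedelta(seconds=window_seconds)
    firewall = parse_firewall(fw_text)
    results = []
    for alert in parse_endpoint(endpoint_text):
        match = None
        for entry in firewall:
            same_flow = entry["src"] == alert["host"] and entry["dst"] == alert["server"]
            in_window = alert["time"] - window <= entry["time"] <= alert["time"] + window
            if same_flow and in_window:
                match = entry
                break
        results.append({"alert": alert, "firewall": match})
    return results


def summarize(results):
    """Count endpoint detections the firewall blocked, only alerted on, or missed."""
    counts = {"blocked": 0, "alerted": 0, "missed": 0}
    for item in results:
        entry = item["firewall"]
        if entry is None:
            counts["missed"] += 1
        elif entry["action"] == "block":
            counts["blocked"] += 1
        else:
            counts["alerted"] += 1
    return counts


if __name__ == "__main__":
    matched = correlate(ENDPOINT_ALERTS, FIREWALL_THREAT_LOG)
    for item in matched:
        a, fw = item["alert"], item["firewall"]
        seen = f"{fw['threat']} ({fw['action']})" if fw else "not seen by firewall"
        print(f"{a['time']} {a['host']} -> {a['server']} {a['name']}: {seen}")
    print(summarize(matched))
```

A "missed" count from this join is the number the thread is really arguing about, but it deserves a sanity check before being quoted: a miss can also mean the client reached the server over a path the firewall did not decrypt or inspect, or that the endpoint detected a file that arrived by some route other than the download the URL suggests, so a sample of misses should be traced by hand against the firewall's traffic log before concluding the AV engine did not fire.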

5 REPLIES

L4 Transporter

More an observation than anything I've gone into in any depth, but our PAN doesn't seem to stop much at all in the way of viruses/malware; it's usually down to the desktop A/V.

I'd be very interested in any recommendations from Palo Alto on what should be tweaked in addition to simply enabling the default av/malware policies on the outbound traffic rules that you want to protect.

L4 Transporter

Thanks for the feedback. The antivirus engine is not equivalent to a desktop AV engine and shouldn't be compared that way. Desktop AV engines inherently have advantages in terms of detecting malware. They have the advantage of seeing the file run, what behavior it exhibits on the endpoint, what files it changes, etc. If the virus is in obfuscated javascript, the browser will de-obfuscate the javascript which also gives desktop antivirus clients an advantage. With that being said, we have approached AV test houses like VirusBulletin, AVtest.org and AV-comparatives, but they only test software based client engines. We could go through ICSA, but it's quite expensive and doesn't really offer testing for the effectiveness of scanners. We are a defense in depth solution that can scan for viruses at high speed on the network. We don't have a lot of coverage for viruses that we view as not actively spreading and often deprecate coverage for those while providing coverage for viruses seen actively spreading in the wild.

We are looking at various ways to complement our signature detection engine with heuristic/behavior based methods for discovering infected hosts in the network based on network traffic that we detect. In PAN-OS 4.0, we introduced a botnet detection report that does just that. We are constantly looking at ways to improve both signature and heuristic detection mechanisms and welcome feedback from our customers.

Thanks,

Alfred

Hi Alfred

Thanks for the reply. Yes, I take the point that client-side AV has an advantage over "inline" scanning, and I can see that it appears as though I was comparing the two. I actually wasn't, except to make the point that 98% of my AV alerts originate locally now. It's not to say we have that many alerts... just my observation that there are precious few viruses/spyware the firewall blocks, and based on a previous proxy + AV scanning solution we saw more "hits".

So from that perspective I became curious as to how PA measures the effectiveness of their solution. Keep me posted if you do manage to get some "accreditation" or the like.

thanks again.

L1 Bithead

From my experience the PA IPS functionality appears very good, but the antivirus/antispyware doesn't seem to do much of anything. So far our PA has detected 0 malware or spyware instances and our desktop AV has detected 8 separate instances (in the past 3 months).

I opened a support case, but it's been open for 2+ weeks now without any resolution. Support is asking for packet captures of stuff that happened 2.5 weeks ago...

I'm happy with the overall product, but I don't think the inline antivirus product is all that effective.

For what it's worth, I'm blocking all critical vulnerabilities, critical/high spyware, and all viruses. In the last week I blocked 100 vulnerabilities, 700 instances of viruses, and 900 instances of spyware. I used the built in custom reports to get this data out of the firewall.

However, I haven't gotten as many phone calls as I would have expected. I usually only get a couple of phone calls every month. That said, I am just scanning for spyware, viruses, and vulnerabilities. I have not blocked any of the confirmed spyware via URL filtering.
