Anti-Spyware Behaviour and Inline Cloud Analysis


L3 Networker

Hello All, 


I have run into some curious behaviour with Anti-Spyware. High severity threats tagged as threat type 'spyware' are coming through the firewall with an action of alert, despite all configurations pointing to an action that should either be reset-both, or sinkhole.


I have confirmed the following: 

  • The security policy rule that matches the traffic does have the correct security profile group set. 
  • The security profile group set does reference the specific Anti-Spyware security profile. 

Within the Anti-Spyware profile here is the breakdown: 

  • Signature Policies 
    • Severity medium, high, and critical all have an action of reset-both.  
  • Signature Exceptions 
    • None. 
  • DNS Policies 
    • All signature sources have a log severity set to high, and an action of sinkhole.
  • DNS Exceptions 
    • None. 
  • Inline Cloud Analysis 
    • Enabled. 
    • The action for all models is set to alert.

Could this behaviour be a result of inline cloud analysis?

Is there a way to tell if the traffic flow has had inline cloud analysis applied to it? If so, I have not found a way to tell as of yet. I have checked the columns available in the threat logs, as well as the Detailed Log View, but to no avail. 

I would like to note that the threat ID is identified in each traffic flow. An example is 109010004. 

As always: any insight is much appreciated! 


Community Team Member

Hi @nohash4u,

Try enabling the threat category in the detailed threat logs (enable the column if needed). 

Notice in my example screenshot how the inline-cloud-c2 category has the "alert" action for high severity threats indicating that the Inline Cloud engine took action as opposed to the anti-spyware engine (where the action would be reset-both).

[Screenshot: kiwi_3-1747038617554.png, threat log with the Threat Category column showing inline-cloud-c2]


Hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
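One way to run the check Kim describes across a whole log export, as an added example that is not from this thread or from Palo Alto Networks: it assumes the threat log was exported as CSV with columns named threatid, severity, thr_category and action (names assumed), classifies each row by the engine its Threat Category implies (only inline-cloud-c2 is taken from the thread; the dns* prefix is an assumption), and flags rows whose logged action differs from the action the original post says the profile configures for that engine.

```python
import csv
import io

# Actions the original post says the Anti-Spyware profile is configured with, per engine.
EXPECTED_ACTION = {
    "inline-cloud": "alert",    # Inline Cloud Analysis: all models set to alert
    "dns": "sinkhole",          # DNS Policies: all signature sources set to sinkhole
    "signature": "reset-both",  # Signature Policies: medium/high/critical set to reset-both
}

def classify_engine(threat_category: str) -> str:
    """Map the Threat Category column to the engine that produced the verdict.
    'inline-cloud-c2' is from the thread; treating every 'inline-cloud*' value as the
    Inline Cloud engine and every 'dns*' value as the DNS engine is an assumption."""
    cat = threat_category.strip().lower()
    if cat.startswith("inline-cloud"):
        return "inline-cloud"
    if cat.startswith("dns"):
        return "dns"
    return "signature"

def triage(csv_text: str) -> list:
    """Compare each row's logged action with the action the profile should have applied."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        engine = classify_engine(row["thr_category"])
        expected = EXPECTED_ACTION[engine]
        results.append({
            "threatid": row["threatid"],
            "engine": engine,
            "expected": expected,
            "observed": row["action"],
            "match": row["action"] == expected,
        })
    return results

def mismatches(csv_text: str) -> list:
    """Rows where the logged action is not what the configured profile predicts."""
    return [r for r in triage(csv_text) if not r["match"]]

# Constructed sample export: column names and the 'dns-c2' category are assumptions; 109010004 is the ID quoted in the post.
SAMPLE_LOG = """\
receive_time,threatid,severity,thr_category,action
2025/05/12 10:15:01,109010004,high,inline-cloud-c2,alert
2025/05/12 10:15:05,109010004,high,dns-c2,alert
2025/05/12 10:15:09,109010004,high,dns-c2,sinkhole
"""

for r in mismatches(SAMPLE_LOG):
    print(f"threat {r['threatid']}: {r['engine']} engine logged {r['observed']}, expected {r['expected']}")
```

Rows that come back from mismatches() are the ones to raise with TAC, with the engine already identified; an inline-cloud row logged as alert is consistent with the profile and needs no ticket.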

L3 Networker

Hello @kiwi,

Thanks for the great insight on how to determine if a threat is identified via Inline Cloud Analysis. In my case I have yet to see this appear under the threat category column.

Here is an example:

[Screenshot: nohash4u_0-1747069459863.png, threat log without an inline-cloud entry in the Threat Category column]


On another thread - it is almost as if layer 7 inspection is not occurring or functioning properly. I did notice the security policy rule that matches these traffic flows has the 'Disable Server Response Inspection' option enabled. Would this have an implication on DNS related traffic flows? Even so, I find it interesting that the flow is marked with a certain severity, and yet the prescribed action is not enforced. 

Lastly, could this be timeout related? I have noticed via the detailed log view that the flows start with an action of alert, and end 30 seconds later with an action of allow. 

Thanks again for your insight. 

Enabling "Disable Server Response Inspection" is a very insecure practice because you will bypass the whole server-to-client flow from inspection.

It could make sense only for incoming traffic towards web servers that you control and really trust are not hacked and don't host anything malicious, and only if you really need to reduce load on the firewall.

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks for confirming. The documentation also strongly advises against enabling DSRI. I did not configure this device, but I will pass this along in my future discussions. 

Regardless, the main unknown is the action of alert for high severity DNS based threats being inconsistent with the configuration on the firewall. Would enabling DSRI interfere with the enforcement behaviour? If so, why is the action alert with the threat ID identified as something that should be sinkholed, reset-both, etc? 

More than happy to open a TAC case, but I thought I would ask here first! 
