Antivirus Decoder Action

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Antivirus Decoder Action

L0 Member

I feel silly asking this - wouldn't you want a deny on any decoder where a virus is detected rather than allowing the traffic and just throwing an alert?

16 REPLIES 16

L7 Applicator

Hello mrsoldner,

As per my understanding, action is taken based on the different severity level of that virus. If that virus is having typically very little impact /or no impact on an organization's infrastructure. Then the action will be set to "alert".

Thanks

L1 Bithead

Setting a block for viruses on smtp will cause the originating server to keep trying to relay the email until a timeout occurs. This could potentially cause a lot of unwanted traffic pointed at your smtp server that is getting blocked over and over by the firewall. That may still be preferred to allowing a virus in via smtp, but it's just something to be aware of.

Hello jtyler,

It's a good example. Smiley Happy

Thanks

Is there somewhere that Virus severity is noted? 

jtyler wrote:

Setting a block for viruses on smtp will cause the originating server to keep trying to relay the email until a timeout occurs. This could potentially cause a lot of unwanted traffic pointed at your smtp server that is getting blocked over and over by the firewall. That may still be preferred to allowing a virus in via smtp, but it's just something to be aware of.

Good point, I did some digging and found this:  Threat Prevention Deployment Tech Note

It looks like some intelligence is built in for SMTP and will send back a 541 response so that the other side doesn't keep resending the email.  POP and IMAP however don't have any intelligence built in.  So, per the doc:

Note: The reason why SMTP, POP3 and IMAP have the default action set to ALERT is because in most cases there is

already a dedicated Antivirus gateway solution in place for these protocols. Specifically for POP3 and IMAP, it is not

possible to clean files or properly terminate an infected file-transfer in-stream without affecting the entire session.

This is due to shortcomings in these protocols to deal with this kind of situation.

Thanks for the help.  I think we'll stick with the defaults for now and potentially ratchet up SMTP.

Hello Mrsoldner,

Every virus signature has different severity. You can find that information from following link. Select type as a "virus".

https://threatvault.paloaltonetworks.com/

You need to feed either virus name or ID.

Regards,

Hardik Shah

hshah wrote:

Hello Mrsoldner,

Every virus signature has different severity. You can find that information from following link. Select type as a "virus".

https://threatvault.paloaltonetworks.com/

You need to feed either virus name or ID.

Regards,

Hardik Shah

Thanks hshah - I've never seen a severity included with a virus though which is why I'm puzzled.  For example:

ID: 3088393

The threat vault just calls it a virus.  It came in via SMTP (which by default, the action is alert) however in the logs it shows it was blocked.

Just making sure I fully understand. 

Hello Mrsold,

My bad, its vulnerability which has sev not anti-virus. Thanks for correcting me.

Regards,

Hardik Shah

HULK wrote:

Hello mrsoldner,

As per my understanding, action is taken based on the different severity level of that virus. If that virus is having typically very little impact /or no impact on an organization's infrastructure. Then the action will be set to "alert".

Thanks

HULK could you clarify?  My antivirus decoder for SMTP is set to "alert" for WildFire and Threat however I am seeing Virus blocks for SMTP traffic. 

you use alert profile but you see block logs ? that is interesting.

L7 Applicator

Another reason the action may be set to alarm rather than deny as the default action is the possibility of false positives.  Palo Alto is pretty good about only setting drop/reset actions to signatures are have virtually no false positives.  You don't want to be blocking too many legitimate sessions.

The alarm option then can give you a report on suspects that can be researched and confirmed.  If you subsequently find that virtually all the alarms are real then you have the option to change the action to a deny/reset instead of alarm.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

panos wrote:

you use alert profile but you see block logs ? that is interesting.

Yeah,  very interesting indeed.  I need to do some more digging...

Yeah panos and HULK - Interesting indeed:

smtp.png

Av Profile:

avprof.png

L0 Member

So, If i'm reading this right - the attachment was blocked but the email allowed?

SS Threat.png

  • 7778 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!