Antivirus Decoder Action

I feel silly asking this - wouldn't you want a deny on any decoder where a virus is detected rather than allowing the traffic and just throwing an alert?


Hello mrsoldner,

I was able to confirm a couple of things.

- mrsoldner is hitting Bug# 57763

- workaround is to define explicit "alert" instead of "default(alert)" for WF Action

- permanent fix is in PanOS 5.0.10

Regards,

David

Hey

Some more information on why default action is set to alert for POP3, IMAP and SMTP instead of block.

* POP3/IMAP + block -> A virus mail will be blocked. BUT: You cannot get a new email from this server until the virus email is deleted from the server, because the whole POP3 session will be dropped each time you retry to retrieve your emails, since emails are not sent separately with this protocol.

* SMTP + block -> An SMTP 541 error message will be sent as part of the block action when a virus is detected. This will tell the mail server not to retry sending the message, allowing the firewall to drop the mail without the mail server trying to resend it. So I don't really see why the default action would be just alert. I guess some SMTP servers will not listen to these 541 error messages and keep resending the email...
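The workaround in David's reply (replace "default(alert)" with an explicit "alert") and the explanation above of which decoders resolve "default" to alert suggest a simple audit. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed antivirus-profile XML fragment, lists every decoder action still set to "default", and rewrites the mail decoders to an explicit "alert". The element layout (profile entry / decoder / entry with `action` and `wildfire-action`) is an assumption about the PAN-OS config export, and the profile name and values are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an antivirus profile export. The element layout is an
# assumption about the PAN-OS config schema, not something shown in the thread.
SAMPLE_PROFILE_XML = """<virus>
  <entry name="mail-av">
    <decoder>
      <entry name="smtp"><action>default</action><wildfire-action>default</wildfire-action></entry>
      <entry name="pop3"><action>default</action><wildfire-action>alert</wildfire-action></entry>
      <entry name="imap"><action>alert</action><wildfire-action>default</wildfire-action></entry>
      <entry name="http"><action>default</action><wildfire-action>default</wildfire-action></entry>
    </decoder>
  </entry>
</virus>"""

# Decoders whose "default" action resolves to alert, as described in the thread.
DEFAULT_IS_ALERT = {"smtp", "pop3", "imap"}
ACTION_FIELDS = ("action", "wildfire-action")


def find_default_actions(xml_text):
    """Return (profile, decoder, field) triples whose action is still 'default'."""
    root = ET.fromstring(xml_text)
    hits = []
    for profile in root.findall("entry"):
        for dec in profile.findall("decoder/entry"):
            for field in ACTION_FIELDS:
                node = dec.find(field)
                if node is not None and node.text == "default":
                    hits.append((profile.get("name"), dec.get("name"), field))
    return hits


def make_actions_explicit(xml_text, decoders=DEFAULT_IS_ALERT):
    """Apply the workaround: turn 'default' into an explicit 'alert' for the
    listed decoders. Returns the rewritten XML and the number of fields changed."""
    root = ET.fromstring(xml_text)
    changed = 0
    for profile in root.findall("entry"):
        for dec in profile.findall("decoder/entry"):
            if dec.get("name") not in decoders:
                continue  # leave non-mail decoders for a human to decide
            for field in ACTION_FIELDS:
                node = dec.find(field)
                if node is not None and node.text == "default":
                    node.text = "alert"
                    changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for profile, decoder, field in find_default_actions(SAMPLE_PROFILE_XML):
        print(f"{profile}: decoder {decoder} has {field}=default")
    fixed_xml, n = make_actions_explicit(SAMPLE_PROFILE_XML)
    print(f"rewrote {n} field(s); remaining defaults: {find_default_actions(fixed_xml)}")
```

Running it against a real export means pulling the `profiles/virus` subtree from a config backup first; the audit only reports, and the rewrite only touches the three mail decoders.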
