12-23-2013 07:20 AM
12-23-2013 07:44 AM
Hello COS,
If we have to avoid threat 36180: find which security rule is used for Trust to Untrust. In that security rule, find the Vulnerability profile. Go to that Vulnerability profile in the Objects tab > Vulnerability profile > Exceptions tab.
Select "show all signatures" and search for the threat id 36180. Now choose the action "allow" so that the threat will not be seen in the logs any more. If you want to drop packets or reset, or any other action, you can select that too. But the option Allow alone will not log it, and all other options would log them.
Hope this helps!
12-23-2013 09:03 AM
Hello Phoenix,
If I set up this exception, would we be exposed to this type of attack?
Backdoor:PHP/WebShell.A is a backdoor trojan that allows unauthorized access and control of an affected computer by a remote attacker. The backdoor is written in PHP format and can affect both Windows and Linux operating systems.
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:PHP/WebShell.A
I prefer to be alerted to this threat, but I would also like to avoid registering false positives.
What would be the most recommended option (Action)?
Thanks and regards,
01-20-2014 11:36 PM
Well, first of all, did you really verify that this actually was a false positive?
If so, you could save a recording of the traffic and send it to PA so they could update this threat id.
Besides this there is little you can do if you encounter a false positive, either you let this id be active (and analyze each alarm) or you disable this id.
Note that you can choose to disable this id either globally or for a specific flow - in your case if you just want to ignore this alarm you can set it to "allow" for the particular flow (so in case this shows up on some of your other webservers you will still get an alarm).
Also the action can be allow, block or alert. Allow is pretty obvious, block means drop the session AND log while alert means allow the session AND log (while allow means no logging at all).
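The three replies above describe the same decision table: a vulnerability profile has a per-signature action, an exception can override it either globally or only for specific hosts, and the action determines both whether the session passes and whether a threat log is written (allow = pass, no log; alert = pass and log; block = drop and log). The following model is an added example written for this page; it is not Palo Alto code and does not call the PAN-OS API. Threat id 36180 comes from the thread; the profile name, the 10.0.0.x web servers and the events are constructed, and scoping the exception by destination host is an assumed simplification of "exception for a particular flow".

```python
"""Illustrative model of vulnerability-profile threat exceptions.

Constructed example (not PAN-OS code). It mirrors the semantics described in
the thread: allow = pass without logging, alert = pass and log,
block = drop and log, and an exception that is either global or limited to
specific destination hosts.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List

VALID_ACTIONS = ("allow", "alert", "block")


@dataclass
class ThreatException:
    threat_id: int
    action: str
    # Hosts the exception is limited to; empty means the exception is global.
    # (Assumed model of the "specific flow vs. globally" distinction.)
    exempt_hosts: FrozenSet[str] = frozenset()


@dataclass
class VulnerabilityProfile:
    name: str
    default_action: str = "alert"  # what a signature does when no exception matches
    exceptions: Dict[int, ThreatException] = field(default_factory=dict)

    def add_exception(self, threat_id: int, action: str,
                      exempt_hosts: Iterable[str] = ()) -> None:
        if action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.exceptions[threat_id] = ThreatException(
            threat_id, action, frozenset(exempt_hosts))

    def decide(self, threat_id: int, dst_host: str) -> str:
        """Return the action for one signature hit against dst_host."""
        exc = self.exceptions.get(threat_id)
        if exc is None:
            return self.default_action
        # A host-scoped exception only applies to the listed hosts;
        # every other server keeps the profile's default (so it still alarms).
        if exc.exempt_hosts and dst_host not in exc.exempt_hosts:
            return self.default_action
        return exc.action


def apply_action(action: str) -> Dict[str, bool]:
    """Translate an action into its two observable effects."""
    return {"session_allowed": action != "block",  # only block drops the session
            "logged": action != "allow"}           # only allow suppresses the log


def build_example_profile() -> VulnerabilityProfile:
    """Profile with 36180 set to 'allow' on one web server only (constructed)."""
    profile = VulnerabilityProfile(name="trust-to-untrust-vuln")
    profile.add_exception(36180, "allow", exempt_hosts={"10.0.0.5"})
    return profile


# Constructed sample of signature hits; 36180 is the id discussed in the thread,
# 40000 is a placeholder for some other signature.
SAMPLE_EVENTS: List[Dict] = [
    {"threat_id": 36180, "src": "203.0.113.9", "dst": "10.0.0.5"},
    {"threat_id": 36180, "src": "203.0.113.9", "dst": "10.0.0.6"},
    {"threat_id": 40000, "src": "203.0.113.9", "dst": "10.0.0.5"},
]


def process_events(profile: VulnerabilityProfile,
                   events: Iterable[Dict]) -> List[Dict]:
    """Return the threat-log entries that would actually be written."""
    logs = []
    for ev in events:
        action = profile.decide(ev["threat_id"], ev["dst"])
        if apply_action(action)["logged"]:
            logs.append({**ev, "action": action})
    return logs


if __name__ == "__main__":
    for entry in process_events(build_example_profile(), SAMPLE_EVENTS):
        print(entry)
```

Running it shows the point of the last reply: the hit on 10.0.0.5 is silently allowed, while the same signature against 10.0.0.6 and the unrelated signature against 10.0.0.5 still produce log entries with action "alert".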