- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
block files with multiple level of compression
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- block files with multiple level of compression
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-21-2013 02:46 AM
I want to block all kind of compressed files with more than the support 2 levels of compressions. Is this possible?
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-22-2013 04:18 PM
PAN performs a maximum of 2 levels of decompression
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-22-2013 02:47 PM
You mean like an arj within a rar within a zip?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-22-2013 04:18 PM
PAN performs a maximum of 2 levels of decompression
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-27-2013 06:25 AM
I know that the pa supports only 2 levels. My question was: Can i block files with more than 2 levels? In a test scenario, a exe file within a multiple zip file was not sent to wildfire.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-27-2013 06:26 AM
Manually unpacking the file und uploading the exe to wildfire revealed a 0day infected file.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-27-2013 06:32 AM
Be uploaded to wildfire only PE files. if more than 2 level of compression, file is seen as zip then no PE then no wildfire 🙂
In my mind not able to block file with more than two level of compression.
V.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-27-2013 12:38 PM
Hello,
You cannot block files with more than 2 levels of compression today. If you would like this functionality, please contact your SE to submit a feature request.
Thanks,
Doris
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-14-2013 05:40 AM
So, I just did a test by FTPing a malicious .exe file that was compressed inside of a .ZIP. My Data Filtering log shows the action for the .PE file within the .ZIP as "forward" however, I did not receive anything from the Wildfire Cloud. Also, the Wildfire Portal has no entry for this file being uploaded.
Any insight as to why Wildfire did not receive the file that had the "forward" action?
Thanks,
Jeff
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-14-2013 05:44 AM
We have seen the same issue... files that are apparently "forwarded" to WildFire never show up as malicious, even files that we know are malicious.
We have asked Palo Alto for a test .exe that we can send across the network and will always flag as malicious... another malware appliance we have does this exact thing (similar to the EICAR antivirus file you can test AV solutions with)
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-14-2013 05:52 AM
What I do to get malicious files to test with Wildfire, is go to malc0de.com, go to the Tools menu and then click on "Search Malc0de Database". Then I type in .exe in the search window. This will pull up a list of files that are either malicious or at benign but, will actually trigger Wildfire actions on the PANW. I download that files to my Macbook so, they will not infect my machine. So far, so good for exercising Wildfire actions and the portal.
- Delete a single file from multiple files in Cortex XSOAR Discussions
- GP Issue Gateway Fake in GlobalProtect Discussions
- Threat Log False Positives in Threat & Vulnerability Discussions
- Latest DDOS attack related issue on Palo alto in Threat & Vulnerability Discussions
- Issue with Global protect VPN in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
