12-05-2011 09:27 AM
Hi - we currently have our PA4050s in alert mode only on every rule for AV. If we decide to turn this to Block for specific rules - what does this actually do if it identifies a virus? Cheers.
02-28-2012 12:06 AM
Sounds like a browser bug, because an HTTP error should be displayed for the client even when using POST, wouldn't it?
02-28-2012 02:38 AM
Thanks for replying! So are we saying that if it's an upload to a website we won't see the Block page! But if it's a download we would?! I've tried this in IE and FF and the same result so it doesn't appear to be down to the browser. It's not my area of expertise but I would have expected a block page to appear regardless of the direction of the file up/down?
03-02-2012 04:07 AM
A further question about AV - I applied a profile that had "action=block" for POP3 and IMAP.
Whilst the policy does detect the EICAR virus in incoming emails, in the case of POP3 it drops the session when the user tries to download his mail, with no notification to the end user. Because of the way POP3 works, he then can't receive any further mails until the infected mail is manually removed from his inbox - so the "block" action for POP3 is effectively unusable (IMAP is similarly opaque, but at least the end user can delete the offending mail themselves).
Are there any plans to improve this function? - I appreciate the PAN firewall is not a proxy but most other firewalls I've used that offer email AV just strip out the infected attachment allowing the overall POP3 transaction to complete, whereas PAN's implementation breaks the protocol.
Liam
03-03-2012 07:58 AM
Liam... As you described, if we strip the infected attachment in an email, we would need to inject a notice in the email to notify the recipient. Also, we would have to store the infected attachment somewhere so the admin can analyze it, or allow the recipient to override & download. This would require a lot more resource (disk space, individual user accts, etc.) on the PA device. Hence, at this time we do not plan on supporting SMTP proxy.
Thanks.
03-03-2012 01:48 PM
Will the PAN send a TCP-RST or FIN-ACK when a POP3 msg is detected containing malware?
If not... wouldn't it be possible if the PAN just blocked the download and, when the client restarts it (within the same TCP session), returned a "-ERR message infected" or similar so the client can continue with the next message (depending on email client used)?
A well-written email client would then just continue with the other messages.
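The two behaviours debated in this thread, modelled side by side as an added example (not code from any post here, and not Palo Alto code): an inline inspector that tears down the session when an infected message is retrieved, versus one that answers that RETR with "-ERR" so the client can move on. The server is a toy in-process subset of POP3 (LIST/RETR/DELE/QUIT), the mailbox is constructed, and the "malware" marker is an assumed placeholder rather than any real test-virus string. The point it shows is the one Liam describes: because POP3 only commits DELE at QUIT, a dropped session unmarks everything, so the client hits the same infected message on every check and never gets past it.

```python
"""POP3 blocking modelled two ways: the inline inspector either drops the
session on an infected RETR (what the thread reports) or answers that RETR
with -ERR (what the thread proposes).  Toy server/client; the mailbox and
the marker below are constructed for this example (assumptions)."""

# Constructed mailbox; message 2 carries an assumed placeholder marker.
MALWARE_MARKER = b"X-CONSTRUCTED-MALWARE-MARKER"
MAILBOX = {
    1: b"From: a@example.com\r\nSubject: hello\r\n\r\nall fine\r\n",
    2: b"From: b@example.com\r\nSubject: invoice\r\n\r\n" + MALWARE_MARKER + b"\r\n",
    3: b"From: c@example.com\r\nSubject: lunch\r\n\r\nalso fine\r\n",
}


class SessionDropped(Exception):
    """Stands in for the TCP reset/drop an inline device sends."""


class Pop3Server:
    """Minimal POP3 responder (LIST/RETR/DELE/QUIT subset of RFC 1939).
    mode "drop": session is killed when an infected message is retrieved.
    mode "err":  that RETR is answered with -ERR and the session continues."""

    def __init__(self, mailbox, mode):
        self.mailbox = dict(mailbox)
        self.mode = mode
        self.deleted = set()   # DELE marks; committed only at QUIT
        self.alive = True

    def reconnect(self):
        """Client opens a new TCP session against the same mailbox."""
        self.alive = True

    def handle(self, line):
        if not self.alive:
            raise SessionDropped("connection is closed")
        parts = line.split()
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "LIST":
            live = [n for n in sorted(self.mailbox) if n not in self.deleted]
            rows = [f"+OK {len(live)} messages"]
            rows += [f"{n} {len(self.mailbox[n])}" for n in live]
            return "\r\n".join(rows + ["."])
        if cmd == "RETR":
            n = int(args[0])
            if n not in self.mailbox or n in self.deleted:
                return "-ERR no such message"
            body = self.mailbox[n]
            if MALWARE_MARKER in body:          # the "AV verdict"
                if self.mode == "drop":
                    # RFC 1939: leaving without QUIT unmarks every DELE.
                    self.deleted.clear()
                    self.alive = False
                    raise SessionDropped("inline device reset the session")
                return "-ERR message blocked by content inspection"
            return "+OK\r\n" + body.decode() + "."
        if cmd == "DELE":
            self.deleted.add(int(args[0]))
            return "+OK marked for deletion"
        if cmd == "QUIT":
            for n in self.deleted:              # UPDATE state: commit
                self.mailbox.pop(n, None)
            self.deleted.clear()
            self.alive = False
            return "+OK bye"
        return "-ERR unknown command"


def fetch_all(server):
    """One client session: LIST, RETR each message, DELE what was fetched,
    QUIT.  Returns (retrieved_ids, ids_left_on_server, session_dropped)."""
    retrieved = []
    try:
        for row in server.handle("LIST").split("\r\n")[1:-1]:
            n = int(row.split()[0])
            resp = server.handle(f"RETR {n}")
            if resp.startswith("+OK"):
                retrieved.append(n)
                server.handle(f"DELE {n}")
            # a -ERR on RETR is simply skipped; the next message is tried
        server.handle("QUIT")
        dropped = False
    except SessionDropped:
        dropped = True
    return retrieved, sorted(server.mailbox), dropped


def run_sessions(mode, rounds):
    """Repeat the client's mail check `rounds` times against one mailbox.
    Returns (retrieved ids per session, mailbox left at the end)."""
    server = Pop3Server(MAILBOX, mode)
    history = []
    for _ in range(rounds):
        server.reconnect()
        retrieved, _left, _dropped = fetch_all(server)
        history.append(retrieved)
    return history, sorted(server.mailbox)
```

`run_sessions("drop", 3)` returns `([[1], [1], [1]], [1, 2, 3])`: every session re-downloads message 1 and dies on message 2, and messages 2 and 3 never arrive. `run_sessions("err", 2)` returns `([[1, 3], []], [2])`: the client skips the blocked message, collects the rest, and only the blocked one is left behind for the user or admin to deal with.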
03-05-2012 05:40 AM
I understand why the firewall is limited in what it can do here, but that doesn't change the fact that this function is unusable in its current form - there should be some way of blocking infected POP3 messages that does not break POP3, otherwise what's the point of having the functionality?
Liam.
03-05-2012 09:28 AM
The usage is to detect malicious contents within SMTP/POP3, alert the admins, and to complement existing AV/spam running on the mail servers. Please submit a feature request with your Palo Alto sales team on the enhancement to the blocking action. Thanks.
03-06-2012 04:02 AM
That's what "alert" does, and this may be applicable in a small corporate environment where you can follow up with the end user in question.
In our environment we need to be able to block and unfortunately "block" in this case is not usable. As you suggest I'll request a feature enhancement.