Blocking & AV

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Blocking & AV

L3 Networker

Hi - we current;y have our PA4050s in aleret mode only on every rule for AV. If we device to turn this to Block for specific rules - what does this actually do if it identifies a virus? Cheers.

22 REPLIES 22

Sounds like a browserbug because an HTTP error should be displayed for the client even when using POST wouldnt it?

Thanks for replying! So are we saying that if it's an upload to a website we won't see the Block page! But if it's a download we would?! I've tried this in IE and FF and the same result so it doesn't appear to be down to the browser. It's not my area of expertise but I would have expected a block page to appear regardless of the direction of the file up/down?

a further question about AV - I applied a profile that had "action=block" for POP3 and IMAP.

whilst the policy does detect the Eicar virus in incoming emails, in the case of POP3 it drops the session when the user tries to download his mail, with no notification to the end-user.  Because of the way POP3 works, he then can't receive any further mails until the infected mail is manually removed from his inbox - so the "block" action for POP3 is effectively unusable (IMAP is similarly opaque but at least the end user can delete the offending mail themselves)

Are there any plans to improve this function? - I appreciate the PAN firewall is not a proxy but most other firewalls I've used that offer email AV just strip out the infected attachment allowing the overall POP3 transaction to complete, whereas PAN's implementation breaks the protocol.

Liam

Liam...As you described, if we strip the infected attachment in an email, we would need to inject a notice in the email to notify the recipient.  Also, we would have to store the infected attachment somewhere so the admin can analyze it, or allow the recipient to overide & download.  This would require a lot more resource (disk space, individual user accts, etc) on the PA device.   Hence, at this time we do not plan on supporting SMTP proxy.

Thanks.

Will the PAN send a TCP-RST or FIN-ACK when a POP3 msg is detected containing malware?

If not... wouldnt it be possible if the PAN just block the download and when the client restarts it (within the same TCP session) the PAN would just return a "-ERR message infected" or similar so the client can continute with next message (depending on email client used)?

A wellwritten email client would then just continue with the other messages.

http://www.ietf.org/rfc/rfc1939.txt

I understand why the firewall is limited in what it can do here, but that doesn't change the fact that this function is unusable in its current form - there should be some way of blocking infected POP3 messages that does not break POP3, otherwise what's the point of having the functionality?

Liam.

The usage is to detect malicious contents within SMTP/POP3, alert the admins, and to compliment existing AV/spam running on the mail servers.  Please submit a feature request with your Palo Alto sales team on the enhancement to the blocking action.  Thanks.

that's what "alert" does and this may be applicable in a small corporate environment where you can follow up with the end-user in question

In our environment we need to be able to block and unfortunately "block" in this case is not usable.  As you suggest I'll request a feature enhancement.

  • 8376 Views
  • 22 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!