This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Blocking Postal-Receipt.exe

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Blocking Postal-Receipt.exe

HITSSEC
L4 Transporter

‎03-04-2013 06:09 PM

Hello.

We have been having challenges blocking the downloading of  Postal-Receipt.exe and Postal-Receipt.zip being pulled down from web-based email.  The emails convince the user to click on a link similar to http://goodguy.com/wp-content/plugins/akismet/mirror.php?receipt=798_1534586700 causing the encapsulated exe to come down. The bad guys are creating new versions on a regular basis, thus AV is not picking them up. We are playing catch up all the time. We normally have some success with custom vulnerability signatures but this one has us stumped for now.  Any ideas or suggestions would be helpful.

Phil

Labels:
0 Likes Likes
2 REPLIES 2

kbrazil
L4 Transporter

‎03-04-2013 06:22 PM

You may want to enable WildFire by configuring a forward action on a File-Blocking profile.  Wildfire runs the executable in a sandbox environment and checks its behavior to see if it is malicious.  If so, signatures are automatically generated within an hour with the subscription service.  This also feeds into the PAN-DB URL filtering database malware category, so you may also want to block those types of web sites, too.

Also, a Continue action on executable (PE or "portable executable") file downloads can help so the user has to specifically click "Continue" to download the file.  This is called drive-by-download protection.  You can customize the response page to show a warning for these types of files to discourage users from clicking continue.

Both options can be combined, as well.

Cheers,

Kelly

HITSSEC
L4 Transporter

‎03-04-2013 06:35 PM

Thanks Kelly.

Here is a bit more info.  We are running Wildfire (not the subscription service yet).  .  That is how we are being alerted to them. We are still on 4.1.x and will be going to 5.x soon. We will also start using PAN-DB.  The Daily AV definations are not stopping them either.  We have tried continue and forward but the continue prompt caused a lot of issues with our user base.  We are having some success with exe file blocking for normal users (currently being to 10% of our user base). but we are a ways off from deploying this approach to our entire user base.  65% of our wildfire events are the result of people clicking things in email messages that should not. only 35% of them are drivebuy caused.  We are working on user education but that is an effort with longer term results.

Phil

0 Likes Likes
  • 2137 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks