07-02-2012 09:08 AM
Hi,
In one customer setup we face the following problem: We disabled EXE file downloading. In order to allow services to update, we use an application filter with subcategory "update" and allow that traffic. Works like a charm for google-update, ms-update etc. However, today I noticed tons of blocks from xxxxxx_Chrome_updater.exe (xxxxx being date, version etc.). The application is "web-browsing". So the update process is not discovered as being an update application. Is this an error or a missing feature in the App-ID? How can I whitelist this or make a custom application out of this? We see this more often with special EXEs we need to whitelist. Any idea of how to achieve this?
Kind regards,
JP
07-02-2012 11:11 AM
1) You posted in the wrong subforum - hopefully someone from PA can move your thread so more people will notice it 🙂
2) You can request app enhancement from the Apps and Threats Research Center.
http://www.paloaltonetworks.com/researchcenter/tools/
From there you can click on Submit an app and provide details there.
3) As a workaround I think you can do an "application override" if you have something to trigger on. Like:
dsturl: update.google.com
appid: web-browsing
file: .exe
new appid: google-update
07-02-2012 12:50 PM
Hi.
ad 1) Sorry. Which one would have been more suitable? I still have to find my way around Jive, I suppose...
ad 2) Done.
ad 3) This is more or less exactly what I want. But I fail to see where/how to do this.
dsturl: update.google.com does not exist. I am trying to figure out which one is the correct URL. I started a pcap and hope that the next request will show the necessary information.
But how do you configure this sort of application override? The ones I know are based on source/destination IP/port, not application/file etc. I could create a new application which is based on signatures, but how? Where do I put the URL (request URI?) and how do I match on the filename (I would need a regex for that, if regex is supported)?
Kind regards,
JP
07-02-2012 01:24 PM
1) Click on Home in the upper left, then on KnowledgePoint and finally Discussion 🙂
3) Oops, sorry... application override doesn't act on URL. However, you can go for dstip (which I guess won't work in this case since it's Google we speak about and too many IPs).
Custom application would then be the way to go...
I think something like this might help you:
parent-app: web-browsing
default port: tcp/443 (assuming it's using HTTPS only)
ip protocol: 6 (tcp)
scanning: file-types, data-patterns, viruses
and then the actual signature... check page 171 in the admin guide for examples.
Since this is mainly to allow traffic, I think you should be as narrow as you possibly can.
Don't forget to have SSL termination running in order to inspect the HTTPS contents.
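An added Python model (not code from this thread or from Palo Alto Networks) of the "be as narrow as you can" advice above: a download is treated as the update application only when both the update host and the updater file-name pattern match; the host name and the file-name regex are assumptions standing in for what the pcap would reveal.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Download:
    """Fields a decrypted HTTPS request exposes (constructed, not a PAN-OS log format)."""
    host: str
    path: str
    filename: str


# Placeholder update host; a real rule would list the vendor's documented
# update hosts as observed in the pcap, not a guessed name.
UPDATE_HOSTS = frozenset({"updates.vendor.example"})

# Approximates "xxxxxx_Chrome_updater.exe" with a leading date/version prefix.
UPDATER_RE = re.compile(r"^[0-9][0-9._-]*_Chrome_updater\.exe$", re.IGNORECASE)


def classify(d: Download) -> str:
    """Return the custom app-id only when every narrow condition holds, else the parent app."""
    if d.host.lower() in UPDATE_HOSTS and UPDATER_RE.fullmatch(d.filename):
        return "chrome-update"
    return "web-browsing"


def is_exe(filename: str) -> bool:
    return filename.lower().endswith(".exe")


def policy_action(d: Download) -> str:
    """Mirror the thread's rule set: EXE downloads are blocked unless the update app-id fires."""
    if classify(d) == "chrome-update":
        return "allow"
    return "block" if is_exe(d.filename) else "allow"


# Constructed samples: a genuine updater, a same-named EXE from an unrelated host
# (must stay blocked), a different EXE from the update host, and plain browsing.
SAMPLES = [
    Download("updates.vendor.example", "/release/", "20120702_21.0.1180_Chrome_updater.exe"),
    Download("downloads.unrelated.example", "/files/", "20120702_Chrome_updater.exe"),
    Download("updates.vendor.example", "/release/", "setup.exe"),
    Download("www.unrelated.example", "/", "index.html"),
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d.host:30} {d.filename:40} {classify(d):13} {policy_action(d)}")
```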