Decrypt STARTTLS SMTP protocol but not blocked Virus File


L1 Bithead

The mail server resides on the network inside PaloAlto.
I am trying to add a feature to use STARTTLS for SMTP/25 from the mail server to the Internet.

I implemented STARTTLS decryption (Forward Proxy) on the PaloAlto and sent an email with Eicar Virus to the Internet via the mail server and it was sent without being blocked.

The PaloAlto threat log shows that the Virus is recognized and the Action shows “reset-both”, but it is not actually blocked.

As a test, I disabled STARTTLS on the mail server, and the mail with Eicar was blocked. (However, this time it was simply TCP RESET, not the 541 code, so we recognize this as a problem as well.)

What do you think is the cause?
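The test described in the post (sending an EICAR-attached message through the mail path and watching whether the firewall answers with the SMTP 541 code, a bare TCP reset, or nothing) can be scripted so the check is repeatable after a PAN-OS upgrade. The harness below is an added example, not code from the original post or from Palo Alto Networks; the host, port, sender and recipient values are hypothetical, and it assumes the machine it runs on trusts the CA the firewall uses for forward-proxy decryption, since STARTTLS is negotiated with certificate verification enabled.

```python
"""Harness for verifying that an in-path firewall blocks an EICAR test message
sent over SMTP, with and without STARTTLS.  Added example; not Palo Alto code."""
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional

# The standard EICAR test string, assembled from parts so this source file is
# not itself flagged by endpoint antivirus.  It is harmless by design.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-"
         + "ANTIVIRUS-TEST-FILE!$H+H*")

# Outcome labels: "blocked-541" is the SMTP-level block the post expects,
# "blocked-reset" is the bare TCP reset the post also observed, and
# "delivered" means the firewall let the virus test file through.
BLOCKED_541 = "blocked-541"
BLOCKED_RESET = "blocked-reset"
DELIVERED = "delivered"


def build_test_message(sender: str, recipient: str) -> EmailMessage:
    """Build a plain-text message carrying the EICAR string as eicar.com."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "EICAR test through STARTTLS decryption"
    msg.set_content("Antivirus test message; the attachment is the EICAR test string.")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg


def classify_outcome(error: Optional[Exception]) -> str:
    """Map the result of a send attempt onto one of the outcome labels."""
    if error is None:
        return DELIVERED
    # PAN-OS signals an SMTP block with a 541 reply at the DATA stage,
    # which smtplib raises as SMTPDataError (an SMTPResponseException).
    if isinstance(error, smtplib.SMTPResponseException) and error.smtp_code == 541:
        return BLOCKED_541
    # A reset-both action that arrives as a TCP RST shows up as a reset or
    # an unexpected disconnect instead of an SMTP reply.
    if isinstance(error, (ConnectionResetError, smtplib.SMTPServerDisconnected)):
        return BLOCKED_RESET
    return "error:" + type(error).__name__


def send_test(host: str, port: int, sender: str, recipient: str,
              use_starttls: bool = True, timeout: float = 15.0) -> str:
    """Send the EICAR message to host:port and return the classified outcome.

    Run once with use_starttls=True and once with False to compare the two
    paths the post describes.  Hostnames and addresses here are hypothetical.
    """
    ctx = ssl.create_default_context()  # trusts the system CA store, which
    # must include the firewall's forward-trust CA when decryption is on.
    error: Optional[Exception] = None
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if use_starttls:
                smtp.starttls(context=ctx)
                smtp.ehlo()  # re-identify over the now-encrypted channel
            smtp.send_message(build_test_message(sender, recipient))
    except (smtplib.SMTPException, OSError) as exc:
        error = exc
    return classify_outcome(error)


if __name__ == "__main__":
    # Hypothetical lab values; point these at your own relay on the inside
    # of the firewall and at a mailbox you control on the outside.
    for starttls in (True, False):
        result = send_test("relay.lab.example", 25, "tester@lab.example",
                           "sink@external.example", use_starttls=starttls)
        print(f"STARTTLS={starttls}: {result}")
```

A result of `blocked-541` on both runs is the expected behaviour; `blocked-reset` means the session was torn down without the SMTP-level reply the post mentions, and `delivered` on the STARTTLS run reproduces the problem the thread is about.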

 

2 REPLIES

L1 Bithead

PAN-OS version is 10.2.9-h1.

After contacting the PaloAlto Support team, it was determined that this phenomenon is a PAN-OS issue.
At this time, PaloAlto continues to send SMTP emails using STARTTLS communication even after malware/viruses have been detected.

PaloAlto is currently working on a patch to correct this issue.
