07-30-2024 09:34 PM
The mail server resides on the network inside PaloAlto.
I am trying to add a feature to use STARTTLS for SMTP/25 from the mail server to the Internet.
I implemented STARTTLS decryption (Forward Proxy) on the PaloAlto and sent an email with Eicar Virus to the Internet via the mail server and it was sent without being blocked.
The PaloAlto threat log shows that the Virus is recognized and the Action shows “reset-both”, but it is not actually blocked.
As a test, I disabled STARTTLS on the mail server, and the mail with Eicar was blocked. (However, this time it was simply TCP RESET, not the 541 code, so we recognize this as a problem as well.)
What do you think is the cause?
09-29-2024 05:29 PM
After contacting the PaloAlto Support team, it was determined that this phenomenon is a PAN-OS issue.
At this time, PaloAlto continues to send SMTP emails using STARTTLS communication even after malware/viruses have been detected.
PaloAlto is currently working on a patch to correct this issue.
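A small harness for repeating the check described in this thread against your own relay path: it sends the standard EICAR test string through an SMTP relay once in the clear and once after STARTTLS, and classifies what the relay did (accepted, rejected with an SMTP 5xx such as 541, connection reset, or timeout). This is an added example, not code from the thread or from Palo Alto Networks; the hostname, port, sender and recipient are placeholders you must replace, and the EICAR string is assembled from two pieces only so that the script file itself does not match antivirus signatures.

```python
"""Verify that inline inspection of outbound SMTP actually stops a test virus,
with and without STARTTLS. Added example; placeholders marked as assumptions."""
import smtplib
import socket
import ssl
from email.message import EmailMessage

# Public EICAR test string, split in two so this source file is not itself a signature hit.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def classify_outcome(exc):
    """Map the result of a send attempt to a label.
    exc is None when the relay accepted the message, else the exception raised."""
    if exc is None:
        return "accepted"  # message went through: inspection did not stop it
    if isinstance(exc, smtplib.SMTPRecipientsRefused):
        # one code per recipient; report the first one
        code = next(iter(exc.recipients.values()))[0]
        return f"rejected-smtp-{code}"
    if isinstance(exc, smtplib.SMTPResponseException):
        code = exc.smtp_code
        if 500 <= code < 600:
            return f"rejected-smtp-{code}"  # clean SMTP-level block (e.g. 541)
        if 400 <= code < 500:
            return f"deferred-smtp-{code}"
        return f"smtp-{code}"
    if isinstance(exc, (smtplib.SMTPServerDisconnected, ConnectionResetError, ssl.SSLError)):
        return "reset"  # session torn down mid-transaction: TCP RST or TLS failure
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    return "error"


def build_test_message(sender, rcpt):
    """EICAR as a small attachment, the form most gateways inspect."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = "EICAR inspection check"
    msg.set_content("Inspection test message.")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg


def send_test_message(host, port, sender, rcpt, use_starttls, timeout=20):
    """Send the test message through the relay and return the classified outcome."""
    msg = build_test_message(sender, rcpt)
    try:
        # SMTP.__exit__ issues QUIT and swallows a disconnect, so a reset during
        # DATA surfaces from send_message, not from the context manager.
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            if use_starttls:
                smtp.starttls(context=ssl.create_default_context())
            smtp.send_message(msg)
    except Exception as exc:  # classified below; broad on purpose
        return classify_outcome(exc)
    return classify_outcome(None)


def compare(plain_outcome, starttls_outcome):
    """Flag the inconsistency reported in the thread: blocked in the clear but
    accepted once the session is upgraded with STARTTLS."""
    bypass = plain_outcome != "accepted" and starttls_outcome == "accepted"
    return {"plain": plain_outcome, "starttls": starttls_outcome, "tls_bypass": bypass}


if __name__ == "__main__":
    # Placeholders (assumptions): point these at your own relay and test mailboxes.
    RELAY, PORT = "mail.example.internal", 25
    SENDER, RCPT = "test@example.internal", "inspection-check@example.net"
    plain = send_test_message(RELAY, PORT, SENDER, RCPT, use_starttls=False)
    tls = send_test_message(RELAY, PORT, SENDER, RCPT, use_starttls=True)
    print(compare(plain, tls))
```

Run it against the same relay twice and compare the labels with the firewall's threat log: a threat log entry showing "reset-both" alongside an "accepted" result from the STARTTLS run is exactly the mismatch this thread describes, and a "reset" rather than "rejected-smtp-541" result from the plaintext run reproduces the secondary problem the original poster noted.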