Domain is pointed as Malware

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Domain is pointed as Malware

Not applicable


Hello,

today we had a suspicious DNS Query  warning because we tried to reslove a domain (pandaro.be).

So Palo Alto gets information about domains and checks some information about these domeains.

My questions about this:

1/ What is PA using  to decide which status a domain gets

2/ What is PA checking at a domain to decide about the status

2/ If a domain is known as Malware what has to be done to get it clean

Thanks and Greetings,

Rene

2 REPLIES 2

L4 Transporter

The Websites are categorized by Brightcloud if you have that subscription or by Palo if you are using Palo's. If this was a threat (shows up in the threat log), then it matches a signature defined as a threat/vulnerability. All (decent) firewall's use "signatures" or criteria that defines legit from illegitimate or questionable traffic. Most threats/vulnerabilities are already recognized/categorized by varying groups including the software makers themselves, and are submitted to the MITRE and is included in the NVD  called CVEs (Computer Vulnerabilities & Exposures). If I understand you correctly you saw the following threat:

DNS ANY Suspicious Query

Overview

Attack NameDNS ANY Suspicious Query
DescriptionThis alert indicates a suspicious specific DNS ANY reques.
Threat ID35184
Referenceshttps://isc.sans.edu/diary.html?storyid=13261
Severitymedium
Categoryinfo-leak
The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.

L3 Networker

Hello Wolfrene,

PA is using a combination of the category of the URL, Known CVE IDs that may be associated with a domain.

The Palo Alto content team constantly keeps monitoring and reevaluating the malicious or benign nature of such URLs.

The best way to get a domain clean that has been categorized as Malware is to have a TAC case opened up with pcaps of the threat traffic ( this can be done by enabling pcap on the threat profile that triggered this threat log), screen shot of the threat log and the tech support file.

The TAC will have this domain re-evaluated by the Content team and if changes are made to this threat signature then push the change with the next content release.

  • 2983 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!