Last week my client suffered a virus attack in its LAN and we have not seen anything in Palo Alto (monitor threat). I wanted to know how good is Palo Alto detecting virus and why reasons the PA didnt detect this virus. Anyone has had any similar problem.
thanks a lot
You can search for the virus that you found with other vendor or etc.. using https://threatvault.paloaltonetworks.com/
maybe there is no signature for that or maybe it is false positive for PaloAlto.
Do you have the traffic logs, and the information about the virus? In cases where the attack could have been a zero day attack, we can use the wildfire functionanlity of the PANFW to report unknown signatures to the cloud, analyze these signatures and determine if they are malicious or not.
Other things to take into account (if the download actually passed the PA) is if ssl was used or not and if so did you have ssl-decryption enabled?
If you have a copy of the malicious file you could try to upload it manually to wildfire and see which opinion wildfire has on the file in question (first login to https://support.paloaltonetworks.com):
DOS protection and Zone protection is typically applied for attacks.
Make sure to apply DOS protection to the security rule.
Zone protection profile needs to be assigned to respective Zone.
Make sure the content is uptodate and security rules are using AV, Vulnerability profile.
If you find some virus which was not covered, pcaps/relevant URLs can be submitted to add the coverage.
Wildfire can be configured which can help us identify the suspicious traffic.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!